The ombudsman has ordered the Registrar of Companies to stop collecting personal data from company shareholders who are not beneficial owners under the beneficial ownership provisions of the company registration process.
The decision by the ombudsman emanated from a complaint that the registrar requested personal information about individuals who were 1% shareholders in a company.
Under the Companies Law, beneficial owners have to provide information to the company register. Beneficial owners hold either more than 25% of shares or voting rights in a company, or they are able to vote to remove a majority of the company’s board of directors.
The complaint, under section 43 of the Data Protection Law, which took effect on 30 Sept. 2019, asserted that the registrar did not have the legal authority to process this type of information.
The registrar of companies is collecting data under the Companies Law. The law was amended on 19 Feb. 2020, shortly before the complaint was filed. The changes added a section that stated, “The competent authority may request by notice in writing, additional information from a company or corporate services provider for the purposes of carrying out its functions under this Part.”
Citing the new section, the registrar argued in the case that, as the competent authority for the maintenance of a beneficial ownership register, it is allowed to request additional information from shareholders who fall below the 25% threshold to comply with anti-money laundering rules.
However, the ombudsman noted that while there may be specific circumstances where personal information could be requested about someone holding fewer than 25% of a company’s shares, the registrar cannot apply a “blanket” requirement to do so without establishing a legal basis and informing the person of the reason for the data collection.
“The Registrar was using a blunt instrument to collect data on all company shareholders rather than the lancet the law requires,” said Ombudsman Sandy Hermiston. “All entities collecting personal data must respect the data protection principles, which include the requirement that processing personal data must have a legal basis and that the person whose data is being processed is informed of the purposes for the processing.”
If the registrar is seeking information on shareholders who are not beneficial owners, that request should not be conjoined with the requests for registrable persons.
“The registration of a company and the provision of information on registrable individuals are not parts of the same process, as heightened due diligence may be required in specific circumstances,” the ombudsman wrote in her decision.
Instead, additional information could be requested through a mechanism provided in a different section of the Companies Law, section 279A, which specifically addresses this point.
In addition to the order to stop processing data of individuals who are not considered registrable shareholders under the Companies Law, the registrar was ordered to develop a suitable privacy notice to include on the Cayman Business Portal where companies are registered.
The ombudsman also recommended that the registrar develop a policy setting out fair and reasonable criteria in circumstances where additional data collection for non-registrable shareholders is sought.
As with all enforcement orders made under the Data Protection Law, the entity against which the order is made has 45 days to seek judicial review of the ombudsman’s decision.