Effective date: 30 September 2019
Kalo Caribbean and its subsidiaries Kalo (Cayman) Limited and Kalo (BVI) Limited (together Kalo) value your privacy and apply relevant data protection legislation.
This notice sets out the principles upon which we receive and process a data subject’s personal data both in the day to day operations of Kalo and in relation to our insolvency and restructuring appointments.
Should you have any queries relating to privacy issues either in relation to Kalo itself, or an entity to which one of our officeholders is appointed, please contact us in writing:
- by email at firstname.lastname@example.org; or
- by post to: Data Protection, Kalo, PO Box 776, Suite 4208 Canella Court, Camana Bay, Grand Cayman, Cayman Islands, KY1-9006.
The Data Controller
The data controller is Kalo.
Where one of our officeholders is appointed to a company, data may be held and generated by Kalo as part of that appointment.
Our officeholders may also be considered data controllers in relation to the entity to which they are appointed.
How we use your personal information
Where advice is given by Kalo outside of a formal appointment or process, the purpose of processing personal data is to consider that information to provide appropriate advice.
Our officeholders could be appointed through a variety of processes pursuant to the laws and regulations of the relevant jurisdiction. They may act as liquidators to both solvent and insolvent entities, as receivers, scheme supervisors, controllers or directors. They may be appointed by the entity, its shareholders, creditors, regulators or by the Court.
The purpose of the processing is dependent on the nature of the assignment and is to enable the officeholder to meet their legal, statutory and regulatory obligations and other duties, including:
- delivering insolvency and restructuring advice, directorship, liquidation, forensic or other services;
- verifying your identity pursuant to anti-money laundering legislation;
- sanction screening;
- preventing and detecting crime, fraud or corruption;
- defending or taking legal actions on behalf of an entity;
- maintaining the records of the company;
- processing financial transactions;
- communication by post, email or telephone;
- compliance with international tax reporting regimes;
- to manage our relationship with you, respond to your enquiries or to any problems that may arise and to investigate and resolve complaints;
- to inform you of important changes or developments to the services or our policies and to provide you with technical, support or administrative notifications;
- for insurance, audit and administrative purposes;
- for our internal business purposes, including data analysis, invoicing and detecting, preventing, and responding to actual or potential fraud, illegal activities, or intellectual property infringementreporting and responding to requests by regulators, government bodies or the Court; and
- all other obligations arising under the laws applicable to an officeholder’s appointment.
- Further, we may aggregate personal and other data captured by us so that the data is no longer capable of identifying an individual. Aggregated data may cover patterns of usage, and we reserve the right to use this aggregated information for the purposes of improving and enhancing our services, generating insights, for use in marketing to other users and current and potential partners and otherwise for the purposes of our business. Provided that such aggregated data does not directly or indirectly identify you as an individual, this data is not considered to be personal information for the purpose of this Notice.
- maintaining its corporate and banking records;
- receiving candidate applications for recruitment purposes;
- maintaining employee HR records;
- receiving general business enquiries; and
- processing client and interested party data for direct marketing purposes.
Kalo also processes personal data in its day to day business operations, including:
The legal basis for the processing
Personal data may only be processed if the purpose satisfies one of the conditions under the data protection legislation.
The applicable legal bases for Kalo’s data processing are:
- Contract: The processing is necessary for a) the performance of a contract to which the data subject is party; or b) the taking of steps at the request of a data subject with a view to entering into a contract.
- Legal obligation: The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
- Legitimate interests: The processing is necessary for the purpose of legitimate interests pursued by the data controller or a third party to whom the data is disclosed, except if the processing is unwarranted and prejudices the rights of the data subject.
- Consent: The processing is carried out with the explicit consent of the data subject for the specified purpose.
Some categories of data, referred to as “sensitive personal data”, are considered to require extra protection. Sensitive personal data will only be processed when the data subject has given their express consent, or subject to the following legal conditions:
- Employment: The processing is necessary for the purposes of exercising or performing a right or obligation in connection with the data subject’s employment.
- Public information: The processing relates to information that has already been made public by the data subject.
- Legal proceedings: The processing is necessary for a) any legal proceedings; b) obtaining legal advice; or c) establishing, exercising or defending legal rights.
- Public functions: The processing is necessary for a) the administration of justice or b) the exercise of any functions conferred on any person by or under any enactment.
The legitimate interest of processing
Where personal data in relation to a business enquiry or assignment is based on a legitimate interest, it relates to the legitimate interest of Kalo to provide its services and meet the legal and regulatory obligations conferred upon an officeholder.
Processing may also be done in the legitimate interests of third parties, such as the company’s estate, its creditors and shareholders, by processing personal data to detect fraud, maximise realisations and process distributions.
Where Kalo processes data relating to its clients for marketing purposes and interested parties for sale of an entity’s assets or pursuing funding arrangements, it does so in the legitimate interests of its business or the entity’s estate.
When processing personal data on this basis, the legitimate interest of the data controller and/or third parties will be balanced against the individual data subject’s rights and interests.
The categories of data obtained
The categories of data obtained will depend on the circumstances for which the data is processed and may include the following:
- Names, including former names and aliases;
- Date of birth;
- Email addresses;
- Residential and postal addresses;
- Telephone numbers;
- Passport numbers and other photographic identification details;
- Tax identification numbers;
- Financial information, including bank details;
- Employment details / HR records; and
- Details of offences committed or alleged to have been committed.
Our Website may include integrated content or links to content provided by third parties.
The source of the data
We may obtain personal data directly from you, either in response to a direct request for information, or volunteered by you in communications with our staff or through our Website.
During an assignment, we may have been provided with personal data from several third-party sources. Data is often obtained from the books and records held by an entity prior to the appointment of the officeholder. Other sources may include an entity’s legal advisors, auditors, registered agents, investment managers, custodians or other third-party service providers.
Who we share your data with
Kalo will only share your personal data with other parties where it is necessary to achieve the lawful purpose of the processing.
Kalo’s internal drives are accessible by staff working in both jurisdictions. Kalo uses third parties to provide, run and manage our internal IT systems. For example, providers of information technology, cloud-based service providers, website hosting and management, data back-up, security and storage services.
Depending on the circumstances of a case, data may also be shared with the following third parties, to assist in the provision of our services:
- Legal advisors;
- Joint appointees, employed by other insolvency and restructuring practices;
- Government organisations including, but not limited to, local tax authorities and regulators;
- Agents appointed by an officeholder to assist in carrying out their function, such as accountants, auditors or valuation agents; and
- Any other organisation with which the data controller is obliged to share information under any applicable law or regulation, in any jurisdiction.
- To service providers, advisors, potential transactional partners, or other third parties in connection with the consideration, negotiation, or completion of a transaction in which we are acquired by or merged with another company or we sell, liquidate, or transfer all or a portion of our assets. Upon completion of such a transaction, your personal information will continue to be processed in accordance with this Notice, except as agreed otherwise by you or permitted by applicable law.
- To our employees, sub-contractors, agents or service providers who work for us where required or necessary for the performance of their duties and in line with the reasons for processing.
We do not sell, rent, or otherwise share personal information that reasonably identifies you or your organisation with unaffiliated entities for their independent use except as expressly described in this Notice or with your prior permission. We may share information that does not reasonably identify you or your organisation as permitted by applicable law.
International transfer of data
Kalo’s offices are in the Cayman Islands and the British Virgin Islands.
Given the international reach of Kalo’s assignments, personal data may be transferred, accessed and stored internationally in order to fulfill the purpose of the processing.
In these circumstances, the data controllers will ensure that the country or territory to which the personal data is transferred ensures an adequate level of protection to the rights of a Data Subject in the processing of their data or that appropriate safeguards are put in place.
Retention period of the data
The period of retention of the data is dependent upon the reason for processing and the nature and duration of the assignment. Personal data will be deleted or destroyed where it has been identified that there is no longer a need to retain it, under any legal or contractual requirement.
Protection and storage of the information we collect
We deploy administrative, technical and physical safeguards designed to comply with applicable legal requirements and to safeguard the information that we collect. This includes, when required or appropriate and feasible, obtaining written assurances from third parties that may access your data that they will protect the data with safeguards designed to provide a level of protection equivalent to that adopted by Kalo.
No information system can be 100% secure. We cannot guarantee the absolute security of your information. Moreover, we are not responsible for the security of information you transmit to us over networks that we do not control, including the internet and wireless networks.
We may store the information we collect in on our servers (both cloud based or in servers located in secure data centres in countries where we or our service providers have facilities. Therefore, we may transfer information to countries outside your country of residence which may have data protection laws and regulations that differ from those in your country.
The rights of individuals under the relevant data protection laws are:
- Right to be informed: the right to be informed about how your personal data is being processed, as soon as practicable;
- Right of access: the right to access your own personal data and obtain information about its use;
- Right to rectification: the right to have inaccurate personal data rectified, blocked, erased or destroyed;
- Right to stop/restrict processing: the right, in certain circumstances, to demand that the data processing cease;
- Right to stop direct marketing: the right to demand that any direct marketing targeted at you cease;
- Right in relation to automated decision making: the right to require that any decision made solely by processing personal data by automated means, is reconsidered on a different basis; and
- Right to complain and seek compensation: the right to lodge a complaint with the relevant supervisory authority, where you consider that your rights have not been upheld by the data controller.
Individuals should be aware that these rights are not necessarily absolute and there may be circumstances where Kalo is unable to comply with a request made pursuant to these rights.
Automated decision making
Automated decision making is where a decision, taken by or on behalf of the data controller, significantly effects the data subject and is based solely on the processing by automatic means of the data subject’s personal data. For example, for the purpose of evaluating the data subject’s creditworthiness, reliability, conduct or other matters relating to the data subject.
Kalo does not currently use automatic decision making when processing personal data.
Right to make a complaint
Kalo will work with you in order to resolve any issues or queries you may have in relation to the processing of your personal data. However, if you are dissatisfied with Kalo’s response to a request, you may make a complaint to the relevant authority:
Cayman Islands Ombudsman
Physical address: 5th Floor, Anderson Square, 64 Shedden Road, George Town, Grand Cayman
Mail: PO Box 2252, Grand Cayman KY1-1107, Cayman Islands
Call: +1 345 946 6283
British Virgin Islands
There is currently no formal legislation regulating data protection in the British Virgin Islands and no authority to which you can report data or security breaches. However, the BVI Court will be persuaded by the English common law principles of confidentiality and privacy.
It is recommended that you seek independent legal advice in relation to any complaints you may have pertaining to a data breach in this jurisdiction.
Changes to this Notice
We may update this Notice from time to time and we encourage you to periodically review this Notice. The use of certain of our services may also be governed by other applicable terms and policies regarding privacy and the sharing of personal information, which supplement, and should be reviewed alongside, this Notice.
If we make any material changes to this Notice regarding the way we collect, use, and/or share the personal information that you have provided and we hold your email or other contact information, we will notify you by email or other communication.
Last updated: 30 September 2019