This Privacy Notice lays out the manner in which Cayman Islands Monetary Authority (“CIMA”) collects, uses, maintains and otherwise processes personal data collected from data subjects (i.e. a living individual who can be identified directly or indirectly based on their personal data). This Privacy Notice applies to the website and all products and services offered by CIMA.
This Privacy Notice provides you with the details of how and why CIMA processes personal data. We will explain how we obtain and handle your personal data, provide you with information about your rights as a data subject, and how to contact us if you have any questions.
We may collect personal information from you in a variety of ways, including, but not limited to, where this enables us to carry out our regulatory, monetary, advisory, and co-operative functions, and when you visit our website, register on the website, place an order, fill out a form, respond to a survey, subscribe to the newsletter, or in connection with other activities, services, features or resources we make available. You may be asked for, as appropriate, name, email address, mailing address, phone number, credit card information, or a government-issued identification number.
Table 1 provides some examples of who personal data is collected from and why the personal data is collected:
Table 1 – Collection of Personal Data
|Who personal data is collected from|Why personal data is collected|
|---|---|
|Numismatic coin collectors|To facilitate the sale and redemption of numismatic coins.|
|Regulated and registered persons and their customers|To authorize persons, assess compliance with regulatory laws and measures, and take appropriate enforcement actions when necessary.|
|Visitors to CIMA|To employ proper security and safety measures for the benefit of employees and visitors.|
|Conference participants, participants of public education efforts, survey participants, and other forms of stakeholder engagement|To enable us to measure the impact of content delivery, consider feedback and identify improvement opportunities.|
|Job applicants, interns, current and former employees, Board members|To enable us to identify and employ suitable candidates, to comply with our obligations as an employer, to participate in community and staff events, and to meet corporate governance requirements.|
|Complainants or persons who contact us with questions|To address complaints or respond to questions from persons.|
|Users of the website|To monitor website use to identify areas for improvement and obtain webpage statistics.|
|Persons using the web portals to submit information|To receive applications, questionnaires, regulatory filings, and other documentation electronically.|
|Newsletter subscribers and social media followers|To enable us to correspond directly with you.|
|Vendors and other persons who work on our behalf|To enable us to provide goods and services for regulated persons, our employees, and to the general public.|
|Beneficiaries of social contributions|To enable us to perform charitable acts.|
| |To process scholarship applications.|
We collect personal data from individuals who are involved with a regulated entity, employees, vendors, consultants, our customers, and other individuals who we interact with in order to provide a good or service, to employ, to meet our operational needs, or when you interact with us for other reasons. The amount of data we collect varies and depends on the reason for collecting the personal data.
In some instances, for example for KYC purposes, we collect your sensitive personal data such as your association memberships or whether you are a Politically Exposed Person (PEP). We may also collect or store your sensitive personal data such as your health and marital status.
You will either provide us with your personal data or some of your personal data will come to us from third parties (such as your employer). We may have information such as your names, address, and date of birth; personal identification documents; employment details; financial information such as bank accounts; correspondence to and from you; and personal data for safety and assurance reasons such as video surveillance.
It is most likely that you or a third party will provide your personal data to CIMA:
CIMA will utilize more than one cookie or one type of cookie. A cookie may be set for the website to function properly, to enable CIMA to track page popularity (or lack thereof), or for advertising or marketing purposes. In general, we use the following cookies:
For further information about cookies, visit www.allaboutcookies.org.
We have established and are continuously improving organizational measures to protect your personal data. Our physical and information and communications technology (ICT) security measures aim to guard against unauthorized access, alteration, disclosure or destruction of your personal data whether stored internally or externally.
We develop and maintain security policies and procedures applicable to all staff regarding use of software and hardware, access security, and data breaches. Where we use third parties to provide a service involving personal data, our contract with third parties specifies the confidentiality and protection of personal data.
In certain circumstances, we may transfer your personal data to countries outside of the Cayman Islands, whether or not they have adequate data protection laws and measures in place. Circumstances where such transfers may take place include where the transfer is required under international cooperation agreements to which CIMA is a party, where you have given your consent, where the transfer is necessary for reasons of substantial public interest, where the transfer is necessary for the performance of a contract, or other relevant reasons as listed in Schedule 4 of the Data Protection Law (DPL) or as prescribed in the regulations.
Your information will be shared with our employees, consultants, agents, and other service providers where it is necessary for the performance of their duties and in accordance with the reasons for processing your personal data. In some instances, we make the decision to disclose personal data on a case-by-case basis whether as a result of relevant legislation or by a court order.
CIMA is subject to the National Archive and Public Records Law (NAPRL), which governs the preservation of public records. Therefore, it is possible that records of historical or cultural significance will be transferred to the Cayman Islands National Archive. Such records may contain your personal data and, unless exempted or excluded by legislation, may be retained permanently by the Cayman Islands National Archive.
Where we share information with data controllers or data processors outside the Cayman Islands, and subject to any exclusions as per the DPL, we will ensure that they have the appropriate safeguards in place to protect your personal data.
We may share generic aggregated demographic information not linked to any personal identification information with our business partners, trusted affiliates and advertisers for the purposes outlined above. We may use third party service providers to help us operate our business on our behalf, such as sending out newsletters or surveys.
We do not sell, trade, rent or otherwise share your personal data except as described or with your consent.
Table 2 summarizes some instances where we may share your personal data and some of the reasons for doing so.
Table 2 - Sharing personal data
|Personal data may be shared with|So that we are able to|
|---|---|
|Consultants, special project managers, and other contractual arrangements|Fulfil our functions by providing them the information required.|
|Other regulatory authorities in or outside the Cayman Islands|Fulfil our principal functions by providing assistance to or receiving assistance from overseas regulatory authorities or by conducting fit and proper assessments on regulated and registered persons.|
|Government agencies in or outside the Cayman Islands|Carry out our functions and meet legal requirements.|
|Law enforcement agencies in or outside the Cayman Islands|Facilitate the conduct of investigations about persons suspected of criminal activities.|
|Industry associations, educational institutions, or other professional bodies|Facilitate the fit and proper assessment of persons doing business with or regulated by CIMA.|
|CIMA’s vendors/suppliers or others who work on our behalf|Operate in an effective and efficient manner regarding all products and services provided.|
We will keep your personal data for as long as necessary to fulfil our purposes and as required by law.
We rely on several legal bases for processing your personal information. The legal basis on which personal data may be processed is covered by the DPL, and we will process your personal data only under a lawful basis, some of which are:
We use the personal data we collect to carry out our functions in accordance with the Monetary Authority Law and all regulatory laws, the Public Authorities Law and other local legislation including those applicable to Statutory Authorities and Government Companies (SAGCs), obligations required by international standard setters, and laws and regulations to combat money laundering, terrorist financing, and proliferation financing (ML/TF/PF). As the financial services regulator for the Cayman Islands, CIMA engages in a number of activities to enable us to carry out our functions and obligations. The personal data we collect is processed fairly and appropriately and is not excessive. In some instances, we may have to check other sources in an effort to verify the accuracy of the personal data you have provided; this means the personal data may be shared or disclosed to other organizations or we may undertake a review of publicly available sources.
The personal data collected will be used for the original purpose for which it was collected. The personal data will only be used for a new purpose if 1) the new purpose is compatible with the original purpose; 2) we have obtained your consent; or 3) we are legally obligated to do so. CIMA will not use the personal data to make decisions about you based solely on an automated decision-making process such as for profiling purposes.
The table below summarizes some of what personal data is used for.
Table 3 – Use of personal data
|Personal data is used for|So that we are able to|
|---|---|
|Applications for licensing or registration|Determine whether persons meet the requirements under the regulatory laws to carry on financial services business.|
|Fitness and propriety assessments|Determine whether persons are fit and proper to carry on or provide services to financial services business, to become vendors or employees of CIMA, etc.|
|Conducting surveys, outreach, fundraising events, and other activities to engage stakeholders and the general public|Plan, execute, assess, and improve our public education efforts.|
|Investigations and enforcement of licensed, registered persons or other persons|Prevent, detect, or take action against persons who engage in criminal activities or do not comply with regulatory laws and measures. Such action may include the imposition of administrative fines where appropriate.|
|Supervising licensed or registered persons|Carry out inspections and other supervision activities to ensure compliance with regulatory laws and measures.|
|Development of regulatory policies, procedures, rules, and other guidance|Consult with persons for feedback on regulatory measures.|
|Carrying out our non-regulatory functions|Comply with employment requirements, manage internal software and tools, process accounts receivables and accounts payables, and carry out other internal functions necessary for the functioning of CIMA.|
|Communicating and responding to enquiries|Provide responses to enquiries and communicate effectively with persons.|
You have certain rights regarding your personal data (see Table 4). However, depending on the purposes for which we are processing your personal data, your ability to exercise your rights may be limited and we may not be able to comply with your request. We will be able to advise you further when you seek to exercise your rights.
Table 4 – Rights regarding personal data
| | |
|---|---|
|Be informed about how we process your personal data|This Privacy Notice explains how we process your personal data including what we collect, why we collect it, and the measures we use to secure your personal data.|
|Access your personal data and certain information about its use|If you would like a copy of your personal data or to obtain specific information about it, you may make a Data Subject Access Request (“DSAR”). Though completion of a DSAR form is optional, we recommend you complete the form for efficiency purposes.|
|Require that processing of your personal data cease, not begin at all, or cease for a specified purpose or in a specified manner|You can require that we stop processing your personal data. You do not have to provide a reason for your request.|
|Require that we cease the processing of your personal data for direct marketing purposes|If we process your personal data for direct marketing purposes, for instance, via you signing up for our newsletter or other notifications, and you wish to withdraw your consent|
|Require that processing of your personal data cease, if a decision that significantly affects you is made based solely on the processing of your personal data by automatic means|If there is a situation where we perform automated decision-making based on your personal data, we will inform you. You can then inform us to reconsider the decision being made on that basis.|
|Seek rectification, blocking, erasure or destruction of inaccurate personal data|If the personal data we hold is inaccurate, you can state your preference on how this should be handled.|
|Complain to the Ombudsman regarding your personal data or on behalf of another person regarding their personal data (with proper authorization)|You can make a complaint to the Ombudsman. See www.ombudsman.ky for more details.|
To make a request relating to your personal data, please contact us using any means convenient to you. To improve efficiency and accuracy, we encourage you to put your requests in writing, though this is not always required. You may contact us at:
SIX, Cricket Square
Data Privacy Officer
Cayman Islands Monetary Authority
P.O. Box 10052
Grand Cayman, KY1-1001
CIMA has the discretion to update this Privacy Notice at any time. We encourage you to frequently check this page for any changes to stay informed about how we are processing your personal data. If any changes are made to this Privacy Notice, we will provide a prominent notice on our website so that you can review the updated Privacy Notice.