opennavMenuPhone Icon Email Icon Contact Us
EisnerAmper Global
Go to audit website Previous

Privacy Policy


This privacy notice explains how EisnerAmper Governance Services Ltd. (“EAG”) collects, uses, discloses, retains and secures your personal data as part of its business practices. The policy clearly articulates the legal justifications for the processing of your personal data and also lists your data subject rights under the Cayman Islands’ Data Protection Act as amended (“DPA”). For the avoidance of doubt all references to EAG’s Privacy Policy as contained in client services agreements shall be construed to include the Data Protection Addendum below (“Privacy Policy”).


EAG respects your privacy, and you are entitled to have your personal data processed in accordance with the DPA. The key principles EAG applies when processing your personal data are as follows:

  • Lawfulness: EAG will only collect personal data in a fair, lawful and transparent manner.
  • Data minimisation: EAG will limit the collection of personal data to what is directly relevant and necessary for the services provided.
  • Purpose limitation: EAG will only collect personal data for specified, explicit and legitimate purposes.
  • Accuracy: EAG will keep personal data accurate and up to date while there continues to be a client relationship, and in certain circumstances, after that relationship has ended.
  • Data security and protection: EAG will implement technical and organisational measures to ensure an appropriate level of data security and protection considering the sensitivity of the personal data. Such measures provide for the prevention of any unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to that data.
  • Access and rectification: EAG will process personal data in line with clients’ legal rights.
  • Retention limitation: EAG will retain personal data in a manner consistent with the applicable DPA and DPA Regulations and no longer than is necessary for the purposes for which it has been collected in accordance with its retention policy.
  • Protection for international transfers: EAG will ensure that if personal data is transferred outside the Cayman Islands, it is adequately protected.

What personal data does EAG collect?

EAG collects various personal data which may include the following (this list is not exhaustive):

  • name and address
  • date of birth
  • telephone number
  • email address
  • copy of passport photo/biographical data page
  • financial information included your method of payment such as check or wire transfer to EAG
  • proof of residence

How does EAG use the personal data it collects?

EAG may use your personal data to (this list is not exhaustive):

  • respond to client inquiries
  • manage the client relationship
  • send invoices and collect payment for goods or services rendered
  • conduct promotional activities
  • market goods and services
  • handle complaints
  • prevent fraud or other criminal activity
  • record health and safety details if there is an incident at the EAG office

When does EAG disclose your personal data?

EAG may disclose your personal data in the following circumstances (this list is not exhaustive):

  • if EAG uses a third-party service provider for marketing, marketing research or client relationship management
  • if a data subject requests that personal data be disclosed to a third party
  • if there is a legal request or criminal investigation
  • if it is required to seek legal advice from EAG legal counsel
  • any other circumstance where it may be required by law

International transfer of personal data

Your personal data is stored in the Cayman Islands unless it is transferred to another country for contractual purposes. If at any time EAG transfers personal data outside the Cayman Islands, it will ensure that there are adequate safeguards for the rights and freedoms of data subjects as required by the DPA.

The legal basis for processing your personal data

The DPA protection sets out some different reasons for which a company may process personal data, and EAG does so under the following legal conditions:

  • Consent

In specific situations, EAG may collect and process personal data with your consent.

  • Contractual obligations

In certain circumstances, EAG will need to process certain personal data to comply with contractual obligations for which we have been engaged.

  • Legal compliance

If the law requires, EAG may need to process your personal data.

  • Legitimate interest

In specific situations, EAG requires your personal data to pursue its legitimate interests in a way which might reasonably be expected as part of running its businesses and which does not materially impact your rights, freedom or interests.

For example, EAG may use an email address you have provided to send you information on our services.

How long does EAG retain your personal data?

EAG retains your personal data for as long as a client relationship exists, and the personal data is necessary to manage that relationship. When there is no longer a client relationship, EAG will retain certain types of personal data for varying periods depending on legal requirements and business needs. Personal data that is no longer needed will be destroyed. EAG will always hold your personal data for the least amount of time necessary in accordance with its retention policy. For specific retention periods, clients should contact Isatou Smith at

How does EAG secure your personal data?

EAG employs appropriate technical and organizational measures to protect against unauthorized processing, accidental loss or destruction of, or damage to, your personal data in accordance with its Information Technology policies.

What rights do you have in respect to your personal data?

You have a right to be informed how your personal data is processed and this privacy notice fulfills EAG’s obligation in that respect. If you have further questions or concerns not addressed in this notice, you may contact Isatou Smith at

You have a right to request access to your personal data, the right to request rectification/correction of your personal data, the right to request that processing of your personal data be stopped or restricted and the right to require EAG to cease processing your personal data for direct marketing purposes. If you wish to exercise any of these rights, you should contact Isatou Smith at

If you feel that your personal data has not been handled correctly, or you are not satisfied with EAG’s responses to any requests you have made regarding the use of your personal data, you have the right to complain to the Cayman Islands’ Ombudsman. The Ombudsman can be contacted by calling: 1-345-946-6283 or by email at

Data Protection Addendum

This Data Protection Addendum (Addendum) supplements the Engagement Agreement (Agreement) entered into between EisnerAmper Governance acting as a Processor of Customer Data (Provider) and the customer identified in the applicable Agreement, to whom such services are provided (Customer).

The parties wish to include provision for the requirements of the Cayman Islands’ DPA and the Data Protection Regulations (as amended) (“DPR”) in the Agreement. In consideration of the mutual obligations set out herein, the parties hereby agree that the terms set out below shall be added as an Addendum to the Agreement.

The terms set out in this Addendum will take effect from 30 September 2019 and in the event of a conflict between this Addendum and the Agreement, the terms of this Addendum shall supersede the Agreement.


Appropriate Safeguards means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time.

Data Controller has the meaning given in applicable Data Protection Laws from time to time.

Data Processor has the meaning given in applicable Data Protection Laws from time to time.

Data Protection Laws means, as binding on either party or the services provided under the Agreement:

  • the DPA and the DPR;
  • any laws which implement any such law;
  • any laws that replace, extend, re-enact, consolidate or amend any of the foregoing; any ‘code of practice’ promulgated under section 42 of DPA; and any binding decision of the courts and tribunals of the Cayman Islands that relate to the application or interpretation of any of the foregoing.
  • Data Subject has the meaning given in applicable Data Protection Laws from time to time.

Personal Data has the meaning given in applicable Data Protection Laws from time to time.

    1. Both parties will comply with all applicable requirements of the Data Protection Laws. This clause 1 is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Laws.
    2. The parties acknowledge that for the purposes of the Data Protection Laws, the Customer is the Data Controller and Provider is the Data Processor. Schedule 1 sets out the scope, nature and purpose of processing by Provider, the duration of the processing and the types of Personal Data and categories of Data Subject.
    3. Without prejudice to the generality of clause 1.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Provider for the duration and purposes of this Addendum. The Customer shall ensure all instructions given by it to Provider in respect of Personal Data shall at all times be in accordance with Data Protection Laws.
    4. Without prejudice to the generality of clause 1.1, Provider shall, in relation to any Personal Data processed in connection with the performance by the Provider of its obligations under the Agreement, where applicable:
      • process that Personal Data only on the written instructions of the Customer unless Provider is required by law to process that Personal Data in some other way; immediately inform the Customer if Provider is requested to take any action which may infringe the DPA and DPR; taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected; ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; assist the Customer, at the Customer’s cost, in responding to any request from a Data Subject pursuant to information rights under part 2 of the DPL and in ensuring compliance with its obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; notify the Customer without undue delay on becoming aware of a Personal Data breach; at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the Agreement unless required by applicable law to store the Personal Data; maintain complete and accurate records and information to demonstrate its compliance with the Data Protection Laws and to assist with any further information required to ensure that both parties meet their obligations under the DPL; and permit audits by the Customer or the Customer’s designated auditor, subject to a maximum of one audit request in any 12 month period, at Customer’s cost.
    5. The Customer acknowledges that Provider’s primary processing facilities are based in the United States of America. The Customer agrees that Provider may transfer Personal Data outside of the Cayman Islands, provided all such transfers by Provider of Personal Data outside of the Cayman Islands (and any onward transfer) shall (to the extent required under Data Protection Laws) be effected by way of Appropriate Safeguards and in accordance with Data Protection Laws.
    6. The Customer consents to Provider appointing sub-processor(s) as third-party processors of Personal Data under the Agreement, and provides a general authorisation for Provider to appoint further sub-processors. Provider confirms that it has entered or (as the case may be) will enter into a written agreement with the third-party processor incorporating terms which are substantially similar to those set out in this clause 1. As between the Customer and Provider, Provider shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. The list of sub-processors engaged by Provider will be provided upon request. Provider will inform the Customer of any addition, replacement, or other changes of sub-processors and provide the Customer with the opportunity to reasonably object to such changes on legitimate grounds.
    7. Provider may, at any time on not less than 30 days’ notice, revise this clause 1 by replacing it with any applicable controller to processor standard clauses or similar terms forming party of an applicable certification scheme (which shall apply when replaced by attachment to this Addendum).

Schedule 1

  • Processing, Personal Data and Data Subjects
  • Processing of Personal Data by Provider under the Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subject set out in this Schedule 1.
  • Processing by Provider
  • Subject-matter of processing
  • The subject matter of the data processing under this Addendum is the Customer Personal Data processed by Provider pursuant to the services provided to the Customer under the Agreement.
  • Nature and purpose of processing
  • Provider will process Personal Data for the purposes of providing the services to the Customer in accordance with the Agreement.
  • Duration of the processing
  • The duration of the processing under the Agreement is determined by the Customer and as set forth in the Agreement.
  • Types of personal data
  • Data relating to individuals processed by Provider in order to provide services under the Agreement, including of the Customer’s personnel and customers, including but not limited to the following:
  • First and last name
  • Mailing address
  • Bank account information
  • Categories of data subject
  • Fund employees, managers and investors



Latest News


EisnerAmper Cayman Affiliate EA Governance Offers Governance Services

By Elana Margulies-SnydermanThe Cayman Islands recently enacted legislative changes (which EisnerAmper previously

News Icon



Considerations for Alternative Investment Funds During COVID-19: The Cayman Islands — Sea, Sand, Sun, and Fun(ds)

By Isatou Smith, Managing Director, EisnerAmper Governance Services Ltd.Renowned for

News Icon