EisnerAmper Client Privacy Notice
CLIENT PRIVACY NOTICE CAYMAN ISLANDS DATA PROTECTION LAW, 2017
This Client Privacy Notice applies to any client of any EisnerAmper entity in the EisnerAmper Group (each an “EisnerAmper Entity” and together the “EisnerAmper Entities” or the "EisnerAmper Group") that is a “Data Subject” (as defined in the Cayman Islands Data Protection Law 2017 including any amendments thereto and any associated regulations, guidance notes and/or codes of practice as may be issued by the Ombudsman of the Cayman Islands (the “Ombudsman”) (as the relevant Cayman Islands data protection supervisory authority from time to time) (the “DPL”)). The EisnerAmper Entities include EisnerAmper and/or any of its affiliates, namely EA Compensation Resources, LLC, David Wiener and Company LLC, EA RESIG LLC, EA Fund Services LLC, ZenTek Data Systems LLC, EA CARES Compliance LLC, EisnerAmper Israel Ltd, NannyTax LLC, EisnerAmper Global & Regulatory Solutions LLC, EisnerAmper US (Cayman) LLC, EisnerAmper (UK) LLP, and EisnerAmper (India) Consultants Private Limited, so when we mention the "EisnerAmper Group", "we", "us" or "our" in this Client Privacy Notice we are referring to any separate EisnerAmper Entity in the EisnerAmper Group.
For the avoidance of doubt, any reference to “client” may also include (as relevant) the Personal Data (defined at section 4.1 below) of any such client’s employees, staff and other contacts of that client whose Personal Data details we process in the provision of our services.
References to “you” made herein are references to you as a “Data Subject” under the DPL.
For ease of reference this Client Privacy Notice contains a Glossary of definitions (as per the DPL) at Appendix A to assist you to understand the meaning of defined terms where any such definitions are not otherwise defined in the body of this document.
This Client Privacy Notice applies solely to our processing of the Personal Data of Data Subjects where they use our services. It describes how each EisnerAmper Entity in the EisnerAmper Group agrees to collect, use, disclose, retain and secure your Personal Data as part of its business practices.
Each EisnerAmper Entity respects your fundamental right to privacy and entitlement to have all Personal Data processed in accordance with the DPL. We shall apply the following eight data protection principles enshrined in the DPL whenever any Personal Data is being processed:
- Fairness and Lawfulness: We will clarify the purpose for processing any Personal Data at the time of collection and shall only collect Personal Data in a fair, lawful and transparent manner (for example, when you use our website or engage us to provide services, or speak to one of our representatives about our products or service offerings);
- Purpose limitation: We will only collect and disclose Personal Data for specified, explicit and legitimate purposes. Unless explicit consent is received, we will not use any Personal Data obtained for any purpose other than that for which it was provided;
- Data minimization: We will limit the collection of Personal Data to what is directly adequate, relevant and necessary for the relevant services required to be provided;
- Data Accuracy: We will keep Personal Data accurate and up to date and shall take reasonable steps to ensure inaccurate personal information is deleted or corrected without delay while there continues to be a customer relationship, and in certain circumstances after that relationship has ended;
- Retention limitation: We will make all reasonable efforts to retain Personal Data in a manner consistent with the DPL and no longer than is necessary for the purposes for which it has been collected, or to comply with an individual’s request(s) and any legal, regulatory or internal or policy requirements;
- Respect for individual’s rights: We understand and are committed to processing Personal Data in accordance with the rights of the data subject under the DPL;
- Data security, integrity, confidentiality and protection: We implement internal technical and organizational measures to ensure an appropriate level of data security and protection of Personal Data from any unauthorized or malicious attacks, unlawful processing, inadvertent harm through accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Personal Data transmitted, stored or otherwise processed; and
- Protection for international transfers: We shall ensure that if Personal Data is transferred outside the Cayman Islands, it is adequately protected or the transfer is otherwise permissible under applicable law.
3. PURPOSE OF THIS PRIVACY NOTICE
The purpose of this Client Privacy Notice is to clearly articulate the legal justifications for the processing of any Personal Data received by us and to inform you how we look after your Personal Data and tell you about your Personal Data privacy rights and how the DPL protects you. It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing Personal Data from you, or about you from other parties as may prove necessary from time to time to enable us to comply with our legal and/or regulatory obligations so that you are fully aware of how and why we are using your Personal Data. This Client Privacy Notice may supplement any other notices and is not intended to override them.
4. THE PERSONAL DATA WE MAY COLLECT
“Personal Data” is defined under the DPL as “data relating to a living individual who can be identified and includes data such as the living individual’s location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the living individual. Personal data also includes any expression of opinion about the living individual or any indication of the intentions of the data controller or any person in respect of the living individual”.
We may collect, use, store and transfer different kinds of Personal Data about you which we have grouped together as follows:
- Identity Data includes first name, maiden name, last name, initials, marital status, title, digitized, electronic or scanned signatures, social security number, and/or company name;
- Contact Data includes billing address, delivery address, email address, and mobile, fax and telephone numbers;
- Financial Data includes bank account and routing number and ACH instructions;
- Transaction Data includes details about payments to and from you and other details of services you have engaged us to provide to you;
- Aggregated Data: We may also collect, use and share aggregated data such as statistical or demographic data for any purpose (“Aggregated Data”). Aggregated Data may be derived from your Personal Data but is not considered Personal Data in law as this data does not directly or indirectly reveal your For example, we may aggregate your Transaction Data to calculate the percentage of clients purchasing a specific service from us. However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this privacy notice;
- Sensitive Personal Data: We do not generally collect any Sensitive Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, and trade union membership). Nor do we collect any information about criminal convictions and offences;
5. HOW WE USE YOUR PERSONAL DATA
We will only use your Personal Data in the manners in which the DPL permits us to. Most commonly, we will use your Personal Data in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you to provide our professional services to you;
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; and
- Where we need to comply with a legal or regulatory obligation(s).
6. IF YOU FAIL TO PROVIDE PERSONAL DATA
Where we need to collect Personal Data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with services). In this case, we may have to cancel a service you have engaged us to provide but we will notify you if this is the case at the time.
7. LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA
The DPL sets out certain different reasons for which Personal Data may be processed and we do so under the following legal conditions:
- Consent: In specific situations, we may collect and process Personal Data with your consent. Generally, we do not rely on consent as a legal basis for processing your Personal Data;
- Contractual obligations: In certain circumstances, we will need to process certain Personal Data to comply with contractual obligations for which we have been engaged;
- Legal compliance: If the law requires, we may need to process your Personal Data; and
- Legitimate interest: In specific situations, we require your Personal Data to pursue legitimate interests in a way which might reasonably be expected as part of running our businesses and which does not materially impact your rights, freedom or interests (e.g. we may use an email address you have provided to send you information on our services).
8. PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL DATA
We have set out below, in a table format, a description of all the ways we plan to use your Personal Data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your Personal Data on more than one lawful basis depending on the specific purpose for which we are using your data. Please contact us using the details provided below if you need details about the specific legal basis we are relying on to process your Personal Data where more than one ground has been set out in the table below.
| Purpose | Type of data | Legal basis for processing, including basis of legitimate interest (per section 7 above) |
| --- | --- | --- |
| To register you as a new Client | | Performance of a contract with you |
| To process and deliver our services: (a) Manage payments, fees and charges; (b) Collect and recover money owed to us; (c) Provide professional services to you or a person or entity with which you have a business relationship (e.g., tax preparation, tax consulting, audit) | | (a) Performance of a contract with you; (b) Necessary for our legitimate interests (e.g. to recover debts due to us) |
| To manage our relationship with you which will include notifying you about changes to our terms or privacy notice | | (a) Performance of a contract with you; (b) Necessary to comply with a legal obligation |
| To make suggestions and recommendations to you about goods or services that may be of interest to you | | Necessary for our legitimate interests (to develop our products/services and grow our business) |
We strive to provide you with choices regarding certain Personal Data uses, particularly around marketing and advertising. We have established the following Personal Data control mechanisms:
We may use your identity and contact data details to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which services may be relevant for you (we call this marketing). As part of our marketing efforts, we may also send you electronic communications which may include updates on regulatory issues that we think may be of interest to you, invitations to events we think you may wish to attend, and thought leadership pieces in which we discuss and provide an in depth understanding of legal, regulatory or business specific issues we think might interest you.
You will receive marketing communications from us if you have requested information from us or engaged us to provide services to you, and you have not opted out of receiving that marketing.
9. OPTING OUT
You may contact us directly at any time to make a request to stop using your Personal Data by contacting our Data Privacy Manager, or by following the "unsubscribe" links on any marketing message sent to you.
Where you opt out of receiving these marketing messages, this will not apply to Personal Data provided as a result of a service we provide to you or to a third party and which may involve your Personal Data.
10. CHANGE OF PURPOSE
We will only use your Personal Data consistent with the terms of this privacy notice, and for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to receive an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us using the details provided in paragraph 1.
If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your Personal Data without your knowledge or consent, in compliance with the rules contained in this privacy notice, where this is required or permitted by law.
11. DISCLOSURES OF YOUR PERSONAL DATA
We may have to share your Personal Data with certain third parties, as required for the operation of our business, which includes Data Processors (and potentially in certain instances other sub-Data Processors), including:
- Internal Third Parties as set out in the Glossary.
- External Third Parties as set out in the Glossary.
- Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your Personal Data in the same way as set out in this privacy notice.
We require all third parties to respect the security of your Personal Data. We contract with our third-party service providers to require that they do not use your Personal Data for their own purposes and to authorize them to process your Personal Data for specified purposes and in accordance with our instructions.
12. YOUR LEGAL RIGHTS
Under certain circumstances, you have rights under the DPL in relation to your Personal Data. You have the right to:
- Request access to your Personal Data (commonly known as a “Subject Access Request” or “SAR”). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it if you make a written request to the Data Privacy Manager (or alternatively to any representative of any EisnerAmper Entity) to review any of your Personal Data collected, utilized or disclosed by us. Upon receipt of any Data Subject Access Request, we will provide any such Personal Data as permitted or requested by law. Any such Personal Data shall be made available in a form that is generally understandable and will also clarify any defined terms or abbreviations used.
- Request rectification or correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you rectified or corrected, though we may need to verify the accuracy of the new data you provide to us prior to amending the same as requested and where appropriate also transmitting the amended Personal Data details to third parties having access to your Personal Data.
- Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal or ethical reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which overrides your rights and freedoms.
- Request restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of your Personal Data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of your Personal Data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. However, keep in mind that we may still be under a legal or ethical obligation to retain the Personal Data, and will do so until the time frame under such legal or ethical obligation lapses, even if we transfer the data to you or a third party.
- Withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the rights set out above, please contact us using the details provided below.
13. NO FEE USUALLY REQUIRED
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
14. WHAT WE MAY NEED FROM YOU
We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
15. DATA SECURITY
We have in place appropriate security measures designed to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorized way, or disclosed to unauthorized third parties. These measures are adhered to and are regularly tested and updated as may be deemed necessary.
16. DATA RETENTION - HOW LONG WILL WE USE YOUR PERSONAL DATA FOR?
The retention period for holding Personal Data will vary and will be determined by criteria including the purpose for its use and retention periods prescribed by law and other legal obligations.
17. HOW QUICKLY SHALL WE RESPOND TO ANY DATA SUBJECT ACCESS REQUESTS
Unless we advise to the contrary, we shall respond to written requests not later than 30 days after receipt of any written requests. We shall advise if for any reason we are unable to meet your requests within this timeframe (e.g. (a) where a large amount of Personal Data is requested or required to be searched through and meeting the timelines would unreasonably interfere with our day-to-day business operations; (b) where more time may be required to consult with any relevant third party prior to us being able to decide whether or not to provide access to the requested Personal Data; or (c) you provide consent to an extension of the 30 day timeframe). You have the right to make a complaint to the Ombudsman (see contact details below) in respect of this time limit should you choose to do so.
We may request that you provide sufficient identification to permit access to the existence, use or disclosure of your Personal Data. Any such identifying confirmation shall be used only for that purpose.
18. YOUR DUTY TO INFORM US OF CHANGES TO YOUR PERSONAL DATA
It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us.
19. INTERNATIONAL TRANSFERS
We may share your Personal Data within the EisnerAmper Group, which may involve transferring your data outside the Cayman Islands.
Whenever we transfer your Personal Data out of the EEA, we endeavour to ensure a similar degree of protection is afforded to it at all times as that required of us in compliance with the requirements of the DPL.
Please contact us if you want further information on the specific mechanism used by us when transferring your Personal Data out of the Cayman Islands.
20. CONTACT DETAILS
If you have any questions about this privacy notice or our privacy practices, please contact our data privacy manager in the following ways:
Full name of legal entity:
EisnerAmper US (Cayman) Ltd.
Name of data privacy manager:
EisnerAmper 733 Third Avenue
New York, NY 10017
If you are not satisfied with any responses provided to any access requests made, you may lodge a complaint with the Ombudsman as per the contact details below.
21. THE OMBUDSMAN CONTACT DETAILS
Should you feel that your Personal Data has not been handled correctly, or you are not satisfied with any responses received to any requests you have made regarding the use of your Personal Data, you have a statutory entitlement under section 43 of the DPL to complain to the Cayman Islands’ Ombudsman. The Ombudsman can be contacted by calling: 1-345-946-6283 or by email at firstname.lastname@example.org.
GLOSSARY OF TERMS PURSUANT TO DPL
Data Controller is a person who, alone or jointly with others determines the purposes, conditions and manner in which any Personal Data are, or are to be processed and includes a local representative (who is required to be appointed where the Data Controller is not established in the Cayman Islands but the Personal Data are processed in the Cayman Islands).
Data Privacy Manager is the person responsible for ensuring compliance with the DPL and any associated regulation or guidance notes in regard thereto as may apply (or be amended from time to time).
Data Processor is any person who processes personal data on behalf of a data controller but, for the avoidance of doubt, does not include an employee of the data controller.
Data Subject is any identified living individual or any living individual who can be identified directly or indirectly by means reasonably likely to be used by the Data Controller or by any other person.
External Third Parties are those service providers of the EisnerAmper Group acting as Data Processors (and their sub-processors) based in the United States who provide various services, including information technology and software or software services. A list of such processors and sub-processors will be provided upon reasonable request.
Internal Third Parties are those other companies in the EisnerAmper Group acting as Joint Controllers or Data Processors and who are based in the United States, India, Cayman or Israel. A list of these parties will be provided upon reasonable request. Internal third parties also include professional advisers to the EisnerAmper Group acting as Data Processors or Joint Controllers including lawyers, bankers, auditors, insurers based in the United States and Europe and any regulators and other governmental authorities acting as Data Processors or Joint Controllers based in the United States, India and Israel who require reporting of processing activities in certain circumstances.
Joint Controller is any organization or individual with whom the data controller decides how and why personal data will be processed.