Wilshire Advisors, LLC (“Wilshire”) and its affiliates and subsidiaries, have adopted the following policy describing how third party and consumer information is gathered by Wilshire and may be treated (Wilshire’s “Privacy Policy”).
Wilshire is a global company and conducts business around the world, including within regions with unique rules that apply to the collection, processing, and retention of Personal Information (as defined below) from individuals within those areas. Appendices A, B and C include information regarding additional rights, policies and procedures applicable to global data privacy laws, including General Data Protection Regulation (“GDPR”, together with other EEA data privacy laws “EEA Laws”), the California Consumer Privacy Act of 2018 and the Cayman Islands Data Protection Law, 2017, respectively.
Wilshire considers privacy to be a fundamental aspect of our relationships. We are committed to maintaining the confidentiality, integrity, and security of private, personal and confidential information in our possession. In the course of providing our products and services, we may collect, retain, and use private, personal and confidential information for the purpose of administering our operations, and complying with legal and regulatory requirements. The kinds of information we may collect will depend on the nature of the relationship in which we are engaged and may include Personal Information (as defined below) for all applicable global privacy laws. This information may include contact details such as address, email address and telephone number and, where required for contractual, legal or regulatory obligations, additional information (including, but not limited to, date of birth, bank account details and tax identification documents or numbers).
The term “Personal Information” as used in this Privacy Policy, and for purposes of all global privacy laws, means any information that identifies, relates to, describes, is reasonably capable of being associated, or could reasonably be linked, directly or indirectly to an identified or identifiable natural person (“Data Subject” or “ Consumer”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
In most cases, we collect information directly from the person or entity with whom we have the relationship (e.g. through account applications, investment policy statements, website usage, customer surveys, and electronic or verbal correspondence); but may also obtain information from other sources (e.g. transactions; brokers, consultants or financial advisory firms; or public registers for background searches). Wilshire, generally, does not disclose private, personal and confidential information with outside organizations except for third party processors and service providers that are essential in administering our operations, or as otherwise required or permitted by law. As is common in the industry, non-affiliated companies may from time to time be used to provide certain services, such as preparing and mailing prospectuses, reports and account statements. These companies may be provided access to private, personal and confidential information solely to provide the specific service or as otherwise required or permitted by law. We may also provide confidential information to brokerage, financial advisory, or other third party financial intermediaries.
Wilshire reserves the right to disclose private, personal and confidential information where we believe in good faith that disclosure is required either under law or to cooperate with regulators or law enforcement authorities. In addition, we may disclose Personal Information to a non-affiliated third party upon the owner’s written request.
Wilshire takes seriously the obligation to safeguard private, personal and confidential information (including Personal Information). We maintain appropriate safeguards which includes the use of security procedures to prevent revealing such information.
Any questions regarding Wilshire’s Privacy Policy should be referred to the Chief Compliance Officer. As required by regulations, Wilshire will provide to its clients annually a statement regarding their rights to privacy.
Wilshire Associates Incorporated, a leading global independent investment consulting and services firm, provides consulting services, analytics solutions and customized investment products to plan sponsors, investment managers and financial intermediaries. Its business units include Wilshire Analytics, Wilshire Consulting, Wilshire Funds Management and Wilshire Private Markets. Based in Santa Monica, California, Wilshire provides services to clients in more than 20 countries representing more than 500 organizations. With ten offices worldwide, Wilshire Associates and its affiliates are dedicated to providing clients with the highest quality advice, products and services. For more information please visit www.wilshire.com.
The information contained in this document is confidential or proprietary and is intended for the exclusive use of the person(s) to whom it is provided. It may not be modified or otherwise provided, in whole or in part, to any other person or entity without prior written permission from Wilshire.
Wilshire reserves the right to update its Privacy Policy and the attached Privacy Statements and Notices at any time and, in such cases, will make an updated copy available to all relevant parties as required by relevant laws.
Privacy Policy Supplement for Data Subjects Whose Personal Information May Be Collected in or from the European Economic Area
In accordance with applicable EEA Laws, Wilshire has adopted the following additional policies and procedures for gathering and treating Personal Data, further information can be found in the Privacy Notice for Data Subjects Whose Personal Information May Be Collected in or from the European Economic Area.
It is important that the Personal Data we hold is accurate and current. Wilshire personnel must make reasonable efforts to obtain and maintain accurate records for their relevant relationships. Wilshire may need to request specific information from relevant individuals to confirm their identity.
It is in the sole discretion of the owner of Personal Data whether to share the information with Wilshire. Reluctance to provide Wilshire with all or some of the Personal Data requested by Wilshire, may restrict our ability to accept an engagement from a client or prospect, provide all or some of services requested, enter into a contract with a client or prospect or to send information about us (e.g. marketing materials) to that client or prospect. If a client or prospect refuses to provide the Personal Data requested, please contact Wilshire Compliance.
Wilshire will only process Personal Data for specific purposes where there is a lawful basis for doing so. The lawful basis, and purposes that we may rely on include but are not limited to:
· We have received consent to do so (consent)
· In limited circumstances, we may obtain consent to send information about our products and services but, in such instances we will also provide a means for individuals to opt out of receiving further communications;
· It is required to perform a contract which we have executed with a third party contract) – this includes, but is not limited to, where we have entered into an agreement and the Personal Data is needed to ensure that the terms of the contract can be fulfilled;
· It is necessary to comply with a legal obligation (legal obligation) – these obligations include, for example, where we have a regulatory obligation to conduct customer due diligence or are required to provide information to tax authorities; or
· We (or a third party) having a legitimate interest which is not overridden by the interests or fundamental rights and freedoms of the person from whom we have obtained Personal Data (legitimate interest) – this includes the provision of services by us and our direct marketing activities. To this end, we may use Personal Data to deliver services to, complete work for or act on behalf of a client. Furthermore, we may also use Personal Data to inform a client about us and our services and to build a relationship with the client.
Where we use Personal Data to inform a client or prospect about us and our services, we will ensure that these are targeted and proportionate.
We may use or disclose Personal Data if we are required by law to do so or if we reasonably believe that use or disclosure is necessary to protect Wilshire’s rights or to comply with judicial or regulatory proceedings, a court order or other legal process.
Change of Purpose and Anonymization
Wilshire may only use Personal Data for the purposes for which we collect it, unless we reasonably consider that we need to use it for another reason which is compatible with the original purpose. If we need to use Personal Data for an unrelated purpose, we must notify the individual and explain the legal basis which allows us to do so.
In some circumstances, and where it is attributable to a lawful basis, we may anonymize Personal Data so that it can no longer be associated with an individual, in which case it is no longer Personal Data.
When using Personal Data for the purposes and on the legal basis described in this Privacy Policy we may share Personal Data with other vendors that we work with. Depending on the nature of the relationship (e.g. a client, an employee, etc.) these other vendors may include, but are not limited to, accountants, tax advisors, payroll agents, auditors, lawyers, regulatory advisors, insurance brokers and IT providers. We may also have to share Personal Data with regulators, public institutions, courts or other third parties. Wilshire may not sell Personal Data nor may we distribute, disseminate or disclose Personal Data to third party sales or marketing agencies. When sharing Personal Data with others, Wilshire will ensure that we have an appropriate legal basis to do so and will take all reasonable steps to ensure that Personal Data is treated in a manner that is consistent with applicable laws and regulations relevant to data protection and is not disclosed to any person who has no right to receive it.
Wilshire is a California corporation and the bulk of our critical operations are based in the United States. For the purposes described above, Personal Data may be stored outside of the European Economic Area (“EEA”). Wilshire must ensure that there is a legal basis and take all reasonable steps to ensure relevant safeguards are taken to secure such data transfer.
Wilshire may only retain Personal Data for as long as necessary to fulfil the purposes for which it was collected, used and otherwise processed, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements.
To determine the appropriate retention period for Personal Data, Wilshire will consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of Personal Data, the purposes for which we process the Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Upon expiry of the applicable retention period Wilshire should take reasonable efforts to securely destroy Personal Data in accordance with applicable laws and regulations.
Individual subject to EEA Laws have rights which they can exercise under certain circumstances in relation to their Personal Data that we hold. These rights include:
· Request access to their Personal Data (commonly known as a “data subject access request”)
· Request certain information in relation to the processing of their Personal Data;
· Request rectification of their Personal Data;
· Request the erasure of their Personal Data;
· Request restrictions regarding the of processing of their Personal Data; or
· Object to the processing of their Personal Data.
Some of the above rights may only be exercised in specific circumstances - they are not absolute. EEA Residents may also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues or, as the case may be, other competent supervisory authority of an EU member state. Should a Wilshire employee become aware of any such complaint being filed, they should contact Wilshire Compliance immediately.
Owners of Personal Data may withdraw consent at any time where consent is the lawful basis for processing such Personal Data. Should such withdrawal impede our ability to comply with applicable laws and regulations, Wilshire may be unable to provide further services to that client.
In general Wilshire will not charge a fee to exercise any of the individual rights mentioned in this Privacy Policy. However, we may charge a reasonable fee if a request to exercise an individual right is manifestly unfounded or excessive. Wilshire may also refuse to comply with any request in such circumstances.
Exhibit 1
Privacy Notice for Data Subjects Whose Personal Information May Be Collected in or from the European Economic Area
The scope and purpose of this Privacy Notice
Wilshire Associates Incorporated (“we” or “Wilshire”) is a global company and thus may conduct business and collect Personal Data (as defined below) from individuals and institutions located within the European Economic Area (“EEA”). This Privacy Notice explains how Wilshire uses Personal Data that we collect from individuals and institutions located within the EEA in accordance with applicable data privacy laws and the General Data Protection Regulation (“GDPR”). Any capitalized terms or other terms not defined herein shall have the meaning ascribed to them in the GDPR. To the extent of any conflict between this Notice and the rest of our Privacy Policy, this Notice shall control only with respect to EEA Individuals and their Personal Data, and to the extent of such conflict.
Wilshire typically acts as the controller of Personal Data collected regarding EEA Individuals through the Websites or the Services we provide. This Notice describes our general privacy and security practices in connection with your Personal Data. For our contact information, see the section titled “Further Information” below.
The term “Personal Data” as used in this Privacy Notice means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What information do we collect about you, how do we collect it and what do we use it for?
The kinds of Personal Data we may collect depends on the nature of the relationship you have with us. This information may include your contact details such as your address, email address and telephone number and, where required for contractual, legal or regulatory obligations, additional information (including, but not limited to your date of birth, bank account details and tax identification documents or copies of identification documents). In most cases, we will collect the Personal Data directly from you (e.g., through account applications, investment policy statements and electronic or verbal correspondence), but we may also obtain it from other sources (e.g. through public registers for background searches).
In accordance with applicable data privacy laws and the GDPR, we will only process your Personal Data for specific purposes where there is a lawful basis for doing so. The lawful basis, and purposes that we may rely on are:
• You have consented to us doing so (consent) – in limited circumstances, we may obtain your consent to send you information about our products and services (but, in such cases, you can opt out of receiving such communications at any time through the method provided in the communications themselves or by using the contact information provided below);
• We need it to perform the contract we have entered into with you (contract) – this includes, but is not limited to, where we have entered into an agreement with you and the Personal Data is needed to ensure that the terms of the contract can be fulfilled;
• We need it to comply with a legal obligation (legal obligation) – these obligations include, for example, where we have a regulatory obligation to conduct customer due diligence or are required to provide information to tax authorities; or
• We (or a third party) have a legitimate interest which is not overridden by your interests or fundamental rights and freedoms (legitimate interest) – this includes the provision of services by us and our direct marketing activities. To this end, we will use your Personal Data to deliver services to you and/or to work or act for you. Furthermore, we will also use your Personal Data to inform you about us and our services and to build our relationship with you.
Where we use your Personal Data to inform you about us and our services, we will ensure that these are targeted and proportionate.
Please note that we may use or disclose Personal Data if we are required by law to do so or if we reasonably believe that use or disclosure is necessary to protect our rights and/or to comply with judicial or regulatory proceedings, a court order or other legal process.
What might we need from you?
We may need to request specific information from you to help us confirm your identity and ensure your right to access Personal Data (or to exercise any of your other rights). This security measure is designed to ensure that Personal Data is not disclosed to any person who has no right to receive it.
Accuracy of information
It is important that the Personal Data we hold about you is accurate and current. Please let us know if your Personal Data changes during your relationship with us.
What if you do not provide the personal data we request?
It is in your sole discretion to provide Personal Data to us. If you do not provide us with all or some of the Personal Data we request, we may not be able to accept an engagement from you, to provide all or some of our services, to enter into a contract with you or to send you information about us (e.g. marketing materials).
Change of purpose and anonymization
We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason which is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
In some circumstances, and where it is attributable to a lawful basis, we may anonymize your Personal Data so that it can no longer be associated with you, in which case it is no longer Personal Data.
With whom will we share your information?
When using your Personal Data for the purposes and on the legal basis described above we may share your Personal Data with vendors that we work with. Depending on the nature of your relationship with Wilshire these other vendors may include, but are not limited to, accountants, tax advisors, payroll agents, auditors, lawyers, regulatory advisors, insurance brokers and IT providers. We may also have to share your Personal Data with regulators, public institutions or courts. Wilshire will not sell your Personal Data nor will we distribute, disseminate or disclose your Personal Data to third party sales or marketing agencies. When sharing your Personal Data with others, we will ensure that we have an appropriate legal basis to do so and will take all reasonable steps to ensure that your Personal Data is treated in a manner that is consistent with applicable laws and regulations.
Will your information be stored outside of the EEA?
Wilshire is a California corporation and the bulk of our operations are based in the United States. For the purposes described above, your Personal Data will likely be stored outside of the European Economic Area (“EEA”). In such cases, we will always ensure that there is a legal basis and a relevant safeguard method for such data transfer.
We will only retain your Personal Data for as long as necessary to fulfil the purposes for which it was collected, used and otherwise processed, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements. For retention of data, we abide by applicable law related to the services we provide to you in the jurisdictions where we provide them.
Your rights in relation to your information
You have rights as an individual which you can exercise under certain circumstances in relation to your Personal Data that we hold. These rights are to:
Please note, some of the above rights may only be exercised in specific circumstances ‐ they are not absolute. In addition, you may also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues or, as the case may be, another competent supervisory authority of an EU member state.
Right to withdraw consent
You may withdraw consent at any time where consent is the lawful basis for processing your Personal Data. Should you withdraw consent for processing or otherwise object to processing that impedes our ability to comply with applicable laws and regulations, you may be unable to avail yourself of the services we provide.
How long will we retain your information?
We will only retain your Personal Data for as long as necessary to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements.
To determine the appropriate retention period for your Personal Data, we will consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements. If you would like to know more information about our retention practices, please contact us using the information provided below.
In some circumstances we may anonymize your Personal Data so that it can no longer be associated with you, in which case it is no longer Personal Data. Upon expiry of the applicable period we will destroy your Personal Data in accordance with applicable laws and regulations.
Fees
You will in general not have to pay a fee to exercise any of your individual rights mentioned in this Privacy Notice. However, we may charge a reasonable fee if your request to exercise your individual rights is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
Changes to this Privacy Notice
Wilshire reserves the right to update this Privacy Notice at any time and, in such cases, we will make an updated copy available on our website, or where required by law, we will contact you directly.
Further information
If you have any queries, questions, concerns or require any further information in relation to the Privacy Notice or you wish to exercise any of your rights, please do not hesitate to contact Wilshire at: Privacy@Wilshire.com
Appendix B
Privacy Policy Supplement for US Clients
Wilshire Associates Incorporated (‘we’ or "Wilshire") values your trust and wants you to be familiar with how we collect, use, and disclose information. This Privacy Policy describes our practices in connection with information that we may collect, maintain, and use in the course of providing our products and services though our website(s).
Wilshire is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, you can be assured that it will only be used in accordance with this Privacy Notice.
Residents of California should review the Privacy Notice for the California Consumer Privacy Act of 2018 for additional disclosures.
Personal Information We May Collect
The term Personal Information as used in this policy means any information that identifies you as an individual or relates to an identifiable person. The kinds of Personal Information we may collect depends on the nature of the relationship you have with us. This information may include your name, job title, and contact details such as your address, email address and telephone number. Occasionally additional information, such as demographic information, preferences, interests, and other information relevant to customer surveys may also be collected.
How We May Collect Personal Information
In most cases, we collect information directly from the person or entity with whom we have the relationship (e.g. through account applications, customer surveys, or general website usage).
How We May Use Personal Information
We require and use this information to understand your needs and provide you with a better service. More particularly, we use information we gather to do the following:
Security
We are committed to ensuring that your information is secure. In order to prevent unauthorized access or disclosure we have put in place suitable physical, electronic, and managerial procedures to safeguard and secure the information we collect online.
Controlling Your Personal Information
We do not share your Personal Information with third parties for use in marketing their products and services. However, we may share your Personal Information in the following circumstances:
Our service providers are obligated to keep the Personal Information we share with them confidential and use it only to provide services specified by Wilshire.
Retention Period
We will retain your Personal Information for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law.
Updates to This Privacy Policy
We may change this Privacy Policy. Any changes will become effective when we post the revised Privacy Policy on our website. Your use of our website following these changes means that you accept the revised Privacy Policy.
Contact Us
If you have any questions about this Privacy Policy, please contact Wilshire via email at: Privacy@Wilshire.com
Exhibit 1
Privacy Notice for the California Consumer Privacy Act of 2018
Wilshire Associates Incorporated (“we” or “Wilshire”) is a global company which conducts business and collects, uses, shares and otherwise processes Personal Information (as defined below) from individuals and institutions located across the world and is subject to applicable data privacy laws, including the California Consumer Protection Act of 2019 (“CCPA”).
Personal Information
The term Personal Information as used in this policy means any information that identifies, relates to, describes, is reasonably capable of being associated, or could reasonably be linked, directly or indirectly with you as an individual or household.
Personal Information We May Collect
The kinds of Personal Information we may collect, process, hold and share depends on the nature of the product or service you have with us. This may include your contact details (such as your address, email address and telephone number), on-line identifiers or network activity (such as cookie data, website usage, browsing history and other online identifiers) and, where required for contractual, legal or regulatory obligations, additional information (including, but not limited to, date of birth, bank account details, tax identification numbers, copies of identification documents and numbers). In most cases, we will collect the Personal Information directly from you but may also obtain it from other sources (for example, public registers for background searches).
We may request specific information from you to help us confirm your identity. It is important that the Personal Information we hold about you is accurate and current. Please let us know if your Personal Information changes during your relationship with us.
It is in your sole discretion to provide Personal Information to us. If you do not provide us with all or some of the Personal Information we request, we may not be able to accept an engagement from you, to provide all or some of our services, to enter into a contract with you or to send you information about us (e.g. marketing materials).
Categories of Personal Information
We collect and disclose the following Personal Information for our business purposes, including:
• To perform the contract we have entered into with you (contract) – this includes, but is not limited to, where we have entered into an agreement with you and the Personal Data is needed to ensure that the terms of the contract can be fulfilled;
• To comply with a legal obligation (legal obligation) – these obligations include, for example, where we have a regulatory obligation to conduct customer due diligence or are required to provide information to tax authorities; or
• Our legitimate business purposes (business purposes) – this includes the provision of services by us and our direct marketing activities. To this end, we will use your Personal Data to deliver services to you and/or to work or act for you. Furthermore, we will also use your Personal Data to inform you about us and our services and to build our relationship with you.
If, in the future, we intend to process your personal information for a purpose other than that which it was collected, we will provide you with information on that purpose and any other relevant information at a reasonable time prior to such processing. After such time, the relevant information relating to such processing activity will be revised or added appropriately (either within this Privacy Policy or elsewhere).
Further information
If you have any queries, questions, concerns or require any further information in relation to the Privacy Notice or you wish to exercise any of your rights, please do not hesitate to contact us at: Privacy@Wilshire.com.
Appendix C
Data Protection Policy Supplement for Wilshire’s Cayman Islands Funds Subject to the Cayman Islands Data Protection Law (the “Funds”)
1. Introduction AND PURPOSE
1.1 In the course of business, the Funds and their service providers obtain personal information about investors and others. This information may come from sources such as account applications and related forms, other written, electronic or verbal correspondence, transactional documents, documents provided by investors further to the anti-money laundering and other regulatory requirements, and/or from information captured on websites.
1.2 As the Funds are incorporated or formed in the Cayman Islands, the Data Protection Law, 2017 applies to the Funds' processing of this information to the extent it constitutes Personal Data.
1.3 The purpose of this policy is to set out how we, and persons processing Personal Data on our behalf, shall handle Personal Data, including that of our investors, suppliers, and other relevant third parties. This policy covers Personal Data held by us, and by third parties processing Personal Data on our behalf, regardless of the media on which that data is stored.
1.4 The Funds are committed to the lawful processing of Personal Data, and to upholding the confidentiality, integrity, and security of Personal Data.
1.5 This Policy applies to the Funds and shall be reviewed and updated as and when required. It should be read in conjunction with the Cayman Islands Privacy Notice (see Exhibit 1).
2. Definitions
2.1 "Service Provider" means U.S. Bancorp Fund Services;
2.2 "data controller" has the meaning given in the Data Protection Law, 2017;
2.3 "data subject" has the meaning given in the Data Protection Law, 2017;
2.4 "DPL" means the Data Protection Law, 2017 of the Cayman Islands;
2.5 "Funds" means Wilshire Asia Private Markets Fund VIII (Offshore) L.P., Wilshire European Private Markets Fund VIII (Offshore) L.P., Wilshire Institutional Master Fund II SPC, Wilshire Institutional Master Fund SPC, Wilshire Private Markets Japan Master Fund III, Ltd., Wilshire U.S. Private Markets Fund VI (Offshore) L.P., and Wilshire European Private Markets Fund VIII (Offshore) L.P. (each a "Fund");
2.6 "Manager" means Wilshire Associates Incorporated;
2.7 "Personal Data" has the meaning given in the DPL. Examples of Personal Data include an individual's name, address, email address, date of birth, passport details or other national identifier, driving licence number, national insurance or social security number, income, employment information, tax identifier and tax residence, account numbers, and economic information. It also includes data which, when aggregated with other data, enables an individual to be identified, such as an IP address and geolocation data;
2.8 "Processing" has the meaning given in the DPL. It is widely construed and includes obtaining, recording and holding data, as well as carrying out any operation on Personal Data, such as sharing, destroying and mining the Personal Data; and
2.9 "we", "us" and "our" in this notice refer to the Funds.
3. The DPL, the role of the Funds and Service Providers
3.1 The Funds are the decision makers as to the purposes, conditions and manner in which Personal Data are processed, and as such, are data controllers. This is so even though the Funds have appointed Service Providers to carry out certain processing operations in relation to Personal Data.
3.2 The Service Providers appointed on behalf of the Funds have confirmed in writing that they shall only act in accordance with the instructions of the Funds and that appropriate arrangements related to the security of any processing undertaken by that Service Provider. Appropriate arrangements have also been put in place for any cross border processing of personal data. A summary of Service Provider agreements is included at clause 13 below.
3.3 The Funds may be data controllers jointly with another person where that person is also a decision maker. As data controllers, whether joint or sole, the Funds recognise we are responsible and accountable for compliance with the DPL.
3.4 The Wilshire Associates Incorporated Compliance Department (“Wilshire Compliance”) is the relevant point of contact for any correspondence, issues or queries related to the DPL. All escalations related to data breaches and or subject access requests (as discussed below) shall be made to Wilshire at Privacy@Wilshire.com.
4. Ombudsman
4.1 The Ombudsman is the supervisory authority of the Cayman Islands for oversight of the DPL. The primary roles of the Ombudsman are to investigate, mediate and make determinations on complaints made by data subjects. The Ombudsman also provides guidance to data controllers and data subjects through publishing information resources and template documentation.
4.2 The Ombudsman also has the power to impose monetary penalties under the DPL for serious contraventions. Information orders and enforcement orders can also be imposed.
4.3 In the case of a data breach as further described below, a report must be made by the Funds to the Ombudsman. The Ombudsman's recommended form for breach notification is included at Exhibit 2.
4.4 Wilshire Compliance is responsible for considering any notifications received from staff or persons providing services to the Funds and determining if a data breach notification is required to be made to the Ombudsman.
5. Data Protection Principles
5.1 Each Fund is committed to processing Personal Data in accordance with the data protection principles set out in the DPL. The Funds require all persons processing Personal Data on our behalf to adhere to these principles which are:
(a) First Principle: personal data shall be processed fairly, and only if at least one of the conditions set out in paragraphs 1 to 6 of Schedule 2 of the DPL is met. When the data is sensitive personal data (as defined), additional conditions must be met.
(b) Second Principle: personal data shall only be obtained for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
(c) Third Principle: personal data shall be adequate, relevant and not excessive in relation to the purposes
(d) Fourth Principle: personal data shall be accurate and, where necessary, kept up to date
(e) Fifth Principle: personal data processed for any purpose shall not be kept for longer than is necessary for that purpose
(f) Sixth Principle: personal data shall be processed in accordance with the rights of data subjects under the DPL.
(g) Seventh Principle: appropriate technical and organizational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
(h) Eighth Principle: personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
6. The rights of data subjects
6.1 The Funds recognise that individual data subjects have specific rights conferred on them by the DPL, including:
(a) the right to be informed about the purposes for which the individual's Personal Data are processed;
(b) the right to access the individual's Personal Data (known as a “subject access request”). Where a request is received on or behalf of a data subject pursuant to this right, it should be reported;
(c) the right to restrict the processing of the individual's Personal Data;
(d) the right to have incomplete or inaccurate Personal Data corrected;
(e) the right to ask the Funds to stop processing the individual's Personal Data;
(f) the right to be informed of a Personal Data breach (unless the breach is unlikely to be prejudicial);
(g) the right to complain to the Data Protection Ombudsman; and
(h) the right to require the deletion of the individual's Personal Data in some limited circumstances.
6.2 As mentioned above at 6.1 b), individual data subjects have the right to access their own personal data and receive information about its use. There are some exemptions to this right. Such a request must be made in writing. However, a request does not have to include the phrase 'subject access request' or refer to the DPL, as long as it is clear that the individual is asking for their own personal data. This may present a challenge as any staff could receive a valid request.
6.3 A copy of the personal data must be provided within a 30 day deadline. An individual is only entitled to their own personal data and certain information about the data, but not to information relating to other people (unless the information is also about them or they are acting on behalf of someone else). Therefore, it is important to vet and potentially redact the information provided. No fee can be imposed for providing a copy of the personal data, except in exceptional circumstances. Details of subject access requests received should be recorded. Cayman counsel can advise further if required.
6.4 In relation to the above rights, the Funds:
(a) have disclosed the purposes for processing individuals' Personal Data in the Funds' data protection notice;
(b) will act on a legitimate request from a data subject promptly; and
(c) will disclose breaches in accordance with the DPL.
7. Lawfulness, fairness and transparency
7.1 The Funds recognise that Personal Data must be processed lawfully, fairly and in a manner that is transparent to the individual whose Personal Data is being processed. We also recognise that Personal Data may only be processed for specified and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
7.2 The basis for the Funds' processing of Personal Data, including the purposes for which Personal Data are processed and the persons with whom Personal Data are shared, are disclosed in a data protection notice issued to investors. In summary, each Fund processes Personal Data: where it is necessary to perform contracts to which the data subjects are party or in the interests of the data subjects; where the processing is necessary for compliance with an applicable legal or regulatory obligation to which the Funds are subject; and for the Funds' legitimate interests, or those of a third party.
7.3 The Funds only rely on these legitimate interests where it is considered that, on balance, the Funds' legitimate interests are not overridden by data subjects' interests, fundamental rights or freedoms.
7.4 The Funds prohibit any processing for purposes not already disclosed in the notice unless the purpose is obvious. The Funds also prohibit disclosure to third parties not already specified in the notice unless such disclosure would be lawful. The Funds do not buy or sell Personal Data or otherwise seek to monetise it, and require those acting on our behalf to act accordingly.
8. Purpose limitation, data minimisation and accuracy
8.1 The Funds require that Personal Data be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Irrelevant or unnecessary data must not be collected and, if collected, it must be deleted without delay.
8.2 The Funds also require that Personal Data be accurate and, where necessary, kept up to date. Any inaccurate Personal Data must be erased or rectified without delay.
8.3 Personal Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data is processed. If there is no longer any legal, regulatory or legitimate business purpose to keep Personal Data, the Funds require that the data be erased or anonymised.
9. Storage limitation
9.1 The Funds keep Personal Data for as long as the Funds require it for legitimate business purposes, to perform contractual obligations, or such longer period as is required by law or regulation. The Funds will generally retain Personal Data relating to investors throughout the life cycle of any investment. Some Personal Data will be retained after an investor relationship ends.
9.2 As a general principle, the Funds do not retain Personal Data for longer than necessary. The Funds will usually delete Personal Data (at the latest) after an investor relationship ceases and there is no longer any legal or regulatory requirement or business purpose for retaining Personal Data.
10. Security, integrity and confidentiality
10.1 The Funds take seriously the obligation that Personal Data be processed in a manner that ensures the security of the Personal Data. This is particularly the case given the data includes financial information, and evidence of identity. The Funds recognise that protection against unauthorised or unlawful processing and against accidental loss, destruction or damage is critical.
10.2 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the rights and freedoms of individuals, each Fund implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, and requires those processing Personal Data on its behalf to do so.
11. Breach/INTERNAL COMMUNICATION AND CORRESPONDENCE WITH THE OMBUDSMAN
11.1 The Funds, and those processing Personal Data on the Funds' behalf, must have effective measures in place to enable the detection, investigation, and (where appropriate) timely reporting by the Funds to the Ombudsman (and impacted individuals) of Personal Data breaches.
11.2 If there is a Personal Data breach, the Funds will, without undue delay and, in any event, not later than 5 days after having become aware, notify the personal Data Breach to the Ombudsman and the impacted individuals. As also set out above the Ombudsman's recommended form for breach notification is included at Exhibit 2.
11.3 Wilshire Compliance on behalf of the Funds will also specify in such notice the measures taken in light of the breach, and those which individuals are recommended to take. The Funds will only refrain from reporting where the Personal Data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
11.4 The Funds, and those processing Personal Data on the Funds' behalf, shall document any Personal Data breaches, setting out the facts relating to the Personal Data breach, its effects and the remedial action taken. Given that trust is of paramount importance to the Funds' business, it is critical that the breach be appropriately investigated and reported without delay.
11.5 Staff and those associated with the Funds should make breach notifications as soon as possible after becoming aware of them to Wilshire Compliance.
11.6 Wilshire Compliance is responsible for considering any notifications and making any breach notifications to the Ombudsman.
11.7 Failing to notify a breach when required to do so is an offence under the DPL and can result in a conviction and a fine of up to one hundred thousand dollars. Failing to notify may also be subject to a monetary penalty imposed by the Ombudsman.
11.8 As with any security incident, Funds should investigate whether the breach was a result of human error or a systemic issue and see how a recurrence can be prevented – whether this is through better processes, further training or other corrective steps. Cayman counsel can advise further on data breaches if required
12. Cross-border transfer
12.1 The DPL requires specific measures to be taken where there is any transfer of Personal Data to jurisdictions which do not have a level of data protection comparable to that of the Cayman Islands. The Funds commit to transferring Personal Data to such jurisdictions only where they are satisfied that specific measures have been taken to ensure an adequate level of protection for data subjects and their Personal Data.
12.2 In particular, the Funds will require any such data transfers be performed pursuant to appropriate contractual terms. These provisions are addressed in agreements with Service Providers. The Funds will reserve the right to audit the measures put in place by the transferee so as to ensure an adequate degree of protection for data subjects and any Personal Data transferred.
13. Service PRovider Agreements
Service Provider
Agreement
U.S. Bancorp Fund Services
Amended and Restated Administration Agreement
Exhibit 1
Each of Wilshire Asia Private Markets Fund VIII (Offshore) L.P., Wilshire European Private Markets Fund VIII (Offshore) L.P., Wilshire Institutional Master Fund II SPC, Wilshire Institutional Master Fund SPC, Wilshire Private Markets Japan Master Fund III, Ltd., Wilshire U.S. Private Markets Fund VI (Offshore) L.P., and Wilshire European Private Markets Fund VIII (Offshore) L.P. (each, the “Fund”) is a fund created under the laws of the Cayman Islands. The purpose of this document is to provide you with information on the Fund's use of your personal data in accordance with the Cayman Islands Data Protection Law, 2017 (the " Data Protection Legislation").
If you are an individual investor, this will affect you directly. If you are an institutional investor that provides us with personal data on individuals connected to you for any reason in relation to your investment with us, this will be relevant for those individuals and you should transmit this document to such individuals or otherwise advise them of its content.
Your personal data will be processed by the Fund, and by persons engaged by the Fund. Under the Data Protection Legislation, you have rights, and the Fund has obligations, with respect to your personal data. The purpose of this notice is to explain how and why the Fund, and persons engaged by the Fund, will use, store, share and otherwise process your personal data. This notice also sets out your rights under the Data Protection Legislation, and how you may exercise them.
Your personal data
By virtue of making an investment in the Fund (including the initial application and ongoing interactions with the Fund and persons engaged by the Fund) or by virtue of you otherwise providing us with personal information on individuals connected with you as an investor (for example directors, trustees, employees, representatives, shareholders, investors, clients, beneficial owners or agents), you will provide us with certain personal information which constitutes personal data within the meaning of the Data Protection Legislation.
In particular, you will provide us with personal information within the forms and any associated documentation that you complete when subscribing for shares; when you provide it to us or our service providers in correspondence and conversations (including by email); when you make transactions with respect to the Fund; and when you provide remittance instructions.
We may also obtain personal data on you from other public accessible directories and sources. These may include websites; bankruptcy registers; tax authorities; governmental agencies and departments, and regulatory authorities, to whom we have regulatory obligations; credit reference agencies; sanctions screening databases; and fraud prevention and detection agencies and organizations, including law enforcement.
This includes information relating to you and/or any individuals connected with you as an investor in the Fund such as: name, residential address, email address, contact details, corporate contact information, signature, nationality, place of birth, date of birth, tax identification, credit history, correspondence records, passport number, bank account details, source of funds details and details relating to your investment activity.
How the Fund may use your personal data
The Fund, as the data controller, may collect, store and use your personal data for purposes including the following.
The processing is necessary for the performance of a contract, including:
The processing is necessary for compliance with applicable legal or regulatory obligations, including:
In pursuance of our legitimate interests, or those of a third party to whom your personal data are disclosed, including:
We will only process your personal data in pursuance of our legitimate interests where we have considered that the processing is necessary and, on balance, our legitimate interests are not overridden by your legitimate interests, rights or freedoms.
The Fund continues to be a data controller even though it has engaged the service providers (the " Service Provider") and other third parties to perform certain activities on the Fund's behalf.
Sharing your personal data
We may share your personal data with our affiliates and delegates. In certain circumstances we may be legally obliged to share your personal data and other financial information with respect to your interest in the Fund with relevant regulatory authorities such as the Cayman Islands Monetary Authority or the Tax Information Authority. They, in turn, may exchange this information with foreign authorities, including tax authorities and other applicable regulatory authorities.
The Fund’s affiliates and delegates may process your personal data on the Fund’s behalf, including with our banks, accountants, auditors and lawyers which may be data controllers in their own right. The Fund's services providers, such as the Service Provider, are generally processors acting on the instructions of the Fund. Additionally, a service provider may use your personal data where this is necessary for compliance with a legal obligation to which it is directly subject (for example, to comply with applicable law in the area of anti-money laundering and counter terrorist financing or where mandated by a court order or regulatory sanction). The service provider, in respect of this specific use of personal data, acts as a data controller.
In exceptional circumstances, we will share your Personal Data with regulatory, prosecuting and other governmental agencies or departments, and parties to litigation (whether pending or threatened) in any country or territory.
Sending your personal data internationally
Due to the international nature of our business, your personal data may be transferred to jurisdictions that do not offer equivalent protection of personal data as under the Data Protection Legislation. In such cases, we will process personal data or procure that it be processed in accordance with the requirements of the Data Protection Legislation, which may include having appropriate contractual undertakings in legal agreements with service providers who process personal data on our behalf.
Retention and deletion of your personal data
We will keep your personal data for as long as it is required by us. For example, we may require it for our legitimate business purposes, to perform our contractual obligations, or where law or regulation obliges us to. We will generally retain your personal data throughout the lifecycle of the investment you are involved in. Some personal data will be retained after your relationship with us ends. We expect to delete your personal data (at the latest) once there is no longer any legal or regulatory requirement or legitimate business purpose for retaining your personal data.
Automated decision-making
We will not make decisions producing legal effects concerning you, or otherwise significantly affecting you, based solely on automated processing of your personal data, unless we have considered the proposed processing in a particular case and concluded in writing that it meets the applicable requirements under the Data Protection Legislation.
Your rights
You have certain data protection rights, including the right to:
Contact us
We are committed to processing your personal data lawfully and to respecting your data protection rights. Please contact us if you have any questions about this notice or the personal data we hold about you. Our contact details are: c/o Wilshire Associates Incorporated, 1299 Ocean Avenue, Suite 700, Santa Monica, CA 90401, U.S.A., Email: Privacy@Wilshire.com marking your communication "Cayman Fund Data Protection Enquiry".
Exhibit 2
Please complete this form to the extent possible when notifying a personal data breach to the Office of the Ombudsman.
Please submit the completed form to: info@ombudsman.ky
Description
Answer
1.
Name and registered address of the reporting organization
2.
Nature of the incident
2.1.
Categories of data subjects concerned
2.2.
Types of personal data concerned
2.3.
Approximate number of data subjects concerned
2.4.
Approximate number of personal data records concerned
2.5.
Date and time the incident occurred
2.6.
Date and time the incident was first noticed
2.7.
Duration of the incident
2.8.
Location of the incident
2.9.
How the incident was discovered
3.
Name and contact details for communication purposes regarding the incident
3.1.
If the breach occurred at a data processor: Name and contact details of contact point at the data processor
4.
Likely consequence of the incident for the data subjects
5.
Measures taken to address the breach and/or mitigate its effect
6.
Measures proposed to address the breach and/or mitigate its effect
Wilshire has been applying highly tested theories and approaches to our client solutions since 1981.
Our clients rely on us to improve investment outcomes for a better future.