The Policy applies to both Tri-Pro Administrators Ltd (“TPA”) and Tri-Pro Services (Mauritius) Ltd (”TPS”). TPA and TPS are hereinafter collectively referred to as “Tripro”.
In this Policy, “Tripro”, “we”, “our” or “us” may refer to Tripro or any of Tripro’s subsidiaries and affiliates (and their respective successors in title).
1. Who we are
Tripro is a management company, licensed by the Mauritius Financial Services Commission to service individuals and corporate entities in reaching their objectives to manage their assets in the most cost effective way.
Tripro is registered as Data Controller (defined below) with the Data Protection Office in Mauritius and as such is bound to comply with the EU General Data Protection Regulation (“GDPR”) and the Mauritius Data Protection Act 2017 (“DPA”). The Policy forms part of Tripro’s obligation to be fair and transparent with each and every data subject whose personal data we process and to provide full information on how we process such personal data and what we do with it.
2. What is personal data?
Personal data relates to any information about a natural person that makes you identifiable.
We may process your personal data under the following situations:
- While providing our various services to you or to somebody connected to you; or
- In the course of providing services to or dealing with an entity by which you are employed or in which you have an interest.
3. What personal data we collect about you
We collect and process a series of data about people we deal with and those related to our clients and other counterparties. Such data might include (but is not limited to):
(i) Your personal details such as your:
- Date of Birth;
- Occupation/ profession;
- Marital Status;
- Country of residence;
- Tax Identification Numbers/ social security numbers;
- Employment history;
- Your home and professional addresses;
- Your work and personal contact details such as e-mail addresses, postal addresses and/or telephone number;
- Payroll and accounting data; and
- Bank account details.
(ii) Information about entities/ organisations or institution with which you are related such as:
- Banking and/ or any other service providers;
- Entities in which you hold an interest;
- Your advisor;
- Your intermediary/ agent; and
- Your employer.
(iii) Identification documents such as passport, ID card, driving licence or any other documents required by the laws of the Republic of Mauritius.
(iv) Address verification documents such as utility bill, bank statement, credit card statement, bank reference letter or professional reference letter or any other Information required by the laws of the Republic of Mauritius or provided through our recruitment process such as CVs.
(v) Contact details of people with whom you are connected, including your immediate family or next of kin.
(vi) Your marketing preferences.
(vii) Information which you provide to us in the course of corresponding with us.
4. What are sensitive/ special categories of personal data?
Sensitive or special categories personal data refer to the above but includes genetic data and biometric data. For example:
- Racial or ethnic origin;
- Political opinion or adherence;
- Religious or philosophical beliefs;
- Membership of a trade union;
- Physical or mental health or condition;
- Sexual orientation, practices or preferences;
- Genetic data or biometric data uniquely identifying the data subject;
- Commission or alleged commission of an offence by the data subject;
- Any proceeding for an offence committed or alleged to have committed by the data subject, the disposal of such proceedings or the sentence of any Court in the proceedings; or
- Such other personal data as the Commissioner may determine to be sensitive personal data.
We may also collect and process “special categories” of personal data in certain circumstances where we are required to for the purposes of our legal and/ or regulatory obligations including, but not limited to, legislation and regulatory obligations relating to Anti- Money Laundering and Combating the Financing of Terrorism and any other related legislation. This may include information regarding your racial or ethnic origins, political opinion and affiliations or information relating to criminal records.
5. What is a Data Controller?
For the purposes of GDPR and the DPA, the “Data Controller” means the person or organisation, alone or jointly with others, determines the purposes and means of the processing of personal data and has decision making power with respect to the processing.
The identity of the Data Controller for data protection purposes will vary depending on the company with which you are interacting with.
The data controller for TPA is TPA itself. TPA’s data protection officer is Urvashee CHATOORY, Assistant Compliance Manager who can be contacted at the above address or on firstname.lastname@example.org or by calling 4640889.
The data controller for TPS is TPS itself. TPS’sdata protection officer is Jaimie LAI CHOO, Director who can be contacted at the above address or on email@example.com or by calling 4640889.
6. What is a Data Processor?
A “Data Processor” is a person or organisation which processes personal data on behalf of the Data Controller.
7. What information do we collect about you and how?
We principally collect your personal data from the following sources:
(i) From information which you or your authorised representative give to us, including but not limited to:
- Information set out in any agreements entered into with us;
- Such forms and documents as we may request that are completed in relation to the incorporation of your entity and for ongoing administration purposes.
- Customer Due Diligence (“CDD”) documentation as part of our regulatory requirements; and
- Any personal data provided by you by way of correspondence with us by phone, e-mail or any other means.
(ii) Personal data we receive from you or any third party sources which may include:
- Entities in which you or someone connected to you has an interest;
- Your legal and/or financial advisors;
- Other financial institutions that hold and process your personal data to satisfy their own regulatory requirements;
- Credit reference agencies and financial crime databases for the purpose of complying with our regulatory requirements; and
- Information available on a public domain such as websites and media.
We may also collect and process your personal data in the course of dealing with advisors, regulators, official authorities and service providers by whom you are employed or engaged or for whom you act.
8. What is Lawful Processing?
For the processing of data to be lawful under the GDPR and the DPA, there are certain conditions that need to be met before we can process personal data.
Under the DPA, we are allowed to hold and process your personal data on the following six legal bases:
(i) You consent to the processing for one or more specified purposes;
(ii) The processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request before entering into a contract;
(iii) For compliance with any legal and regulatory obligations to which we are subject;
(iv) In order to protect your vital interests or another person;
(v) For the performance of a task carried out in the public interest; and
(vi) For the legitimate interests pursued by us or by a third party to whom data is disclosed, except if the processing is unwarranted in any particular case having regard to the harm and prejudice your rights and freedoms or legitimate interests.
Some of the above mentioned grounds for processing might overlap and there might be more than ground substantiating our use of your personal data.
9. What are the purposes for processing your data?
Pursuant to paragraph 8 of the Policy, we may process your personal data for the following purposes:
- To comply with anti-money laundering and terrorist financing legislations and requirements which include collecting, processing, transferring and storing CDD documentation, source of funds, source of wealth information and verification of data;
- To perform incorporation, administration and management of entities of our clients;
- For communication with you in relation to the administration services being offered by us;
- To liaise with or report to regulatory authorities with such as Registrar of Companies (“ROC”), Financial Services Commission Mauritius (“FSC”), Financial Intelligence Unit (“FIU”), Mauritius Revenue Authority (“MRA”) amongst others;
- To disclose your personal data to any bank or third party financial institution;
- To enforce or defend our rights, or those of third parties to whom we may delegate responsibilities in order to comply with a legal or regulatory obligations imposed on us;
- To send you newsletters, newsflash, important notices/ communiqué and general updates on the Mauritius and Global International Financial Services industry; and
- For marketing purposes.
Your personal data will only be used for the purposes for which we collected it (as listed above) except in circumstances where we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. In case we might need to use your personal information for an unrelated purpose, we shall notify you and explain the legal basis which allows us to do so.
10. To whom we may disclose your personal data?
We may disclose your personal data:
- To authorities such as ROC, FSC, MRA and FIU for performance of a legal or regulatory requirement; and
- To third parties including but not limited to banks, financial institutions, legal professionals, auditors, IT service providers under the terms and conditions of a contractual arrangement or appropriate delegation.
However, the authorised third parties may process your personal data abroad and may have to disclose it to foreign authorities for examples for anti money laundering and combating financing of terrorism.
In cases where such third parties act as data processors, we shall ensure that there is an appropriate agreement in place and that your personal data is processed according to applicable laws.
11. How long do we keep hold of your data for?
Your personal data will be retained as long as required:
- To fulfill the purposes for which the data was collected;
- In order to establish or defend legal rights or obligations or to satisfy any reporting or accounting obligations; and/or
- As required by other applicable laws or regulatory requirements.
12. Limitation of Liability
We respect your privacy and your personal data is always treated diligently and cautiously by our organisation. We aim to store and process your personal data in accordance with accepted market standards.
Whilst we have taken every reasonable care to ensure the implementation of appropriate technical and security measures, we cannot guarantee the security of your personal data over the internet, via email or via our website nor do we accept, to the fullest extent permitted by law, any liability for any errors in data transmission, machine, software or operating error or any other cause.
13. Keeping in mind Your Rights as Data Subject
The DPA introduces greater rights for you as data subject so as to be aligned with the enhanced rights afforded under the GDPR. These are:
(i) Right of Access;
(ii) Right of Rectification;
(iii) Right of Erasure;
(iv) Right of Restriction; and
(v) Right to Object.
What is Right of Access?
It is your right to request a copy of the information that we hold about you. If you would like a copy of some or all of your processed personal data, please email or write to us at the address mentioned in paragraph 15.8. We will respond to your request within one month of receipt of the request.
What is Right of Rectification?
We want to make sure your personal information is accurate and up to date. You may ask us to correct data you think is inaccurate by emailing or writing to us.
What is Right of Erasure?
You have the right to ask us to delete your personal data in the following course of events:
- The data is no longer necessary in relation to the purpose for which it was collected or otherwise processed;
- You withdraw your consent on which the processing is based and there is no other legal ground for processing;
- You object to the processing of your personal data and there is no legitimate ground to override this objection; and
- Your personal data has been unlawfully processed.
Right of restriction
In some situations, this right gives an individual an alternative to requiring data to be erased; in others, it allows the individual to require data to be held in limbo whilst other challenges are resolved.
If personal data is ‘restricted’, then we may only store the data, and not process it by any means. You may ask us to restrict the processing of your personal data under the following circumstances:
- You give us consent;
- The accuracy of the personal data is contested by an individual, for a period enabling the controller to verify the accuracy of the data;
- The controller no longer needs the personal data for the purpose of the processing, but the data subject requires them for the establishment, exercise or defence of a legal claim;
- The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; or
- When an individual has objected to processing (based on legitimate interests), then the individual can require the data to be restricted whilst the controller verifies the grounds for processing.
Right to object
You have a specific right to object. It is not an absolute right and it applies only in the following circumstances:
- When the processing of data falls in the category of direct marketing. In this case you can object at any time when your data is processed for direct marketing purposes.
- You can object if your data is processed for research or statistical purposes. This time, objecting is not an absolute right as it can be overridden is the research is necessary for the performance of a task carried out in the public interest.
- If the data is processed based on public or legitimate interests, objection is possible. In this case, the controller will need to demonstrate it has compelling legitimate interest to process the data that override the data subject’s rights and freedoms.
However, if we have processed your personal data under lawful processing conditions mentioned in paragraph 10, and you choose to object, we might no longer be in a position in that case to continue providing our services to you.
You have a right at any time to stop us sending you newsletters, newsflash, important notices/ communiqué and general updates on the Mauritius and Global International Financial Services industry.
To opt out please email us at: firstname.lastname@example.org
If you would like to exercise your rights in relation to the processing of your personal data, you may contact us on:
In Writing to: the Data Protection Officer,
Tripro Administrators Ltd, Level 5,
Maeva Tower, Bank Street,
Republic of Mauritius
Right to make a complaint
If you feel that your personal data has been processed in a way that does not meet the GDPR or DPA, you have a specific right to lodge a complaint with the relevant supervisory authority. The supervisory authority will then guide you of the progress and outcome of your complaint.
The supervisory authority in the Republic of Mauritius is the Data Protection Office, whose contact details are as follows:
The Data Protection Office,
5th floor, SICOM Tower,
Wall Street, Cybercity, Ebène,
Republic of Mauritius
Web address: http://dataprotection.govmu.org