The General Data Protection Regulation
Linna Biere, Managing Associate, IP/TMT
Josiane Schroeder, Counsel, Investment Funds
3 May 2018
The General Data Protection Regulation (GDPR)
“Creating a consistent data protection framework across the EU”
> Will apply directly in all Member States from 25 May 2018
> Directly effective in all Member States, without the need for national implementing laws
> Primarily applies to businesses established in the EU
> However, it will also apply to businesses based outside the EU that offer goods and services to, or monitor, individuals in the EU
> These businesses will need to appoint a representative in the EU
> It regulates the processing of personal data of individuals in the EU
The General Data Protection Regulation │ May 2018 │ 1
Processing of personal data
Data Subjects: individuals (e.g. employees, investors, representatives at supplier/customer)
Personal Data: information related to an identified/identifiable individual (directly or indirectly) (e.g. name, contact details, email, account number, IP addresses, cookie identifiers, etc.)
Data Controller: your company
Processing (= virtually every use of data)
Processing of data: key principles
Data processing must be:
> Fair, lawful, transparent
> Purpose limitation
> Adequate, relevant and limited
> Data accurate and up to date
> No longer than necessary
> Appropriate security measures
Processing of data: legal ground
> No processing allowed without a legal ground
> The processing of personal data is only lawful if it meets one processing condition
Consent requirements
“Can’t we just rely on consent to process personal data?”
Not always. The requirements for valid consent have been raised significantly. Consent must:
> Be freely given, specific, informed and unambiguous
> Be given by a clear affirmative action (no pre-ticked boxes)
> Be recorded (proof)
> When in writing, be clearly distinguished from other matters
> Not be relied upon where there is a clear imbalance of power (e.g. employees): no valid consent
. . . and it can be withdrawn at any time, and you must then stop processing this data, or rely on another legal ground. Put in place a process to manage requests to withdraw consent.
Expanded rights for individuals
“Am I going to get requests from individuals to withdraw consent, to object to processing, to be forgotten or to restrict their data?”
Possibly. Working out how this affects your business and making the associated process changes is likely to be a must.
“Are there any other requests I should be thinking about?”
Yes. Individuals also get the right to (or to ask for):
> Access
> Restrictions
> Rectification
> Data portability
> Erasure
> Objection (when based on legitimate or public interest, or for direct marketing)
Transparency – updating your privacy notice
What this means in practice – investment funds
Information to be provided to the individuals:
> Your identity (as a data controller) and contact details
> Categories of personal data processed
> Source of the personal data, including use of public sources
> Purpose and legal basis of processing. Where legitimate interests are relied upon, details of those interests
> Recipients or categories of recipients of personal data
> Details of any safeguards relied upon and the means to obtain copies of transfer agreements
> Details of any intended transfer outside the EU, with details of safeguards (SCC/BCR)
> Period for which data will be stored or the criteria used to determine this period
> A list of all individuals’ rights, including the right to withdraw consent if this is the basis for any processing
> Contact details of your data protection officer, if applicable
Accountability
Obligation to keep records and demonstrate compliance
> Notification to the DPA abolished
> Controller plus processor
> Risk-based approach
The key issue is how detailed this information needs to be
> Review and update your existing compliance policies. In some cases, you will need to create new policies
> Create and maintain a record of all the processing activities
Data protection officers – one major aspect of the accountability principle
Do funds need a DPO? Mandatory:
> If foreseen under national law
> Core activities consist of regular and systematic monitoring of data subjects on a large scale
> Core activities consist of large-scale processing of sensitive personal data
The DPO is responsible for monitoring compliance with the Regulation, providing information and advice, and liaising with the supervisory authority.
> Must report to the highest management level
> Can have one DPO (or team of DPOs) for the whole group
> Cannot be dismissed for performing duties
> Must have expert knowledge of DP law
Mandatory obligations for data processor contracts
Practical application to funds
The data processor must:
> Only process personal data on the documented instructions of the controller
> Keep the personal data secure
> Only use a sub-processor with the consent of the controller
> Ensure it flows down these obligations to any sub-processor
> Assist the controller to comply with requests from individuals exercising their rights to access, rectify, erase or object to the processing of their personal data
> Assist the controller with its security and data breach obligations, including notifying the controller of any personal data breach
> Return or delete personal data at the end of the agreement, save to the extent the processor must keep a copy of the personal data
Review your contracts with your processors and amend them accordingly
Transfers outside the EU
“Will it have an impact on my cross-border data transfers?”
GDPR principle = prohibition of transfers outside the EU (EEA)
But:
> Adequacy (white-listed countries incl. U.S. Privacy Shield)
> Derogations (e.g. consent, legitimate interest)
> Safeguards: standard clauses, BCR, bespoke clauses, certificate/code
Review your contracts with your processors and amend them accordingly
Safeguards for transfers outside the EU
Safeguard: BCRs
Comments: BCRs are a set of binding obligations under which a group of undertakings commit to process personal data in accordance with the Regulation
Pros: Will become increasingly important
Cons: BCRs do not cover transfers made to third parties. Prior approval from the CNPD required
Safeguard: Model Contracts
Comments: It will be possible to transfer personal data to a person outside the Union where the importer and exporter enter into the so-called Model Contracts
Pros: Quick to implement and involve limited formalities
Cons: Can be cumbersome for multiparty transfers unless adapted to operate as an intra-group agreement (for which authorisation might still be needed)
Safeguard: Code of Conduct
Comments: Transfers to an inadequate jurisdiction are possible if the importer has signed up to suitable Codes of Conduct or obtained suitable Certification
Pros: Potentially covers a wide range of transfers
Cons: Certification may be time consuming
Safeguard: Privacy Shield
Comments: Replacement to the U.S. Safe Harbor scheme. Companies certified under the Privacy Shield
Pros: Potentially covers a wide range of transfers
Cons: Only covers transfers to the U.S.
Data breach notification
Obligation to keep data secure (controller plus processor)
When “risk”: notify the DPA without undue delay and, where feasible, within 72 hours after becoming aware of the breach
When “high risk”: notify the data subjects “without undue delay”
Sanctions
“Is it really that bad if we don’t comply?”
Yes! Due to the combination of increased enforceability and higher fines, this now becomes a boardroom issue:
Fines up to the greater of:
> € 20 m or
> 4% annual worldwide turnover
Turnover on an “undertaking” basis: in principle group turnover
> Data subjects can seek compensation in courts
> Joint and several liability for controllers and processors (but contributory liability)
Getting compliant – what do I need to do?
> Keep track of guidance issued by supervisory authorities and the European Data Protection Board
> Consent: consider if you can rely on an alternative basis for processing, especially in light of the right to withdraw consent. If you do rely on consent, put in place processes to record and act on a withdrawal of consent
> Data subjects’ rights: based on that analysis, set up processes to capture, record and act on those requests
> Privacy notices: update your existing privacy notices to reflect new disclosure requirements
> Accountability: review and update your existing compliance policies. In some cases, you will need to create new policies. You will need to create and maintain a record of the processing you are carrying out (unless exempt)
> Data protection officers: work out if you need to appoint a data protection officer or consider if you want to make a voluntary appointment
> Data security: consider setting up a central breach management unit to collate, review and notify breaches, where appropriate
> Transfers outside the EU: review your current transfers and consider if they are justified under the Regulation
Questions
Your key contacts
Linna Biere
IP/TMT Managing Associate, Luxembourg
Tel: +352 2608 8354
Email: linna.biere@linklaters.com
Linna joined the Linklaters Luxembourg IP TMT practice in 2012. Since joining Linklaters, Linna acquired experience in advising clients, in particular within the financial sector, in aspects of outsourcing, e-commerce, e-payment solutions and in copyright, trademark and patent law, regulatory compliance as well as data protection law compliance. Linna also advises clients on environmental and administrative law as well as on litigation matters. Linna is a Member of the Bar of Frankfurt, Germany and a member of the Luxembourg Bar.
Josiane Schroeder
Investment Funds Counsel, Luxembourg
Tel: +352 2608 8275
Email: josiane.schroeder@linklaters.com
Josiane specialises in all types of investment fund-related matters, for both traditional and alternative funds. She advises major international fund houses and asset managers, including U.S. and Asia-based clients. As a highly experienced and versatile funds lawyer, Josiane advises on matters managing, on the setting up of funds, on eligible investments and on investment restrictions, on fund mergers (both domestic and international), demergers, on liquidations and restructurings. She has particular expertise on funds set up under the Undertakings for Collective Investment in Transferable Securities (UCITS) directives. She has assisted many funds and fund management companies in dealing with the requirements of the successive UCITS directives.
Linklaters
35 Avenue John F. Kennedy
P.O. Box 1107
L-1011 Luxembourg
Tel: +352 26 08 1
Fax: +352 26 08 88 88
Linklaters LLP is a limited liability partnership registered in England and Wales with registered number OC326345. It is a law firm authorised and regulated by the Solicitors Regulation Authority. The term partner in relation to Linklaters LLP is used to refer to a member of Linklaters LLP or an employee or consultant of Linklaters LLP or any of its affiliated firms or entities with equivalent standing and qualifications. A list of the names of the members of Linklaters LLP and of the non-members who are designated as partners and their professional qualifications is open to inspection at its registered office, One Silk Street, London EC2Y 8HQ, England or on www.linklaters.com. This document contains confidential and proprietary information. It is provided on condition that its contents are kept confidential and are not disclosed to any third party without the prior written consent of Linklaters. Please refer to www.linklaters.com/regulation for important information on our regulatory position.