By Craig Cordle – Data protection and privacy laws have been reformed across Europe by Regulation (EU) 2016/679, commonly known as the General Data Protection Regulation (GDPR) which came into force on 25 May 2018. The GDPR builds on existing legislation and seeks to harmonise and enhance data protection and privacy laws across the EU. It also introduces significant fines in respect of breaches.
Guernsey’s Data Protection (Bailiwick of Guernsey) Law 2017, which mostly mirrors the requirements of the GDPR, came into force on the same day. The DP Laws apply the requirements of the GDPR on a global basis (that is, not only in respect of data relating to EU-resident individuals). Importantly, this means that Guernsey is likely to continue to be classed by the European Commission as an adequate third country to which data can be transferred, which can only be good news for Guernsey service providers.
The GDPR has immediate effect in EU Member States and, therefore, automatically applies to organisations which are established in the EU. However, it also has extra-territorial scope, and applies to third country organisations which have an establishment in the EU or where the processing of personal data relates to: a) the offering of goods or services to EU residents; or b) the monitoring of the behaviour of EU residents where the behaviour takes place in the EU.
In the context of investment funds, the offering of interests in a fund is generally considered to be an “offer of goods or services”, thereby bringing funds within the scope of the GDPR.
Personal data is any information in respect of which a natural person can be identified, such as their name, address, identification number, as well as online identifiers (including cookies). This type of data is typically collected from investors during the subscription process.
However, the GDPR imposes a higher compliance burden in respect of “special category data” which includes data revealing racial origin, political opinions or religious beliefs. The latter category is unlikely to be relevant for most funds, though sharia funds, socially responsible or ethical investing funds could find that they hold special category data. In addition, political affiliations of PEPs may result in such data being held.
The following action points should assist funds and service providers set their priorities:
• Carry out a full mapping of the types and sources of personal data collected, identify who might potentially control and/or process the data, for what purposes and how the data moves between the fund and its service providers.
• Consider the legal basis on which the data is processed. Under pre-GDPR regimes, investor consent was typically used as the legal basis for processing personal data. This may still be appropriate, particularly where a vehicle is very closely held or where the consent of investors is easy to obtain (and update, if necessary).
• Prepare a notification to investors (commonly referred to as a Privacy Notice) which complies with the prescribed disclosures set out in the GDPR. Privacy Notices are quite lengthy documents as they must detail clearly and in plain language specific information including the purposes for which data is to be used, the legal basis for each such use, an explanation of the rights of investors as data subjects and how to exercise them.
• Amend the fund documents. It is likely that offering documents will contain data protection language requiring updating.
The expectation is that reliance will be placed on fund administrators to provide the resources and infrastructure required for these activities, though it is important to note that data controllers retain responsibility for damage caused by processing data in contravention of the GDPR. Fund and management boards should also, therefore, be trained in the requirements of the GDPR.