GDPR and its impacts on investment funds

ALFI

Adopted in 2016, the EU General Data Protection Regulation [1] will apply from 25 May 2018 to all types of businesses, including the financial services and investment funds sector. The regulation builds on the existing data protection framework but reinforces it in many respects.
 
In 2017, ALFI set up a dedicated working group, which is in the process of publishing a first Question-and-Answer document for ALFI's membership. The first issue will probably be followed by further editions over the coming months.
The protection imposed by the GDPR will apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. Both the processing of personal data wholly or partly by automated means and processing other than by automated means are in scope.
Personal data processed by investment funds and their managers typically include data of their employees, data obtained from fund investors and counterparties, data collected regarding portfolio investments and data of third party service providers or other third parties.
 
Who is the data controller and who is the data processor?
Before updating fund documentation, data privacy notices and service agreements, it is crucial to analyse all data flows between all internal and external parties. This mapping of data processing activities will help to determine the respective roles of the data controller and data processor. Typically, the funds and their managers – either one of them or jointly – are considered as controllers, i.e. as those who set the purposes and means. Data processors in fund structures can also be, for example, transfer agents, paying agents, corporate secretariat services or tax reporting services. In order to avoid gaps or misunderstandings, it is crucial that the fund and manager on the one hand and the service providers on the other hand share and discuss their analyses. It is important to note that the roles cannot be determined consistently for all cases, which means that individual analyses need to be conducted.
Regarding investment funds, the purposes and means include, for example, the subscription of fund shares/units, the execution of AML/KYC checks on investors, the maintenance of share-/unitholder registers, the sending of investment information to existing investors, the execution of corporate actions, the distribution of cash flows, the provision of corporate secretariat services and the performance of tax reporting.
 
Once the parties involved have sorted out their respective roles, they can process data by respecting six basic principles. According to the GDPR, personal data shall be:

  • processed lawfully, fairly and in a transparent manner in relation to the data subject;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The data controller will be responsible for compliance with these principles and must be able to demonstrate that compliance. To this end, the fund or its managers (but also the processor) should keep records of all processing activities.
In order to avoid fines of up to 20 million euros or even more for non-compliance, funds, their managers and service providers should duly review their processes, train staff and be transparent towards both investors and supervisory authorities.
 
Submitted by Susanne Weismüller, Senior Legal Adviser, ALFI
Photo source: ALFI

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the ‘GDPR’