What U.S.- Based Investment Advisers Should Know

Size: px
Start display at page:

Download "What U.S.- Based Investment Advisers Should Know"

Transcription

1 BulletPoint June 2018 What U.S.- Based Investment Advisers Should Know The European Union s ( EU ) General Data Protection Regulation (the GDPR ) became effective on May 25, 2018, and provides individuals in the EU with greater control over the collection, use, storage, transfer, deletion and other types of processing of their personal data. While investment advisers typically already comply with data protection requirements governing financial services in the U.S. and elsewhere, the recent implementation of the GDPR requires a careful review of the firm s operations, as well as possible changes and enhancements to remain compliant. Below is a summary of GDPR provisions that are relevant to U.S.-based investment advisers, regardless of whether they have a physical presence in the EU. 1 A. What is the GDPR s Territorial Scope? The GDPR s territorial scope is very broad. It applies to (i) investment advisers that are established in the EU, including U.S.-based investment advisers that have a physical presence in the EU and (ii) investment advisers outside of the EU if they are providing investment advisory services to a fund in which an individual in the EU is invested or has entered into an investment advisory relationship directly with an individual in the EU. 2 1 Our November 2017 BulletPoint memo titled General Data Protection Regulation Affects Investment Advisers with EU Clientele provides a general overview of how the GDPR affects U.S.- based investment advisers who have clients in the EU. 2 The applicability of the GDPR does not depend on an individual s citizenship or residency. For example, Accordingly, the GDPR applies to U.S.-based investment advisers that have (i) EU individuals as clients, (ii) EU individuals as investors in the funds they manage, or (iii) employees in the EU. This is the case even if such investment advisers have no physical presence in the EU. The GDPR is also in effect in the United Kingdom, despite Brexit. B. How is Personal Data Defined Under the GDPR? The GDPR protects the rights of data subjects, which are individuals (not entities) in the EU, with respect to their personal data. For investment advisers, data subjects are most likely to be investors in the funds the investment adviser manages, individual investment advisory clients, and employees in the EU. The GDPR defines personal data as any information relating to an identified or identifiable natural person. The GDPR provides that an identifiable natural person is one who can be identified by data such as: Name; Identification number; Location data; An online identifier; or Other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person. the GDPR applies to the personal data of U.S. citizens who are physically present in the EU.

2 Personal data includes data regarding individuals in the EU that is collected by investment advisers from their clients and from investors in their funds, in know your customer documents, and in subscription documents (including the investor s name, national identification number, address, employment information, date of birth and financial and investment qualifications). C. How Can Investment Advisers Obtain Legal Authority to Process Personal Data? Investment advisers are permitted to process the personal data of individuals in the EU (including an investment adviser s employees in the EU) only if they have legal authority to do so. The GDPR provides that processing is lawful only in certain circumstances, such as: The individual has given affirmative opt-in consent to the processing of his or her personal data for one or more specific purposes, after sufficient information is provided to the individual (note that consent can be withdrawn at any time); o The disclosure the investment adviser provides should be in clear and plain language, and ideally include the topics described in Item #4 of Section H. below. Processing is necessary for the performance of a contract to which the individual is party, or to enable the investment adviser to take steps at the request of the individual prior to entering into a contract; Processing is necessary for compliance with a legal obligation to which the investment adviser is subject; or When an individual in the EU becomes a new client of an investment adviser, the most prudent course of action for the investment adviser typically will be to obtain (and document) the affirmative consent of the client to the processing of his or her personal data for the specific purposes that the investment adviser discloses in writing. The disclosure and consent can be obtained via the subscription documents completed by prospective fund investors, and the managed account agreement with an advisory client. With respect to existing clients who are individuals in the EU, investment advisers should consider obtaining affirmative consents or, in lieu of obtaining such consents, the adviser may seek to rely on another method of legal authority (such as the performance of a contract or legitimate interests). As noted above, obtaining and documenting consent is not the only way to obtain legal authority to process the personal data of individuals in the EU, but will typically be the most prudent way to do so, as it is easier to demonstrate that consent was obtained than to argue whether another legal basis such as legitimate interests exists. D. What Other Rights Do Individuals in the EU Have Under the GDPR? The GDPR guarantees other rights to individuals in the EU with respect to their personal data, including: The right to be notified regarding how the investment adviser will use their personal data (such notice must be clear and specific; it cannot be vague and replete with legalese); The right to access their personal data; Processing is necessary for the purposes of the legitimate interests pursued by the investment adviser or by a third party, unless these legitimate interests are overridden by the interests or fundamental rights and freedoms of the individual. The ability to instruct an entity to erase their personal data (a.k.a., the right to be forgotten ); The ability to instruct an investment adviser to correct inaccurate personal data; 2

3 The ability to restrict an investment adviser s processing of personal data in certain circumstances; Assist the investment adviser in complying with certain other obligations under the GDPR (such as data breach notification); The ability to move their personal data from one organization to another in certain circumstances; and The right to be notified of data breaches in most situations. Delete or return all the personal data to the investment adviser once the third party no longer is providing services, and delete existing copies of such data unless applicable law requires the storage of the personal data; and E. Third Party Vendors When an investment adviser uses the services of a third party (such as an administrator) to process the personal data of individuals in the EU, the GDPR requires that investment adviser to use only those third parties who have implemented appropriate technical and organizational measures to satisfy the requirements of the GDPR. An investment adviser, therefore, must conduct appropriate due diligence on the vendors that it selects to process personal data on its behalf. The GDPR also requires that the processing of personal data by a third party be governed by a contract or other legal act under EU or national law. Among other things, that contract or other legal act must provide that the third party will: Process personal data only in accordance with documented instructions from the investment adviser; Commit to confidentiality; Implement appropriate technical and organizational measures to protect the security of the personal data it processes for the investment adviser; Not engage another entity to process the personal data, without prior written authorization of the investment adviser; Assist the investment adviser in complying with its obligation to respond to individuals requests to exercise their rights under the GDPR; Allow for, and contribute to, audits by the investment adviser. F. Data Protection Officer or Representative Investment advisers should determine whether they need to hire or retain a Data Protection Officer ( DPO ). DPOs have specific enumerated rights and duties under the GDPR, including being the point of contact for EU regulators and EU individuals concerning the organization s compliance with the GDPR. The types of entities listed below are required to hire or otherwise retain a DPO. (It would likely not be typical for an investment adviser to need a DPO). Entities whose core activities involve regular and systematic monitoring of data subjects on a large scale, or Entities that conduct large-scale processing of special categories of personal data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and the like. Even where a DPO is not required, however, the GDPR requires organizations to designate in writing a representative to be in charge of ensuring compliance with the GDPR. Such representative would be the point of contact for EU regulators and EU individuals concerning the organization s compliance with the regulation. Furthermore, the text of the GDPR provides that the representative must be established in an EU country in which one or more individuals whose personal data the adviser processes reside. The data representative can be an employee, or 3

4 the adviser may hire a company in the EU to act as the representative. G. How Can Personal Data Legally Be Transferred Out of the EU? An investment adviser must have a valid legal basis to transfer personal data from the EU to a country outside the EU. Currently, three methods are available to legally transfer personal data from the EU to the United States: The EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework: Self-certification under either framework is voluntary. However, once an investment adviser commits to comply with either framework, that commitment becomes enforceable under U.S. law. Binding Corporate Rules: Binding corporate rules are internal rules that would be established by the investment adviser to address data transfers out of the EU. Such rules enable multinational investment advisers to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of data protection. The GDPR provides a lengthy list of subjects that an investment adviser s binding corporate rules must address, and an investment adviser s draft binding corporate rules must be approved by data privacy regulators in the EU countries in which it operates. Model Contractual Clauses: These are specific standard clauses to be included within contracts (or as stand-alone contracts) between entities or individuals in the EU and entities outside the EU. 3 If parties modify the language in those model clauses, however, there is a risk that regulators will determine that the modified language is insufficient to grant legal protection to the transfers. H. What Steps Should Investment Advisers Consider Taking to Prepare for GDPR s Implementation? Investment advisers should consider taking the following steps to prepare for GDPR s implementation: 1. Determine whether you are subject to the GDPR. As noted above, investment advisers who either have a physical presence in the EU, have employees in the EU or have investors or clients in the EU (even without a physical presence in the EU) will most likely be subject to the GDPR. 2. Determine what personal data you currently process, and determine what personal data must be processed for your legitimate business purposes. Investment advisers should not process more personal data than is necessary to operate their normal business activities. 3. Determine where personal data is stored, and who has access to such data. Only personnel within the firm who need to access the personal data should be able to do so. 4. Review subscription agreements, prospectus disclosures, data protection policies, investor onboarding documentation and other documents to address compliance with the GDPR. Disclosures regarding personal data should be in clear and plain language, and ideally would cover at least the following topics: The types of personal data being collected; The manner in which personal data may be collected, used, stored, transferred, erased or otherwise processed; Disclosure of the third parties to whom the investment adviser might transfer or otherwise disclose personal data; 3 Courts in the EU may later determine that the model contractual clauses will no longer be a valid method to transfer personal data outside the EU. The length of time personal data will be retained (or alternatively, the criteria used to determine how long personal data will be retained); 4

5 Description of individuals data protection rights under the GDPR; and How individuals can withdraw their consent to the processing of their personal data; 5. Determine whether you need to obtain consent from individuals in the EU to process their personal data, and maintain a record of all consents obtained. Such consent can be obtained from new investors in a fund in the subscription documents completed by such investors, and from new clients as part of their managed account agreement with the investment adviser. With respect to existing clients and investors, any necessary consents can be obtained via a new communication (operating as a standalone consent or an amendment to a current agreement). The request for consent must be clearly distinguishable from the other matters addressed in those agreements. Moreover, consent can be withdrawn at any time. 6. If you have any employees in the EU, review relevant employment agreements and employee handbooks. 7. Determine whether you have the organizational and technological means in place to handle requests from individuals in the EU regarding their personal data in a timely manner (typically within one month). 8. Update your data breach incident response plan as necessary. The GDPR provides that where feasible, the applicable data protection authority should be notified within 72 hours after you have become aware of a data breach (unless an exception applies). Moreover, in many cases you must also notify affected individuals without undue delay. 9. Determine whether you transfer personal data to any third parties for processing (e.g., to service providers such as administrators, paying agents and distributors). Conduct appropriate diligence on each third party s privacy and security measures, and put contracts in place with each of those third parties that meet the GDPR s requirements. 10. Ensure that your employees are aware of the GDPR s requirements that relate to their normal duties, and train employees as necessary. 11. If you transfer personal data from the EU to countries outside the EU, establish a mechanism to do so legally (See Section G., above). 12. Hire or engage a DPO (if required) or a representative to handle compliance with the GDPR. 13. Review existing insurance coverage to determine whether it is sufficient in light of the GDPR. I. What Are the Potential Penalties for Non- Compliance With the GDPR? Regulators can assess steep penalties for noncompliance with GDPR. Lower tier violations may result in penalties of the greater of 10 million or 2% of the entity s global gross revenue for the preceding financial year. Upper tier violations may result in penalties of the greater of 20 million or 4% of the entity's global gross revenue for the preceding financial year. For more information on the topic discussed, contact Michael Riela at riela@thsh.com or (212) or Beth Smigel at smigel@thsh.com or (212) , or your usual contact at Tannenbaum Helpern. About Tannenbaum Helpern s Cybersecurity and Data Privacy Practice Tannenbaum Helpern s Cybersecurity and Data Privacy practice regularly advises investment advisers and other types of clients in managing and responding to the ever-evolving data privacy and cybersecurity landscape. We provide the following types of services: 1. Prevention: Helping clients develop proactive procedures and policies designed to mitigate their risk of data security breaches, and to help 5

6 them be prepared to deal with security breaches efficiently when they inevitably do occur; 2. Compliance: Helping clients comply with applicable privacy and security laws and regulations, including the GDPR and the SEC s cybersecurity rules and guidance; 3. Risk Reduction: Negotiating contractual protections with vendors and contractors who have access to clients and their customers information, conducting employee training to recognize and avoid security threats, and directing clients in how to obtain appropriate cybersecurity insurance protection; 4. Response: Responding to data breach incidents when they occur, including implementing breach response and notification plans as required by applicable law, and liaising with law enforcement and other immediate responders such as insurance companies, forensic experts, technical consultants, and public relations professionals; and 5. Dispute Resolution: Defending clients in connection with any disputes and legal claims that arise from cyber breaches. BulletPoint is a newsletter of Tannenbaum Helpern Syracuse & Hirschtritt LLP s Financial Services, Private Funds and Capital Markets Department. It is an alert covering recent regulatory and tax developments impacting the financial services industry. To subscribe for the newsletter, send to marketing@thsh.com. About Tannenbaum Helpern Syracuse & Hirschtritt LLP Since 1978, Tannenbaum Helpern Syracuse & Hirschtritt LLP has combined a powerful mix of insight, creativity, industry knowledge, senior talent and transaction expertise to successfully guide clients through periods of challenge and opportunity. Our mission is to deliver the highest quality legal services in a practical and efficient manner, bringing to bear the judgment, common sense and expertise of well trained, business minded lawyers. Through our commitment to service and successful results, Tannenbaum Helpern continues to earn the loyalty of our clients and a reputation for excellence. For more information, visit Follow us on LinkedIn and The effective management of cyber risk often requires input from insurance professionals, information technology experts, forensics experts, public relations experts and others. Our Cybersecurity and Data Privacy practice can connect you with qualified professionals in these fields. 6

Data Privacy Alert: California Consumer Privacy Act of 2018 Just Enacted

Data Privacy Alert: California Consumer Privacy Act of 2018 Just Enacted 2018 Data Privacy Alert: California Consumer Privacy Act of 2018 Just Enacted After only a few days of legislative debate, Governor Jerry Brown of California signed a bill enacting the California Consumer

More information

GlobalNote October 2012

GlobalNote October 2012 GlobalNote October 2012 Selected Exemption Provisions in the US Affecting Non-US Investment Advisers This memorandum addresses regulatory matters in the United States that most affect non-us investment

More information

New legislation brings changes to how data is handled

New legislation brings changes to how data is handled New legislation brings changes to how data is handled April 2018 Lockton Companies New European Union (EU) data protection rules may require changes to how businesses handle personal data even if the businesses

More information

Michael R. Cohen CIPP/US, CIPP/E Gray Plant Mooty. Overview of the EU General Data Protection Regulation (GDPR)

Michael R. Cohen CIPP/US, CIPP/E Gray Plant Mooty. Overview of the EU General Data Protection Regulation (GDPR) Michael R. Cohen CIPP/US, CIPP/E Gray Plant Mooty Overview of the EU General Data Protection Regulation (GDPR) WHAT YOU NEED TO KNOW ABOUT THE EU GENERAL DATA PROTECTION REGULATION (GDPR) What is the GDPR?

More information

The GDPR how to prepare MiFID II where are we now? Wednesday 21 February 2018

The GDPR how to prepare MiFID II where are we now? Wednesday 21 February 2018 The GDPR how to prepare MiFID II where are we now? Wednesday 21 February 2018 GDPR so far The EU General Data Protection Regulation (Regulation (EU) 2016/679) comes into effect on 25 May 2018 Aims to protect:

More information

Aegon Asset Management Europe ICAV ( the Fund ) Data Protection Policy

Aegon Asset Management Europe ICAV ( the Fund ) Data Protection Policy Aegon Asset Management Europe ICAV ( the Fund ) Data Protection Policy Contents Definitions.. 2 The Product... 2 Fund Board Governance... 2 Delegation of the Processing of Personal Data... 2 Data Protection

More information

Pension Trustees. Final Countdown to the GDPR

Pension Trustees. Final Countdown to the GDPR Pension Trustees Final Countdown to the GDPR Introduction The General Data Protection Regulation (GDPR) will come into force in all EU Member States in May 2018. It is not a radical departure from the

More information

GROUP PRIVACY POLICY. Adopted June 20th, 2017 by each of the Boards of Carnegie Holding AB and Carnegie Investment Bank AB (publ).

GROUP PRIVACY POLICY. Adopted June 20th, 2017 by each of the Boards of Carnegie Holding AB and Carnegie Investment Bank AB (publ). GROUP PRIVACY POLICY Adopted June 20th, 2017 by each of the Boards of Carnegie Holding AB and Carnegie Investment Bank AB (publ). 1 PURPOSE AND SCOPE 1.1 The aim of this policy is to establish uniform,

More information

Member Circular March Implementation of the EU General Data Protection Regulation 2016/679 General Guidance to Members

Member Circular March Implementation of the EU General Data Protection Regulation 2016/679 General Guidance to Members Member Circular March 2018 Implementation of the EU General Data Protection Regulation 2016/679 General Guidance to Members Introduction Regulation (EU) 2016/679 containing the General Data Protection

More information

General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR) General Data Protection Regulation (GDPR) January 2018 Lockton Companies After several years of extensive negotiation, the European Union (EU) adopted the General Data Protection Regulation (GDPR) 1 on

More information

The GDPR Possible Impact on the Life Sciences and Healthcare Sectors

The GDPR Possible Impact on the Life Sciences and Healthcare Sectors February 14, 2017 The GDPR Possible Impact on the Life Sciences and Healthcare Sectors Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016, (the GDPR ) came into force

More information

Privacy Statement v 1.1

Privacy Statement v 1.1 Privacy Statement v 1.1 Context and Overview This notice will take effect from 25/05/2018 Burke Insurances Ltd. is committed to protecting and respecting your privacy. It is the intention of this privacy

More information

The General Data Protection Regulation (GDPR): action plan for pension scheme trustees

The General Data Protection Regulation (GDPR): action plan for pension scheme trustees The General Data Protection Regulation (GDPR): action plan for pension scheme trustees July 2017 (revised March 2018) Pension briefing HIGHLIGHTS The European General Data Protection Regulation (GDPR)

More information

CLOUDINARY DATA PROCESSING ADDENDUM

CLOUDINARY DATA PROCESSING ADDENDUM CLOUDINARY DATA PROCESSING ADDENDUM This Data Processing Addendum ( DPA ) forms part of the agreement for the subscription by the Customer to the Cloudinary Service ("Subscription Agreement") between Cloudinary

More information

DATA PROCESSING ADDENDUM

DATA PROCESSING ADDENDUM Page 1 of 20 DATA PROCESSING ADDENDUM This Data Processing Addendum ( DPA ) forms a part of the Customer Terms of Service found at https://slack.com/terms-of-service, unless Customer has entered into a

More information

Management of Personal Information Policy (Privacy Policy)

Management of Personal Information Policy (Privacy Policy) Management of Personal Information Policy (Privacy Policy) Henkel Australia and New Zealand Prepared by: Reviewed by: Human Resources Henkel Australia ANZ EXCOM Henkel Australia & New Zealand Approved

More information

Privacy Policy Statement

Privacy Policy Statement Privacy Policy Statement QuoteDevil is committed to protecting and respecting your privacy. It is the intention of this privacy policy statement to explain to you the information practices of QuoteDevil

More information

Institutional Investment Advisors Limited

Institutional Investment Advisors Limited Institutional Investment Advisors Limited Privacy Notice This Privacy Notice explains how we use the personal information that Institutional Investment Advisors collects or generates in relation to our

More information

Banks Sheridan Limited Data Protection Privacy Policy 19 May 2018

Banks Sheridan Limited Data Protection Privacy Policy 19 May 2018 Banks Sheridan Limited Data Protection Privacy Policy 19 May 2018 1. Introduction This Policy sets out the obligations of Banks Sheridan Limited ( the Company ) regarding data protection and the rights

More information

All Sorts UK Limited Data Protection Policy 17 th May 2018

All Sorts UK Limited Data Protection Policy 17 th May 2018 All Sorts UK Limited Data Protection Policy 17 th May 2018 1. Introduction This Policy sets out the obligations of All Sorts UK Limited, a company registered in England under number 03534972, whose registered

More information

GDPR : We protect your data

GDPR : We protect your data GDPR : We protect your data Dear customer, From the 25th May 2018 the new law of Personal Data Protection (GDPR) will enter into force. At Almagest Wealth Management S.A., we understand your need to be

More information

California s Consumer Privacy Act Vs. GDPR

California s Consumer Privacy Act Vs. GDPR Portfolio Media. Inc. 111 West 19 th Street, 5th Floor New York, NY 10011 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com California s Consumer Privacy Act Vs. GDPR

More information

Man and Machine - Data Protection Policy

Man and Machine - Data Protection Policy Man and Machine - Data Protection Policy 1. Introduction This Policy sets out the obligations of Man and Machine Ltd, whose registered office is at Unit 8 Thame 40, Jane Morbey Road, Thame, Oxfordshire,

More information

GDPR DATA PROCESSING ADDENDUM INSTRUCTIONS FOR JOSTLE CUSTOMERS

GDPR DATA PROCESSING ADDENDUM INSTRUCTIONS FOR JOSTLE CUSTOMERS GDPR DATA PROCESSING ADDENDUM INSTRUCTIONS FOR JOSTLE CUSTOMERS WHO SHOULD EXECUTE THIS DPA: If you have determined that you qualify as a data controller under the GDPR, and need a data processing addendum

More information

Moxtra, Inc. DATA PROCESSING ADDENDUM

Moxtra, Inc. DATA PROCESSING ADDENDUM Moxtra, Inc. DATA PROCESSING ADDENDUM This Data Processing Addendum ( DPA ) forms a part of the Terms of Service found at http://moxtra.com/terms-of-service/, unless Company has entered into a superseding

More information

Data Processing Appendix

Data Processing Appendix Data Processing Appendix This Data Processing Appendix (the Appendix ) is attached to and forms part of the Supplier General Terms and Conditions (the Agreement ) between Nebula Oy ( Supplier ) and customer

More information

Pension Trustees Final Countdown To GDPR

Pension Trustees Final Countdown To GDPR Pension Trustees Final Countdown To GDPR " ROBERT HANIVER SENIOR ASSOCIATE/TECHNOLOGY MASON HAYES & CURRAN " STEPHEN GILLICK PARTNER/PENSIONS MASON HAYES & CURRAN The General Data Protection Regulation

More information

PREPARING FOR THE EU GDPR IN RESEARCH SETTINGS

PREPARING FOR THE EU GDPR IN RESEARCH SETTINGS PREPARING FOR THE EU GDPR IN RESEARCH SETTINGS May 22, 2018 1 1 This guidance document is based on information available as of May 22, 2018. As the GDPR is enforced and further guidance is provided this

More information

CP is licenced and supervised by the Commission de Surveillance du Secteur Financier (hereinafter CSSF ).

CP is licenced and supervised by the Commission de Surveillance du Secteur Financier (hereinafter CSSF ). PRIVACY NOTICE Introduction -Who Are We? Compliance Partners S.A. (hereinafter CP ) is a service provide headquartered in Luxembourg, providing a full range of services in all areas of compliance, substance

More information

Guidance: The new EU General Data Protection Regulation: Implications for Australia

Guidance: The new EU General Data Protection Regulation: Implications for Australia Guidance: The new EU General Data Protection Regulation: Implications for Australia Introduction After years of negotiations, the new EU General Data Protection Regulation (GDPR) was passed in 2016, bringing

More information

DATA PROTECTION ADDENDUM

DATA PROTECTION ADDENDUM DATA PROTECTION ADDENDUM In the event an agreement ( Underlying Agreement ) entered into by and between (i) either Sunovion Pharmaceuticals Inc. or its subsidiary, Sunovion Pharmaceuticals Europe Ltd.

More information

EU Data Processing Addendum

EU Data Processing Addendum EU Data Processing Addendum This EU Data Processing Addendum ( Addendum ) is made and entered into by and between AlienVault, Inc., a Delaware corporation ( AlienVault ) and the customer specified in the

More information

Amgen Binding Corporate Rules (BCRs) Public Document

Amgen Binding Corporate Rules (BCRs) Public Document Amgen Binding Corporate Rules (BCRs) Public Document Introduction: Amgen is a biotechnology leader committed to serving patients with grievous illness. Binding Corporate Rules (BCRs) express Amgen s commitment

More information

DATA PROCESSING ADDENDUM

DATA PROCESSING ADDENDUM This Data Processing Addendum (the DPA ) forms part of Telia Bedriftsavtale or other written or electronic agreement between the Parties for the purchase of telecommunication services, and regulates any

More information

We take privacy and security of your information seriously and will only use such personal information as set out in this Privacy Notice.

We take privacy and security of your information seriously and will only use such personal information as set out in this Privacy Notice. Data Protection Privacy Notice for Shareholders This Privacy Notice sets out how personal data is collected, processed and disclosed in connection with The Renewables Infrastructure Group Limited (the

More information

Even If You Are a U.S. Company, Don t Ignore the GDPR: Complying with the EU s New Data Privacy Law

Even If You Are a U.S. Company, Don t Ignore the GDPR: Complying with the EU s New Data Privacy Law Even If You Are a U.S. Company, Don t Ignore the GDPR: Complying with the EU s New Data Privacy Law On May 25, 2018, the European Union (EU)'s General Data Protection Regulation (GDPR) comes into force,

More information

Customer means any EEA entity that registers for or purchases products or services from SDL or SDL EEA Entities.

Customer means any EEA entity that registers for or purchases products or services from SDL or SDL EEA Entities. SDL Inc. : EU-US Privacy Shield Notice Policy version: 1.01 Effective Date: 26 September 2016 The SDL Group of companies is an international commercial organization which due to the nature of modern business

More information

DATA PROCESSING ADDENDUM (v1.0)

DATA PROCESSING ADDENDUM (v1.0) DATA PROCESSING ADDENDUM (v1.0) Progressive Voice Services Limited trading as Meetupcall of Premier House, Carolina Court, Doncaster, DN45RA ( Meetupcall ) and having its place of business at, ( Customer

More information

GDPR CCPA LGPD. Protected information

GDPR CCPA LGPD. Protected information Stricter data protection laws are on the rise. While only a couple of years ago, data protection legislations and requirements were frequently marginalized and the position of the data protection officer

More information

Southern Golden Retriever Rescue Data Protection Policy

Southern Golden Retriever Rescue Data Protection Policy Southern Golden Retriever Rescue Data Protection Policy Date: 16.05.18 V3 Next Policy Review Date by Trustees: May 2019 Contents 1. Introduction... 2 2. Policy... 2 3. Responsibilities... 2 4. Definitions...

More information

DATA PROCESSING ADDENDUM

DATA PROCESSING ADDENDUM DATA PROCESSING ADDENDUM (European Union GDPR) (May 2018) This Data Processing Addendum ( DPA ) forms part of the Pancake Laboratories Inc, DBA ShortStack.com ( ShortStack) Terms and Conditions (https://www.shortstack.com/terms-andconditions/),

More information

New Data Regulation, Brexit and the Pensions Industry.

New Data Regulation, Brexit and the Pensions Industry. December 2016 New Data Regulation, Brexit and the Pensions Industry. Thanks to high profile news coverage of data breaches and increasingly sophisticated cyber-crime, the public s awareness of privacy

More information

DATA PRIVACY & FAIR PROCESSING NOTICE

DATA PRIVACY & FAIR PROCESSING NOTICE Scope All data subjects whose data is processed by TC Debt Solutions, which is part of Thomson Cooper Accountants. Responsibilities Thomson Cooper Partner Mark Mitchell (mmitchell@thomsoncooper.com) is

More information

The Risk Manager. Additional Resources. The Latest News on Managing Your Risk. May 2016 INCREASED LIABILITY IN THE FACE OF UNCERTAIN DATA REGULATIONS

The Risk Manager. Additional Resources. The Latest News on Managing Your Risk. May 2016 INCREASED LIABILITY IN THE FACE OF UNCERTAIN DATA REGULATIONS The Risk Manager The Latest News on Managing Your Risk May 2016 INCREASED LIABILITY IN THE FACE OF UNCERTAIN DATA REGULATIONS By Beata Aldridge The new Privacy Shield and other proposed changes to European

More information

CHARITY & NFP LAW BULLETIN NO. 419

CHARITY & NFP LAW BULLETIN NO. 419 CHARITY & NFP LAW BULLETIN NO. 419 APRIL 25, 2018 EDITOR: TERRANCE S. CARTER IMPLICATIONS OF THE EU S GENERAL DATA PROTECTION REGULATION IN CANADA By Esther Shainblum & Sepal Bonni * A. INTRODUCTION The

More information

Privacy vs Data Protection: The Impact of EU Data Protection Legislation

Privacy vs Data Protection: The Impact of EU Data Protection Legislation Privacy vs Data Protection: The Impact of EU Data Protection Legislation Thomas Rivera / Hitachi Data Systems Original Author: SNIA Security TWG SNIA Legal Notice The material contained in this tutorial

More information

Rigor, Inc. GDPR Data Processing Addendum

Rigor, Inc. GDPR Data Processing Addendum Rigor, Inc. GDPR Data Processing Addendum This GDPR Data Processing Addendum, including the Standard Contractual Clauses referenced herein ( DPA ), supplements any existing and currently valid Rigor license

More information

Alert Franchise & Distribution/ Cybersecurity, Privacy & Crisis Management

Alert Franchise & Distribution/ Cybersecurity, Privacy & Crisis Management Alert Franchise & Distribution/ Cybersecurity, Privacy & Crisis Management EU General Data Protection Regulation: What Impact for Franchise Businesses? November 2017 One of the most important assets that

More information

Data Privacy Notice of Sumitomo Mitsui Banking Corporation, Brussels Branch ( SMBC )

Data Privacy Notice of Sumitomo Mitsui Banking Corporation, Brussels Branch ( SMBC ) Data Privacy Notice of Sumitomo Mitsui Banking Corporation, Brussels Branch ( SMBC ) 1 ABOUT THIS NOTICE 1.1 Company issuing this Notice Sumitomo Mitsui Banking Corporation Brussels Branch, Neo Building,

More information

Vanguard Group (Ireland) Limited Vanguard Funds plc Vanguard Investment Series plc Privacy policy. May 2018

Vanguard Group (Ireland) Limited Vanguard Funds plc Vanguard Investment Series plc Privacy policy. May 2018 Vanguard Group (Ireland) Limited Vanguard Funds plc Vanguard Investment Series plc Privacy policy May 2018 Vanguard Group (Ireland) Limited (the Manager ), Vanguard Funds plc ( VF ), and Vanguard Investment

More information

ROSETTA STONE LTD. PROCESSING ADDENDUM

ROSETTA STONE LTD. PROCESSING ADDENDUM ROSETTA STONE LTD. PROCESSING ADDENDUM This Data Processing Addendum (this DPA ) forms part of the order document(s) (each a Service Order ) and Services Agreement (collectively, the Agreement ), entered

More information

Newsletter NEW DATA PROTECTION REGIMES IN THE EU AND JAPAN: Similarities and Differences. Atsumi & Sakai

Newsletter NEW DATA PROTECTION REGIMES IN THE EU AND JAPAN: Similarities and Differences. Atsumi & Sakai Newsletter Atsumi & Sakai NEW DATA PROTECTION REGIMES IN THE EU AND JAPAN: Similarities and Differences ATSUMI & SAKAI TOKYO LONDON FRANKFURT www.aplaw.jp/en NEW DATA PROTECTION REGIMES IN THE EU AND JAPAN:

More information

DATA PROCESSING AGREEMENT

DATA PROCESSING AGREEMENT DATA PROCESSING AGREEMENT This Data Processing Agreement ( DPA or Agreement ), entered into by the CPI customer identified on the applicable CPI services agreement for CPI services ( Customer ) and the

More information

Creating a Big Data Strategy: Managing Risk and Enabling Innovation

Creating a Big Data Strategy: Managing Risk and Enabling Innovation Creating a Big Data Strategy: Managing Risk and Enabling Innovation Meghan Farmer and Brooke McGuffey 2016 Kilpatrick Townsend What is Big Data? Traditional definition: high-volume, high-velocity and/

More information

DATA PROTECTION NOTICE

DATA PROTECTION NOTICE DATA PROTECTION NOTICE Who are we? We are the Trustees of the Pension Scheme for the Nursing and Midwifery Council and Associated Employers (the Scheme). We collect, hold and use personal information to

More information

FUNDS MANAGED BY GOLDMAN SACHS ASSET MANAGEMENT - FAIR PROCESSING NOTICE EFFECTIVE DATE: 25 MAY 2018

FUNDS MANAGED BY GOLDMAN SACHS ASSET MANAGEMENT - FAIR PROCESSING NOTICE EFFECTIVE DATE: 25 MAY 2018 FUNDS MANAGED BY GOLDMAN SACHS ASSET MANAGEMENT - FAIR PROCESSING NOTICE EFFECTIVE DATE: 25 MAY 2018 PURPOSE AND APPLICATION OF THIS NOTICE Goldman Sachs Group, Inc. and its subsidiaries (each a Goldman

More information

FINANCIAL SERVICES OPPORTUNITIES INVESTMENT FUND LIMITED Company Registration Number: PRIVACY NOTICE

FINANCIAL SERVICES OPPORTUNITIES INVESTMENT FUND LIMITED Company Registration Number: PRIVACY NOTICE FINANCIAL SERVICES OPPORTUNITIES INVESTMENT FUND LIMITED Company Registration Number: 62421 PRIVACY NOTICE This Privacy Notice sets out how your personal data is collected, processed and disclosed in connection

More information

We are the Sanne Group, a listed multinational provider of alternative asset and administration services.

We are the Sanne Group, a listed multinational provider of alternative asset and administration services. PRIVACY NOTICE Introduction - Who Are We? We are the Sanne Group, a listed multinational provider of alternative asset and administration services. In this policy, "Sanne", "we", "our" or "us" may refer

More information

Impact of the European General Data Protection Regulation on U.S. M&A

Impact of the European General Data Protection Regulation on U.S. M&A CLIENT MEMORANDUM Impact of the European General Data Protection Regulation on U.S. M&A March 26, 2018 The winds of change will shortly sweep across the data privacy landscape in the European Union ( E.U.

More information

henriksen limited This document sets out how Henriksen processes data and your rights as the data subject.

henriksen limited This document sets out how Henriksen processes data and your rights as the data subject. henriksen limited Henriksen Limited Fair Processing and Privacy Notice Henriksen is committed to protecting the rights and privacy of data subjects and ensuring all data is processed in line with the requirements

More information

WHO IS RESPONSIBLE FOR LOOKING AFTER YOUR PERSONAL DATA?

WHO IS RESPONSIBLE FOR LOOKING AFTER YOUR PERSONAL DATA? OVERVIEW of this Policy and Commitments to Privacy within Dual At Dual ("we", "us", "our"), we regularly collect and use information which may identify individuals ("personal data"), including insured

More information

DATA PROCESSING AGREEMENT/ADDENDUM

DATA PROCESSING AGREEMENT/ADDENDUM DATA PROCESSING AGREEMENT/ADDENDUM This Data Processing Agreement ( DPA ) is made and entered into as of this day of, 2018 forms part of our Terms and Conditions (available at www.storemaven.com/terms-of-service)

More information

TEREX CORPORATION DATA PROTECTION POLICY

TEREX CORPORATION DATA PROTECTION POLICY TEREX CORPORATION DATA PROTECTION POLICY Terex Data Protection Policy Page 1 Index 1.0 Policy Statement, Purpose and Scope... 3 2.0 Requirements... 3 2.1 Data Protection Principles... 3 2.2 Communication

More information

Recent privacy legislation in the European Union has posed specific

Recent privacy legislation in the European Union has posed specific Recent Developments in EU Employee Data Privacy Law SEBASTIEN DUCAMP, CHERYL TAMA OBLANDER, AND HEATHER BENNO The authors explain how U.S. businesses with operations in Europe can reduce the risk of liability

More information

PRC Data Privacy Laws in a Nutshell

PRC Data Privacy Laws in a Nutshell PRC Data Privacy Laws in a Nutshell New developments in personal data protection regulations reflect a growing trend in China, in which maintaining the privacy of personal data and effecting reasonable

More information

INTERNATIONAL SOS. Data Protection Policy. Version 1.8

INTERNATIONAL SOS. Data Protection Policy. Version 1.8 INTERNATIONAL SOS Data Protection Policy Document Owner: LCIS Division Document Manager: Group General Counsel Effective: December 2008 2017 All copyright in these materials are reserved to AEA International

More information

Data Protection Post-Brexit

Data Protection Post-Brexit Brexit Law your business, the EU and the way ahead Data Protection Post-Brexit What to expect and how to prepare March 2019 Understanding the practical implications of Brexit for data protection compliance,

More information

The General Data Protection Regulation s Impact on M&A

The General Data Protection Regulation s Impact on M&A The General Data Protection Regulation s Impact on M&A PRACTICAL ADVICE ON HOW TO CONTINUE A SMOOTH M&A PROCESS Presented by Avi Gesser, Davis Polk partner, Litigation/Cybersecurity Pritesh P. Shah, Davis

More information

EMPLOYEE NOTICE OF DATA PRIVACY POLICIES AND PROCEDURES

EMPLOYEE NOTICE OF DATA PRIVACY POLICIES AND PROCEDURES EMPLOYEE NOTICE OF DATA PRIVACY POLICIES TABLE OF CONTENTS A. Ecolab s Commitment to Data Privacy... 2 B. Definitions... 2 C. Scope... 3 D. Application of Local Law... 3 E. Employee Data Collected... 3

More information

SILCHESTER INTERNATIONAL INVESTORS DATA PROTECTION POLICY

SILCHESTER INTERNATIONAL INVESTORS DATA PROTECTION POLICY SILCHESTER INTERNATIONAL INVESTORS DATA PROTECTION POLICY INTRODUCTION Silchester International Investors LLP, Silchester International Investors, Inc., Silchester Partners Limited and Silchester Capital

More information

Privacy Shield Notice

Privacy Shield Notice PRIVACY SHIELD NOTICE Fidelity National Information Services, Inc. ( FIS ) created this ( Notice ) to help you learn about how we handle Personal Data transferred to FIS in the United States from the European

More information

The Race to GDPR: A Study of Companies in the United States & Europe

The Race to GDPR: A Study of Companies in the United States & Europe The Race to GDPR: A Study of Companies in the United States & Europe Sponsored by McDermott Will & Emery LLP Independently conducted by Ponemon Institute LLC Publication Date: April 2018 2018 McDermott

More information

States of Guernsey EU General Data Protection Regulation (GDPR) - High-level impact assessment

States of Guernsey EU General Data Protection Regulation (GDPR) - High-level impact assessment CI Advisory EU General Data Protection Regulation (GDPR) - High-level impact assessment Basis for this report This document has been prepared only for the and solely for the purpose and on the terms agreed

More information

Building a Program to Manage the Vendor Management Lifecycle

Building a Program to Manage the Vendor Management Lifecycle Building a Program to Manage the Vendor Management Lifecycle Libbie Canter Amelia Hukoveh Daniel Nazar October 5, 2017 Overview 1. Introduction and Background 2. Three Pillars of Third-Party Risk Management

More information

DATA PROCESSING ANNEX

DATA PROCESSING ANNEX Page 1 (5) 1 BACKGROUND AND PURPOSE DATA PROCESSING ANNEX 1.1 The terms of this Annex shall apply to the Agreement between Solibri Oy and/or its Subsidiary/Subsidiaries (Solibri Oy and the Subsidiaries

More information

Data Processing Addendum

Data Processing Addendum Data Processing Addendum This Data Processing Addendum ( DPA ) forms part of the Agreement(s) and is entered by and between the Customer and the Service Provider on the Effective Date. For the avoidance

More information

Privacy Policy and Personal Data

Privacy Policy and Personal Data ERGO Insurance SE Lithuanian Branch Privacy Policy and Personal Data ERGO Insurance SE Lithuanian Branch and ERGO Life Insurance SE (hereinafter referred to as ERGO or we ) understand that personal data

More information

WHAT DECISIONS WILL YOU NEED TO TAKE? GETTING READY FOR THE GDPR PART FOUR LEGAL ISSUES AND TRUSTEE DECISIONS

WHAT DECISIONS WILL YOU NEED TO TAKE? GETTING READY FOR THE GDPR PART FOUR LEGAL ISSUES AND TRUSTEE DECISIONS WHAT DECISIONS WILL YOU NEED TO TAKE? GETTING READY FOR THE GDPR PART FOUR LEGAL ISSUES AND TRUSTEE DECISIONS LEGAL ISSUES AND TRUSTEE DECISIONS As data controllers, pension scheme trustees will need to

More information

H. KEMP & SON LTD. FUNERAL DIRECTORS (ESTABLISHED 1893) Privacy Policy

H. KEMP & SON LTD. FUNERAL DIRECTORS (ESTABLISHED 1893) Privacy Policy 1. Scope All data subjects whose personal data is collected, in line with the requirements of the General Data Protection Regulation. 2. Responsibilities 2.1 H Kemp and Son limited is responsible for ensuring

More information

Privacy Policy. This privacy policy shall be valid even if you have reserved your transfers through the other sales partners of Plus Group Kft.

Privacy Policy. This privacy policy shall be valid even if you have reserved your transfers through the other sales partners of Plus Group Kft. Privacy Policy Plus Group Kft. (1033 Budapest, Polgár utca 8-10., www.plusairsolutions.com, informationsecurity@plusairsolutions.com, tax number: 22976309-2-41, hereinafter: Plus Group Kft., service provider

More information

ON24 DATA PROCESSING ADDENDUM

ON24 DATA PROCESSING ADDENDUM ON24 DATA PROCESSING ADDENDUM This Data Processing Addendum ( Addendum ) is entered into by and between ON24 Inc., on behalf of itself and its Affiliates ( ON24 ), and Client, on behalf of itself and its

More information

EU GDPR DATA PROCESSING ADDENDUM INSTRUCTIONS FOR CLOUDFLARE CUSTOMERS

EU GDPR DATA PROCESSING ADDENDUM INSTRUCTIONS FOR CLOUDFLARE CUSTOMERS EU GDPR DATA PROCESSING ADDENDUM INSTRUCTIONS WHO SHOULD EXECUTE THIS DPA: FOR CLOUDFLARE CUSTOMERS If you have determined that you qualify as a data controller under the GDPR, and need a data processing

More information

GDPR update and its impact on accountancy practices

GDPR update and its impact on accountancy practices GDPR update and its impact on accountancy practices Richard Kemp, Kemp IT Law 29 March 2017 Presentation to The Alternative Accountancy Strategic IT Conference Elizabeth Denham speech to ICAEW, 17.01.17

More information

DATA PROCESSING ADDENDUM

DATA PROCESSING ADDENDUM DATA PROCESSING ADDENDUM This Data Processing Addendum ( DPA ) forms part of the End User License and Services Agreement (the Agreement ) between Customer and Ivanti, to reflect the parties agreement about

More information

Appropriate Policy Document

Appropriate Policy Document Appropriate Policy Document Schedule 1, Part 4, Data Protection Act 2018 July 2018 Privacy Notice - Appropriate Policy Document v2.docx Page 1 of 8 Contents 1 Introduction... 3 2 Relevant Schedule 1 conditions

More information

CUSTOMER DATA PROCESSING ADDENDUM

CUSTOMER DATA PROCESSING ADDENDUM CUSTOMER DATA PROCESSING ADDENDUM This Data Processing Addendum ( DPA ) and applicable Attachments apply when HP acts as a Data Processor and processes Customer Personal Data on behalf of Customer in order

More information

TIFFANY AND COMPANY: EU-U.S. PRIVACY SHIELD PRIVACY POLICY - CONSUMER DATA

TIFFANY AND COMPANY: EU-U.S. PRIVACY SHIELD PRIVACY POLICY - CONSUMER DATA Last Updated: September 20, 2016 Tiffany and Company ( Tiffany ) respects your concerns about privacy. Tiffany participates in the EU-U.S. Privacy Shield ( Privacy Shield ) framework issued by the U.S.

More information

European Union General Data Protection Regulation

European Union General Data Protection Regulation European Union General Data Protection Regulation Policy 25 May 2018 Bendigo and Adelaide Bank Limited ABN 11 068 049 178 General Data Protection Regulation (GDPR) Application This GDPR section of our

More information

HOW TO EXECUTE THIS DPA:

HOW TO EXECUTE THIS DPA: DATA PROCESSING ADDENDUM (GDPR, and EU Standard Contractual Clauses) (Rev. April 20, 2018) This Data Processing Addendum ( DPA ) forms part of the Master Subscription Agreement or other written or electronic

More information

Customer GDPR Data Processing Agreement

Customer GDPR Data Processing Agreement Customer GDPR Data Processing Agreement This Customer Data Processing Agreement reflects the requirements of the European Data Protection Regulation ( GDPR ) as it comes into effect on May 25, 2018. Bench

More information

The California Consumer Privacy Act: Overview and Comparison to the EU GDPR

The California Consumer Privacy Act: Overview and Comparison to the EU GDPR The California Consumer Privacy Act: Overview and Comparison to the EU GDPR Introduction During the months preceding the European Union s General Data Protection Regulation (GDPR) go-live, which occurred

More information

a publication of the health care compliance association SEPTEMBER 2018

a publication of the health care compliance association SEPTEMBER 2018 hcca-info.org Compliance TODAY a publication of the health care compliance association SEPTEMBER 2018 Strengthening the relationship between DOJ attorneys and compliance professionals an interview with

More information

Data Processing Addendum

Data Processing Addendum Data Processing Addendum This Data Processing Addendum (" DPA "), forms part of the Agreement or other written or electronic agreement between Pleo Technologies ApS (" Pleo ) and Customer for the purchase

More information

The Allied Group Privacy Shield Policy

The Allied Group Privacy Shield Policy The Allied Group Privacy Shield Policy The Allied Group, Inc. ("Allied") has adopted this Privacy Shield Policy ("Policy") to establish and maintain an adequate level of Personal Data privacy protection.

More information

LOCAL GOVERNMENT PENSION SCHEME (LGPS) GENERAL DATA PROTECTION REGULATION - THE IMPLICATIONS FOR THE LGPS

LOCAL GOVERNMENT PENSION SCHEME (LGPS) GENERAL DATA PROTECTION REGULATION - THE IMPLICATIONS FOR THE LGPS LOCAL GOVERNMENT PENSION SCHEME (LGPS) GENERAL DATA PROTECTION REGULATION - THE IMPLICATIONS FOR THE LGPS INTRODUCTION Thank you for providing us with a list of questions and background information in

More information

LAMP Services Limited Privacy Notice v1.2 4 th March Controller

LAMP Services Limited Privacy Notice v1.2 4 th March Controller 1. Controller LAMP Services Limited is the Controller under the EU General Data Protection Regulation (EU GDPR). LAMP Services Limited is incorporated in England, company registration number 04967967.

More information

The New EU General Data Protection Regulation (GDPR)

The New EU General Data Protection Regulation (GDPR) The New EU General Data Protection Regulation (GDPR) The clock has started on the biggest change to the European data protection regime in 20 years. After four years of negotiation, the new EU General

More information

DEAL BY SEA LTD PRIVACY NOTICE

DEAL BY SEA LTD PRIVACY NOTICE DEAL BY SEA LTD PRIVACY NOTICE 1. Scope All data subjects whose personal data is collected, in line with the requirements of the GDPR. 2. Responsibilities 2.1. The Data Protection Officer is responsible

More information

DATA PROCESSING ADDENDUM (INCLUDING EU STANDARD CONTRACTUAL CLAUSES)

DATA PROCESSING ADDENDUM (INCLUDING EU STANDARD CONTRACTUAL CLAUSES) DATA PROCESSING ADDENDUM (INCLUDING EU STANDARD CONTRACTUAL CLAUSES) This Data Processing Addendum ( DPA ) shall become effective without any further action by the parties: (a) if Customer signing this

More information

CPI PROPERTY GROUP. Group Data Protection Policy. 25 May Summary

CPI PROPERTY GROUP. Group Data Protection Policy. 25 May Summary CPI PROPERTY GROUP Group Data Protection Policy Summary This Group Data Protection Policy ( Data Protection Policy ) stipulates the rules for personal data protection in the CPI PROPERTY GROUP ( CPIPG

More information