General Data Protection Regulation. Asked Questions

Transcription

1 General Data Protection Regulation ( GDPR ) Frequently Asked Questions

2 Contents This booklet includes: What is the GDPR? What information does the GDPR apply to? What relevance does the GDPR have in the Isle of Man, Mauritius and Jersey? Does the GDPR only apply to EU organisations? What is a data processor and a data controller? What s new with the GDPR and the new data protection laws in Jersey, Isle of Man and Mauritius? What are the data protection principles? Does Standard Bank always need consent to process my personal data? What are Standard Bank doing to prepare? Where do I find information on what you do with my personal data? 2

3 What is the GDPR? The General Data Protection Regulation is a new European law that replaces existing data protection legislation in the countries of the European Union ( EU ). It places greater obligations on how organisations handle personal data. It comes into full force and effect on 25 May What information does the GDPR apply to? The GDPR applies to personal data which means any information relating to an identified or identifiable natural (that is, human) person. An identifiable person is someone who can be directly or indirectly identified, in particular by reference to an identifier such as a name, identification number, location data, an online identifier (for example, ISP addresses, cookie identifiers, radio frequency IDs) or one or more factors specific to their physical, mental, physiological, genetic, economic, cultural or social identity. It applies to the personal data of persons in the EU wheresoever that personal data is processed. 3

4 What relevance does the GDPR have in the Isle of Man, Mauritius and Jersey? The Isle of Man and Jersey, which are not part of the EU, presently have EU Adequacy Rulings from a data protection perspective. This means that the EU recognises that the Isle of Man and Jersey have data protection legislation that provides effectively equivalent rights and safeguards to the protection of personal data as do their European neighbours. There are a dozen or so such territories/countries in the World with EU Adequacy Rulings. The Isle of Man s existing data protection legislation is the Data Protection Act It is due to be replaced in 2018 with a new Data Protection Act 2018 which is designed to usher in equivalent provisions to the GDPR for the Isle of Man. Jersey s existing data protection legislation is the Data Protection (Jersey) Law It is due to be replaced in 2018 with a new Data Protection (Jersey) Law 2018 and a new Data Protection Authority (Jersey) Law 2018 which are also designed to usher in equivalent provisions to the GDPR for Jersey. Mauritius (not part of the European Union) does not presently have an EU Adequacy Ruling but replaced its Data Protection Act 2004 with a new Data Protection Act 2017, and this is also designed to usher in various provisions from the GDPR for Mauritius. Isle of Man Jersey Mauritius 4

5 Does the GDPR only apply to EU organisations? The GDPR applies to processing of personal data carried out by organisations operating within the EU. GDPR also applies to organisations outside the EU that offer goods or services to individuals in the EU or monitor the activities of persons in the EU. The new laws in Jersey, Isle of Man and Mauritius will apply to processing of personal data carried out by organisations operating in those jurisdictions including Standard Bank Offshore Group companies that are located there. The GDPR and the new laws differentiate between those processing personal data as data controllers of that personal data and those processing personal data as data processors on behalf of another data controller. What is a data processor and a data controller? A data controller determines the purposes and means (why and how) of processing personal data. A data processor is responsible for processing personal data on behalf of a data controller. Because of our structure then in most cases Standard Bank Offshore Group companies will be both data controllers of personal data and data processors of personal data on behalf of other Standard Bank Group companies. 5

6 What s new with the GDPR and the new data protection laws in Jersey, Isle of Man and Mauritius? Amongst other things the new laws require compliance with certain data protection principles and primarily usher in: Increased and new rights for individuals in respect to their personal data including access rights, data portability, right to erase, right to object to processing, right to restrict processing, rights in relation to automated decision making and profiling. For further information on these please refer to our separate Your Data Your Rights booklet); Greater requirements around transparency (informing people what you do with their data) and accountability; Greater requirements around consent to processing (when this is required); Greater record keeping requirements in respect to processing activities; Mandatory breach reporting requirements within 72 hours, subject to very limited exceptions; The mandatory appointment of a Data Protection Officer and an EU Representative in certain circumstances; Greater fines and penalties that can be imposed by data protection supervisory authorities; and The concept of data protection by design and by default and the mandatory requirement for data protection impact assessments to be carried out in certain circumstances. 6

7 What are the data protection principles? The new laws, like the existing laws, remain principles based. The following are the broad principles that the new laws state must be adhered to: 7

8 Does Standard Bank always need consent to process my personal data? In short, no. Consent is one lawful basis for processing personal data, but there are five others, and additional ones in respect to the processing of sensitive/special category personal data (for example, health information). It is Standard Bank s responsibility to ensure it has identified and meets one or more lawful bases for processing personal data under the new laws. How are Standard Bank preparing? Standard Bank Offshore Group has a GDPR Project team which is helping the business deliver the changes required to ensure compliance with the GDPR and the new legislation applicable in the Isle of Man, Jersey and Mauritius. Where do I find information on what you do with my personal data? When a Standard Bank company handles your personal data we are obliged to provide you with certain information in respect to our handling of that data. 8 This information, in respect to Standard Bank companies which form part of the Standard Bank Offshore Group of companies which includes Standard Bank Isle of Man Limited, Standard Bank Jersey Limited, Standard Bank International Investments Limited, Standard Bank Offshore Trust Company Jersey Limited and Standard Bank Offshore Trust Company (Mauritius) Limited, is contained in our client privacy notice which can be found at com/pbbinternational/aboutus/footer/privacy-statement.

9 The information contained within that client privacy notice will help you to identify, amongst other things: Who the Standard Bank data controller(s) of your personal data is/are; Who the Data Protection Officer(s) is/are and how to contact them; Why we process your personal data and the lawful basis upon which we rely to process it; Who we share it with and if they are in countries considered higher risk from a data protection perspective; What measures we take to protect your personal data when we do share it; Information relating to how long we hold on to your personal data; and Information regarding your rights in respect to that personal data. Disclaimer Whilst every care has been taken in preparing this booklet, no member of the Standard Bank Group gives any representation, warranty or undertaking and accepts no responsibility or liability as to the accuracy, or completeness, of the information. The information contained does not purport to be complete and is subject to change. For the avoidance of doubt, our duties and responsibilities do not include legal, or other specialist or technical advice or services. You are to rely on your independent appraisal of and investigations into the information provided, and we advise you received specialist legal advice if you have any concerns regarding your data protection rights. 9

10 Standard Bank Jersey Limited, Standard Bank Offshore Trust Company Jersey Limited and Standard Bank International Investments Limited are regulated by the Jersey Financial Services Commission. They are registered in Jersey as Company numbers 12999, 9153 and respectively. Their business address is Standard Bank House, La Motte Street, St Helier, Jersey, JE2 4SZ. Standard Bank Isle of Man Limited is licensed by the Isle of Man Financial Services Authority. Standard Bank House, One Circular Road, Douglas, Isle of Man, IM1 1SB. Registered in the Isle of Man No. 4713C. Standard Bank Trust Company (Mauritius) Limited is regulated by the Financial Services Commission, Mauritius, to provide corporate and trust services and does not fall under the regulatory and supervisory purview of the Bank of Mauritius. Business registration number: C Level 10, Tower A, 1 Cyber City, Ebene, Mauritius. The above entities are wholly owned subsidiaries of Standard Bank Offshore Group Limited whose registered office is Standard Bank House, La Motte Street, St. Helier, Jersey, JE2 4SZ. GMS /18