AML and Data Protection: a difficult marriage? 26 September 2017

Outline
1. Data protection: current regime
2. GDPR: overview and key novelties
3. GDPR and AML
   - Attempt at peaceful coexistence
   - Potential frictions and conflicting areas
4. In practice: points of attention regarding implementation

1. Data protection: current regime

Core principles
1) Legitimacy
2) Purpose limitation
3) Proportionality
4) Transparency

Rule of thumb: what is the reasonable privacy expectation of the data subject?

1. Data protection: current regime

Core concepts
- Data subject: the natural person whose data is being processed
- Personal data: information relating to an identified or identifiable natural person
- Processing: collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction
- Data controller: determines the purposes and means of the processing
- Data processor: processes personal data on behalf of the controller

1. Data protection: current regime

Role-based approach: data subject, data controller, data processor

2. GDPR: overview

What is it about?
General Data Protection Regulation 2016/679: Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC

Why a new Regulation?
  o Need to adapt to the digital age
  o Direct applicability and uniformity
  o Penalties not effective enough
  o Need to enhance harmonisation

2. GDPR: overview

By when?
  o Regulation adopted 27 April 2016
  o Entry into force 24 May 2016
  o Two-year transition period: applicable from 25 May 2018

[Timeline: 27 April 2016 (adopted) -> 24 May 2016 (entry into force) -> 25 May 2018 (applicable)]

2. GDPR: key novelties

1) New privacy rights for the data subject:
- Transparency (art. 12-13)
- Right to erasure / right to be forgotten (art. 17) -> Google Spain case
- Right to data portability (art. 20): right to receive the personal data which they have provided to a controller in a structured, commonly used and machine-readable format, and to transmit them to another data controller
  - applies if the processing is based on (i) consent or (ii) a contract
  - supports user choice, user control and consumer empowerment
  - facilitates switching between service providers
  - recent guidance of the Article 29 Working Party

2. GDPR: key novelties

2) Enhanced responsibilities for the data controller (DC) and data processor (DP):
- Accountability principle (art. 5.2)
- Data protection by design and by default (art. 25), e.g. data minimisation, pseudonymisation
- More responsibilities for the processor (art. 28):
  - implementation of security measures: DC/DP
  - record of processing activities: DC/DP
  - notification of any data breach to the DC

2. GDPR: key novelties

3) Additional operational obligations:
- Records of processing activities (art. 30): DC/DP
- Data Protection Impact Assessment (art. 35):
  o High-risk processing: processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, that is likely to result in a high risk to the rights and freedoms of natural persons
  o The supervisory authority shall establish and make public a list of the kinds of processing operations which are subject to the PIA requirement
  o High risk -> prior consultation of the supervisory authority

2. GDPR: key novelties

Appointment of a Data Protection Officer (DPO) (art. 37-39)
- Compulsory where:
  a. the processing is carried out by a public authority or body
  b. the processing operations require regular and systematic monitoring of data subjects on a large scale
  c. the processing involves special categories of sensitive data on a large scale
- Voluntary otherwise
- Recent guidance from the Article 29 WP

Notification of personal data breaches (art. 33-34)

=> GDPR = very process-driven

2. GDPR: key novelties

Significant fines and enforcement:
- Up to 4% of total worldwide annual turnover
- New powers for national DPAs
- Cooperation and consistency mechanisms between DPAs
- New European Data Protection Board
- Need for additional guidance by national DPAs

3. GDPR & AML: attempt at peaceful coexistence

Directive AML 4, Recital (42): "Directive 95/46/EC of the European Parliament and of the Council, as transposed into national law, applies to the processing of personal data for the purposes of this Directive [...]"

Belgian AML Act of 6 July 2017 implementing AML 4 ("Belgian AML Act"), Article 64: "The processing of personal data under this Act is subject to the provisions of the Act of 8 December 1992 on the protection of privacy with regard to the processing of personal data, as well as to those of the directly applicable European regulations."

3. GDPR & AML: attempt at peaceful coexistence

Proposal for Directive AML 5

Explanatory memorandum:
- "[...] balancing the need to increase security with the need to protect fundamental rights, including data protection [...]"
- Consistency with other Union policies: "the proposed amendments to the 4 AMLD are in line with [...] the GDPR"

Preamble, recital (40): "This Directive respects the fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union, in particular the rights to respect for private and family life (Article 7 of the Charter), the right to the protection of personal data (Article 8 of the Charter) [...]"

3. GDPR & AML: potential frictions and conflicting areas

1) Purpose limitation
Personal data may only be "collected for specified, explicit and legitimate purposes and not further processed in a manner which is incompatible with those purposes" (art. 5.1(b) GDPR)

Art. 64 § 2 Belgian AML Act: "Personal data shall be processed under this Act, by obliged entities, only for the purposes of preventing ML/TF and shall not be further processed in a manner incompatible with those purposes. The processing of personal data collected on the basis of this Act for any purpose other than that provided for by this Act, in particular for commercial purposes, is prohibited."

BUT AML 5: new policy purposes, such as the fight against tax evasion
- Various controllers: authorities in charge of anti-money-laundering and tax-evasion investigations, authorities investigating terrorism, FIUs, the press and the public at large
- Uncertainty as to the purpose(s) pursued

3. GDPR & AML: potential frictions and conflicting areas

2) Proportionality
- Digital Rights Ireland case: fight against terrorism = public interest, BUT the measure must be proportionate
- Data retention: data cannot be "kept for longer than is necessary for the purposes for which the personal data are processed" (art. 5.1(e) GDPR) // EU: 10 years (art. 60 Belgian AML Act)
- Access right to the UBO register: legitimate interest? Necessity to implement differentiated access

3. GDPR & AML: potential frictions and conflicting areas

3) Data subjects' rights
- Information obligation / transparency obligation: art. 13 GDPR; art. 64 § 3 Belgian AML Act: "obliged entities shall communicate to their customers the information [...]"
- Access right (art. 15 GDPR), right to rectification (art. 16 GDPR), right to erasure (art. 17 GDPR), right to data portability (art. 20 GDPR), right to object (art. 21 GDPR), communication of a personal data breach to the data subject (art. 34 GDPR) vs. art. 65 Belgian AML Act
- Art. 23 GDPR: are the conditions met?

3. GDPR & AML: potential frictions and conflicting areas

4) High-risk processing
"Processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, [that] is likely to result in a high risk to the rights and freedoms of natural persons"

Stricter obligations under the GDPR:
- Appropriate technical and organisational security measures
- Notification of data breaches
- Data Protection Impact Assessment and prior consultation
- Data Protection Officer

Opinion 24/2017 of the Belgian Privacy Commission (Commission vie privée): obligation for obliged entities to carry out a data protection impact assessment of their risk-based approach

3. GDPR & AML: potential frictions and conflicting areas

5) International (intra-group) data transfers
Article 13 § 1 Belgian AML Act: "Obliged entities which are part of a group shall implement group-wide ML/TF prevention policies and procedures, which include, in particular, data protection policies [...]"
- ECJ Schrems case, C-362, 6 October 2015
- Opinion No 12/2017 of the Commission for the Protection of Privacy (Commission pour la protection de la vie privée)

4. In practice: points of attention

Compliance
- Being compliant offers a competitive advantage
- Increasing enforcement
- Corporate reputation is at stake

Increased attention
- Privacy by design
- AML and GDPR compliance/legal teams need to work in close collaboration

Questions?

Contact details

Carol Evrard, Associate TMT/IP
T +32 2 533 57 42, M +32 470 90 81 02
carol.evrard@stibbe.com

Sarah De Dijn, Associate Corporate/Finance
T +32 2 533 53 28, M +32 470 90 60 93
sarah.dedijn@stibbe.com

Thank you

Stibbe.com