What U.S.-Based Investment Advisers Should Know


BulletPoint, June 2018

The European Union's ("EU") General Data Protection Regulation (the "GDPR") became effective on May 25, 2018, and provides individuals in the EU with greater control over the collection, use, storage, transfer, deletion and other types of processing of their personal data. While investment advisers typically already comply with data protection requirements governing financial services in the U.S. and elsewhere, the recent implementation of the GDPR requires a careful review of the firm's operations, as well as possible changes and enhancements to remain compliant. Below is a summary of GDPR provisions that are relevant to U.S.-based investment advisers, regardless of whether they have a physical presence in the EU.[1]

A. What is the GDPR's Territorial Scope?

The GDPR's territorial scope is very broad. It applies to (i) investment advisers that are established in the EU, including U.S.-based investment advisers that have a physical presence in the EU and (ii) investment advisers outside of the EU if they are providing investment advisory services to a fund in which an individual in the EU is invested or have entered into an investment advisory relationship directly with an individual in the EU.[2]

Accordingly, the GDPR applies to U.S.-based investment advisers that have (i) EU individuals as clients, (ii) EU individuals as investors in the funds they manage, or (iii) employees in the EU. This is the case even if such investment advisers have no physical presence in the EU. The GDPR is also in effect in the United Kingdom, despite Brexit.

B. How is Personal Data Defined Under the GDPR?

The GDPR protects the rights of "data subjects," which are individuals (not entities) in the EU, with respect to their personal data. For investment advisers, data subjects are most likely to be investors in the funds the investment adviser manages, individual investment advisory clients, and employees in the EU. The GDPR defines "personal data" as any information relating to an identified or identifiable natural person. The GDPR provides that an identifiable natural person is one who can be identified by data such as:

- Name;
- Identification number;
- Location data;
- An online identifier; or
- Other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.

Personal data includes data regarding individuals in the EU that is collected by investment advisers from their clients and from investors in their funds, in "know your customer" documents, and in subscription documents (including the investor's name, national identification number, address, employment information, date of birth and financial and investment qualifications).

C. How Can Investment Advisers Obtain Legal Authority to Process Personal Data?

Investment advisers are permitted to process the personal data of individuals in the EU (including an investment adviser's employees in the EU) only if they have legal authority to do so. The GDPR provides that processing is lawful only in certain circumstances, such as:

- The individual has given affirmative opt-in consent to the processing of his or her personal data for one or more specific purposes, after sufficient information is provided to the individual (note that consent can be withdrawn at any time);
  o The disclosure the investment adviser provides should be in clear and plain language, and ideally include the topics described in Item #4 of Section H. below.
- Processing is necessary for the performance of a contract to which the individual is party, or to enable the investment adviser to take steps at the request of the individual prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the investment adviser is subject; or
- Processing is necessary for the purposes of the legitimate interests pursued by the investment adviser or by a third party, unless these legitimate interests are overridden by the interests or fundamental rights and freedoms of the individual.

When an individual in the EU becomes a new client of an investment adviser, the most prudent course of action for the investment adviser typically will be to obtain (and document) the affirmative consent of the client to the processing of his or her personal data for the specific purposes that the investment adviser discloses in writing. The disclosure and consent can be obtained via the subscription documents completed by prospective fund investors, and the managed account agreement with an advisory client.

With respect to existing clients who are individuals in the EU, investment advisers should consider obtaining affirmative consents or, in lieu of obtaining such consents, the adviser may seek to rely on another method of legal authority (such as the performance of a contract or legitimate interests). As noted above, obtaining and documenting consent is not the only way to obtain legal authority to process the personal data of individuals in the EU, but will typically be the most prudent way to do so, as it is easier to demonstrate that consent was obtained than to argue whether another legal basis such as legitimate interests exists.

D. What Other Rights Do Individuals in the EU Have Under the GDPR?

The GDPR guarantees other rights to individuals in the EU with respect to their personal data, including:

- The right to be notified regarding how the investment adviser will use their personal data (such notice must be clear and specific; it cannot be vague and replete with legalese);
- The right to access their personal data;
- The ability to instruct an entity to erase their personal data (a.k.a. the "right to be forgotten");
- The ability to instruct an investment adviser to correct inaccurate personal data;
- The ability to restrict an investment adviser's processing of personal data in certain circumstances;
- The ability to move their personal data from one organization to another in certain circumstances; and
- The right to be notified of data breaches in most situations.

E. Third Party Vendors

When an investment adviser uses the services of a third party (such as an administrator) to process the personal data of individuals in the EU, the GDPR requires that investment adviser to use only those third parties who have implemented appropriate technical and organizational measures to satisfy the requirements of the GDPR. An investment adviser, therefore, must conduct appropriate due diligence on the vendors that it selects to process personal data on its behalf.

The GDPR also requires that the processing of personal data by a third party be governed by a contract or other legal act under EU or national law. Among other things, that contract or other legal act must provide that the third party will:

- Process personal data only in accordance with documented instructions from the investment adviser;
- Commit to confidentiality;
- Implement appropriate technical and organizational measures to protect the security of the personal data it processes for the investment adviser;
- Not engage another entity to process the personal data without prior written authorization of the investment adviser;
- Assist the investment adviser in complying with its obligation to respond to individuals' requests to exercise their rights under the GDPR;
- Assist the investment adviser in complying with certain other obligations under the GDPR (such as data breach notification);
- Delete or return all the personal data to the investment adviser once the third party no longer is providing services, and delete existing copies of such data unless applicable law requires the storage of the personal data; and
- Allow for, and contribute to, audits by the investment adviser.

F. Data Protection Officer or Representative

Investment advisers should determine whether they need to hire or retain a Data Protection Officer ("DPO"). DPOs have specific enumerated rights and duties under the GDPR, including being the point of contact for EU regulators and EU individuals concerning the organization's compliance with the GDPR. The types of entities listed below are required to hire or otherwise retain a DPO. (It would likely not be typical for an investment adviser to need a DPO.)

- Entities whose core activities involve regular and systematic monitoring of data subjects on a large scale, or
- Entities that conduct large-scale processing of special categories of personal data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and the like.

Even where a DPO is not required, however, the GDPR requires organizations to designate in writing a representative to be in charge of ensuring compliance with the GDPR. Such representative would be the point of contact for EU regulators and EU individuals concerning the organization's compliance with the regulation. Furthermore, the text of the GDPR provides that the representative must be established in an EU country in which one or more individuals whose personal data the adviser processes reside. The data representative can be an employee, or the adviser may hire a company in the EU to act as the representative.

G. How Can Personal Data Legally Be Transferred Out of the EU?

An investment adviser must have a valid legal basis to transfer personal data from the EU to a country outside the EU. Currently, three methods are available to legally transfer personal data from the EU to the United States:

- The EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework: Self-certification under either framework is voluntary. However, once an investment adviser commits to comply with either framework, that commitment becomes enforceable under U.S. law.
- Binding Corporate Rules: Binding corporate rules are internal rules that would be established by the investment adviser to address data transfers out of the EU. Such rules enable multinational investment advisers to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of data protection. The GDPR provides a lengthy list of subjects that an investment adviser's binding corporate rules must address, and an investment adviser's draft binding corporate rules must be approved by data privacy regulators in the EU countries in which it operates.
- Model Contractual Clauses: These are specific standard clauses to be included within contracts (or as stand-alone contracts) between entities or individuals in the EU and entities outside the EU.[3] If parties modify the language in those model clauses, however, there is a risk that regulators will determine that the modified language is insufficient to grant legal protection to the transfers.

H. What Steps Should Investment Advisers Consider Taking to Prepare for GDPR's Implementation?

Investment advisers should consider taking the following steps to prepare for GDPR's implementation:

1. Determine whether you are subject to the GDPR. As noted above, investment advisers who either have a physical presence in the EU, have employees in the EU or have investors or clients in the EU (even without a physical presence in the EU) will most likely be subject to the GDPR.

2. Determine what personal data you currently process, and determine what personal data must be processed for your legitimate business purposes. Investment advisers should not process more personal data than is necessary to operate their normal business activities.

3. Determine where personal data is stored, and who has access to such data. Only personnel within the firm who need to access the personal data should be able to do so.

4. Review subscription agreements, prospectus disclosures, data protection policies, investor onboarding documentation and other documents to address compliance with the GDPR. Disclosures regarding personal data should be in clear and plain language, and ideally would cover at least the following topics:
  - The types of personal data being collected;
  - The manner in which personal data may be collected, used, stored, transferred, erased or otherwise processed;
  - Disclosure of the third parties to whom the investment adviser might transfer or otherwise disclose personal data;
  - The length of time personal data will be retained (or alternatively, the criteria used to determine how long personal data will be retained);
  - Description of individuals' data protection rights under the GDPR; and
  - How individuals can withdraw their consent to the processing of their personal data.

5. Determine whether you need to obtain consent from individuals in the EU to process their personal data, and maintain a record of all consents obtained. Such consent can be obtained from new investors in a fund in the subscription documents completed by such investors, and from new clients as part of their managed account agreement with the investment adviser. With respect to existing clients and investors, any necessary consents can be obtained via a new communication (operating as a standalone consent or an amendment to a current agreement). The request for consent must be clearly distinguishable from the other matters addressed in those agreements. Moreover, consent can be withdrawn at any time.

6. If you have any employees in the EU, review relevant employment agreements and employee handbooks.

7. Determine whether you have the organizational and technological means in place to handle requests from individuals in the EU regarding their personal data in a timely manner (typically within one month).

8. Update your data breach incident response plan as necessary. The GDPR provides that, where feasible, the applicable data protection authority should be notified within 72 hours after you have become aware of a data breach (unless an exception applies). Moreover, in many cases you must also notify affected individuals without undue delay.

9. Determine whether you transfer personal data to any third parties for processing (e.g., to service providers such as administrators, paying agents and distributors). Conduct appropriate diligence on each third party's privacy and security measures, and put contracts in place with each of those third parties that meet the GDPR's requirements.

10. Ensure that your employees are aware of the GDPR's requirements that relate to their normal duties, and train employees as necessary.

11. If you transfer personal data from the EU to countries outside the EU, establish a mechanism to do so legally (see Section G. above).

12. Hire or engage a DPO (if required) or a representative to handle compliance with the GDPR.

13. Review existing insurance coverage to determine whether it is sufficient in light of the GDPR.

I. What Are the Potential Penalties for Non-Compliance With the GDPR?

Regulators can assess steep penalties for noncompliance with the GDPR. Lower tier violations may result in penalties of the greater of €10 million or 2% of the entity's global gross revenue for the preceding financial year. Upper tier violations may result in penalties of the greater of €20 million or 4% of the entity's global gross revenue for the preceding financial year.

For more information on the topic discussed, contact Michael Riela at riela@thsh.com or (212) 508-6773 or Beth Smigel at smigel@thsh.com or (212) 702-3176, or your usual contact at Tannenbaum Helpern.

Footnotes

[1] Our November 2017 BulletPoint memo titled "General Data Protection Regulation Affects Investment Advisers with EU Clientele" provides a general overview of how the GDPR affects U.S.-based investment advisers who have clients in the EU.

[2] The applicability of the GDPR does not depend on an individual's citizenship or residency. For example, the GDPR applies to the personal data of U.S. citizens who are physically present in the EU.

[3] Courts in the EU may later determine that the model contractual clauses will no longer be a valid method to transfer personal data outside the EU.

About Tannenbaum Helpern's Cybersecurity and Data Privacy Practice

Tannenbaum Helpern's Cybersecurity and Data Privacy practice regularly advises investment advisers and other types of clients in managing and responding to the ever-evolving data privacy and cybersecurity landscape. We provide the following types of services:

1. Prevention: Helping clients develop proactive procedures and policies designed to mitigate their risk of data security breaches, and to help them be prepared to deal with security breaches efficiently when they inevitably do occur;

2. Compliance: Helping clients comply with applicable privacy and security laws and regulations, including the GDPR and the SEC's cybersecurity rules and guidance;

3. Risk Reduction: Negotiating contractual protections with vendors and contractors who have access to clients' and their customers' information, conducting employee training to recognize and avoid security threats, and directing clients in how to obtain appropriate cybersecurity insurance protection;

4. Response: Responding to data breach incidents when they occur, including implementing breach response and notification plans as required by applicable law, and liaising with law enforcement and other immediate responders such as insurance companies, forensic experts, technical consultants, and public relations professionals; and

5. Dispute Resolution: Defending clients in connection with any disputes and legal claims that arise from cyber breaches.

The effective management of cyber risk often requires input from insurance professionals, information technology experts, forensics experts, public relations experts and others. Our Cybersecurity and Data Privacy practice can connect you with qualified professionals in these fields.

BulletPoint is a newsletter of Tannenbaum Helpern Syracuse & Hirschtritt LLP's Financial Services, Private Funds and Capital Markets Department. It is an alert covering recent regulatory and tax developments impacting the financial services industry. To subscribe to the newsletter, send an email to marketing@thsh.com.

About Tannenbaum Helpern Syracuse & Hirschtritt LLP

Since 1978, Tannenbaum Helpern Syracuse & Hirschtritt LLP has combined a powerful mix of insight, creativity, industry knowledge, senior talent and transaction expertise to successfully guide clients through periods of challenge and opportunity. Our mission is to deliver the highest quality legal services in a practical and efficient manner, bringing to bear the judgment, common sense and expertise of well-trained, business-minded lawyers. Through our commitment to service and successful results, Tannenbaum Helpern continues to earn the loyalty of our clients and a reputation for excellence.

For more information, visit www.thsh.com. Follow us on LinkedIn and Twitter: @THSHLAW.