GDPR: How New EU Data Protection Rules Will Impact US Fund Managers

In 2016, the European Union adopted a revised and reinforced data protection framework, called the General Data Protection Regulation.

Looking at the regulation’s material scope, it will apply from 25 May 2018 to all types of businesses, including the financial services and investment funds sector. The protection of the GDPR will cover natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. Both the processing of personal data wholly or partly by automated means and the processing other than by automated means are in the scope. Personal data processed by investment funds and their managers typically include data of their employees, data obtained from fund investors and counterparties, data collected regarding portfolio investments and data of third party service providers or other third parties. The regulation provides that personal data shall be:

• processed lawfully, fairly and in a transparent manner in relation to the data subject;
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• accurate and, where necessary, kept up to date;
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Typically, the funds and their managers – either one of them or jointly – are considered as data controllers, i.e. as those who set the purposes and means. Data processors in fund structures can also be, for example, transfer agents, paying agents, corporate secretariat services or providers of tax reporting services. In order to avoid gaps or misunderstandings, it is crucial that the fund and manager on the one hand and the service providers on the other hand share and discuss their analyses.

The data controller will be responsible for compliance with the above-mentioned principles, and he must be able to demonstrate compliance. To this end, the fund or its managers (but also the data processors) should keep records of all processing activities.

But how do these rules impact non-EU fund managers for instance in the US?

The territorial scope of European data protection was broadened by the GDPR. If both the data controller and data processor are established in the EU, the new rules will apply. This will also be the case if the data subject (be it an EU or non-EU citizen) is residing in the EU whereas the controller and processor are not established in the Union, provided the processing activities are related to:

• the offering of goods or services, irrespective of whether a payment of the data subject is required, or:
• the monitoring of the data subjects’ behaviour as far as their behaviour takes place within the EU.

#Compliance/Legal
#DataAnalytics