By Brice Hellinckx, Counsel at Brucher Thieltgen & Partners Avocat à la Cour
Brice Hellinckx is specialized in banking and financial law and in the structuring of investment vehicles, as well as in shareholder litigation.
More than four years have passed since the adoption of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (the “GDPR”) and the initial uproar caused by it amongst players of the financial and banking industry.
A lot of ink has dried since then, yet the precise outlines and, most of all, the practical implications of the GDPR for the operation of investment funds and investment vehicles often remain (too) vaguely perceived. This short article aims at raising awareness of sometimes forgotten or ignored legal requirements as well as giving a quick overview of some hand-picked critical situations that may arise for financial entities in that context.
Determination of the processor of personal data
Investment vehicles (irrespective of their form) generally rely on the services of external providers (such as investment managers, administrative agents, depositaries etc.) to conduct their business. Of course, those service providers are then inclined to also get a hold of personal data belonging to potential investors of the investment vehicle, on top of data processed by the latter itself.
The GDPR states that if two entities are treating the same personal data for the same purposes (being, for example, the treatment of subscription or redemption orders, global fund administration, respect of AML provisions etc.), two distinct types of qualification of the relations are possible. The vehicle and the service provider can either be qualified as data controller and data processor respectively on the basis of a delegation (article 28 of the GDPR, scenario 1), or as joint controllers (article 26 of the GDPR, scenario 2).
The applicable regime and implied liabilities vary in consequence.
The main criterion for determining whether scenario 1 or 2 applies is the existence or non-existence of a subordination link between the two entities. If one entity can be considered as determining the purpose and the means of the treatment of data, while the other acts solely for the account of the former, then scenario 1 should be applicable.
Furthermore, even if some purposes of treatment of investor data are identical between the fund and the service provider, one should bear in mind that some purposes of treatment may not be similar or comparable. If such is the case, the service provider, even if considered as a data processor with respect to purposes shared with the investment vehicle as data controller, may simultaneously be considered a data controller with respect to purposes of data treatment that are personal to the provider. We can therefore only emphasize the relevance of establishing a detailed list of all purposes for treatment of data at both the level of the investment vehicle and its service provider. In any case, the relationship between the data controller and the data processor (or between two joint data controllers) needs to be governed by a written contract.
Recording of processing activities
Article 30 of the GDPR obliges data controllers to maintain a record of processing activities under their responsibility. Though an exemption may, in principle, be granted to entities employing fewer than 250 employees, such exemption is likely not applicable to most investment vehicles, as they are bound to process data (inter alia through the collection of copies of passports of investors) which may be considered as sensitive under the GDPR. Actors of the fund industry should be aware that identification requirements of investors pertaining to the Registry of the Beneficial Owners (“RBE”) generally trigger the collection of sensitive personal data and the applicability of associated GDPR rules.
In such case, the exemption may not be practicable. As a prudent approach, keeping the above-mentioned record should therefore be preferred. Service providers that intervene as data processors on the basis of a delegation are also bound by the obligation to keep such a record when processing data on behalf of the investment vehicle. A template is available on the website of the CNPD.
Adequate medium of information for investors
As we know, the GDPR (article 13) provides for extensive information requirements that are borne by the data controller. The relevant information must be concise and easily accessible, yet complete. Electronic means such as websites that allow for visualization are encouraged. The European Data Protection Board has underlined in its Guidelines 3/2019 that even a layered approach may be followed, meaning that not all information systematically needs to be provided in one single document, if such a “one-shot” approach is not practicable.
Nevertheless, given the requirement to dispatch such information entirely before any data is collected or treated, the offering document (prospectus, offering memorandum, LPA…) appears to be the sole relevant instrument to provide the information. Application or subscription forms are usually too succinct to be convenient, and information provided on the Internet would not make it possible to ensure that an investor has received the information prior to its data being collected. Investment entities should be aware of the important volume of information that needs to be provided in the prospectus and should seek further advice from their legal counsel regarding the most suitable way to include all needed information.
A dedicated section on an Internet site, also containing the data protection policy of the entity, should also be favoured, as amendments to the policy may be required on short notice, which cannot be quickly reflected in a rigid document such as a prospectus.
Of course, the topic of data protection bears multiple additional challenges for the investment fund industry. The importance of a continuous awareness of the relevant actors can therefore only be emphasized, without losing sight of the fact that a well-conceived data collection tool can also enhance and optimize information flows within the entity.