What is the GDPR?
Even if an investment adviser or its private funds have no presence in the European Union (EU), it may still need to be concerned about EU data protection laws, in particular the new European General Data Protection Regulation (EU) 2016/679 (the “GDPR”). The GDPR came into force on May 25, 2018, and replaced the prior data protection law, the EU Directive 95/46/EC. The GDPR introduces significant changes from the prior EU Directive, including new jurisdictional scope that makes the GDPR apply not only to businesses established in the EU but also to any non-EU businesses that offer goods or services to individuals within the EU or that monitor individuals in the EU. This means that investment advisers and funds with investors in the EU may potentially be subject to the GDPR, which is significant because of the other changes brought about by the GDPR, including a maximum fine for non-compliance of the higher of 4 percent of an enterprise’s worldwide turnover or €20 million per infringement, a 72-hour data breach notification requirement and new data subject rights (including the “right to be forgotten”). (For more information about these changes, please see our website page on the GDPR.)
Does the GDPR apply to you?
Due to its extraterritorial scope, the GDPR can affect non-EU-based investment advisers and their private funds in a number of ways. If such adviser or fund has an establishment in the EU (e.g., has subsidiaries in the EU or other offices or employees in the EU), then that establishment, and the personal data that it collects, is subject to the GDPR. As a result, any personal data that such establishment transfers to the non-EU-based entity will be subject to the GDPR, and the non-EU-based entity will need to treat such personal data in accordance with the GDPR.
Even if a non-EU-based investment adviser or private fund has no establishment in the EU, it can still be subject to the GDPR if it offers goods or services to individuals in the EU or monitors the behavior of individuals in the EU. An investment adviser or fund may be considered to be offering goods or services to individuals in the EU if its offering of fund interests or investment advisory services somehow targets EU investors or clients. There are a number of factors that are taken into consideration to determine if a company is targeting the EU. Among the factors most relevant for an investment adviser or fund are whether its marketing materials are intended for EU-located investors or clients (e.g., with specific materials or offering legends geared towards Dutch investors, German investors, investors generally located in the European Economic Area (EEA), etc.) and if it conducts a road show in Europe specifically to attract EU-located investors or clients. More nuanced factors can also play a part, though, including whether the adviser or fund provides information to investors or clients in languages used in EU jurisdictions (e.g., French, German, etc.), uses websites that have domain names that are registered in EU jurisdictions (e.g., “.co.uk”) and enables investors to see the performance of their investments denominated in European currencies.
A non-EU-based investment adviser or private fund can also be subject to the GDPR if it monitors the behavior of individuals in the EU. This scenario is less likely to apply, but it still might trigger the GDPR’s application in the context of the private investment fund industry. For example, an investment adviser or fund may be considered to be monitoring EU individuals if it invests in consumer debt and sets up a profile to predict an underlying individual borrower’s behavior, uses tracking technologies on its website or uses personal data in connection with its algorithmic trading strategies.
It is also possible for a non-EU-based investment adviser or private fund to fall within a gray area with respect to the applicability of the GDPR. Generally, under the GDPR, a non-EU-based investment adviser or fund will only be considered to be offering goods or services to the EU if it offers goods or services to investors that are individuals in the EU. However, what is considered to be an “individual” for GDPR purposes may be broader than simply a natural person. For example, some investors that are partnerships and some entities that represent individual interests may also fall within scope here. Another example of a gray area of applicability is if a non-EU-based investment adviser or fund targets only non-EU-based investors but receives indications of interest from individual investors that it knows are located in the EU and sends them marketing or subscription materials to actively induce them to purchase fund interests or advisory services. In that case, too, it is possible that the adviser or fund may be seen as offering goods or services to individuals in the EU. If an investment adviser or fund falls within a gray area as to the applicability of the GDPR, it is safer for the adviser or fund to err on the side of assuming that it is subject to the GDPR with respect to the collected EU personal data, rather than being at risk of incurring the GDPR’s large fines. However, if the entity does not fit the prongs identified above, then simply having EU personal data in its possession does not subject the entity to the GDPR.
How does an investment adviser or private fund obtain EU personal data?
If an investment adviser or fund determines that it is subject to the GDPR based on the above, then it will need to treat all EU personal data that it processes in accordance with the GDPR. It is worth noting that even if an investment adviser or fund deals only with corporate entities, it may still collect personal data from the EU. The GDPR defines personal data much more broadly than US laws do. Rather than limiting personal data to sensitive personal data, such as social security numbers, the GDPR defines personal data as “any information relating to an identified or identifiable natural person” and defines an identifiable natural person as “one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.” This means that even business contact information and other non-sensitive personal data, such as individuals’ names, mailing addresses and background information, are considered to be personal data under the GDPR.
As a result, EU personal data may be collected in connection with the establishment and day-to-day operation of private investment funds and accounts (for example, if the investment adviser or fund sends a subscription booklet or other questionnaire to potential investors or clients in the EU to complete or if it otherwise communicates with actual or potential investors or clients located in the EU). That is the case even where the adviser or fund only deals with institutional investors or clients because such entities may provide personal data regarding their officers, directors, employees or beneficial owners. In fact, such personal data will likely be provided for anti-money-laundering, “know-your-customer” and/or investor communication purposes.
In addition, an investment adviser or fund may be collecting EU personal data in connection with its due diligence, acquisition or monitoring of portfolio investments. For example, a buy-out fund may collect personal data regarding its portfolio companies’ officers, directors or employees, and a debt fund may collect personal data regarding its investments’ underlying borrowers.
Finally, if an investment adviser or fund has an establishment in the EU, it may also be collecting personal data from its EU-based employees.
What do you need to do to comply with the GDPR?
If you are subject to the GDPR, consider taking steps such as these to comply with the GDPR:
- Map the flows of personal data. It is crucial to conduct a detailed investigation into the flows of personal data, particularly from the EU. For that purpose, you should review all relevant processes and systems that deal with the collection, processing and use of EU personal data. The outcome of this exercise should ideally be a comprehensive overview of all processing activities that you perform or that you have third parties perform on your behalf.
- Draft and maintain records of processing activities. Based on the information in the data flow map, you should draft detailed records of processing activities that specify, among other things, a description of the processing activity, the categories of data subjects and personal data concerned, the purposes of the processing activity and the parties with whom the personal data is being shared. These records must be kept in writing, and electronic form is sufficient. It is equally important to establish a process for ensuring that these records are kept up to date, as processes change over time.
- Review the grounds under which personal data is being processed. You should determine the legal basis under which EU personal data is being lawfully collected, processed and used and whether any changes need to be made to ensure compliance with the GDPR.
- Update data governance. Your policies, procedures and other governance controls should be updated to detail how you will practically comply with the new requirements under the GDPR. For example, you will want to update your website privacy notice to comply with the GDPR’s transparency requirements, as well as your fund offering and subscription documentation to include the GDPR’s required disclosures.
- Implement new compliance systems. You will need to put in place plans and mechanisms to ensure that you can respond to a data breach within the GDPR’s notification timeframes. You will also want to make sure that your systems meet the GDPR’s security requirements and are capable of responding to and fulfilling data subject access requests, including the rights to be forgotten, to data portability and to object to automated data profiling and other rights that individuals can exercise in relation to their personal data.
- Appoint a data protection officer. You will need to decide whether you are required under the GDPR or supplementary local legislation to appoint a data protection officer. The data protection officer will be responsible for monitoring compliance with the GDPR. This person should act as the head of the data protection governance structure, report directly to leadership and be tasked with putting controls in place to implement and monitor compliance and educating the wider workforce on the GDPR rules and their operational impact.
- Address the risks. You should conduct data protection impact assessments to identify and minimize the risks associated with your processing of EU personal data, particularly where the activities being carried out pose high risks to the rights and freedoms of the individuals concerned.
- Review supply chain contracts. The contracts with your service providers and other parties with which you share EU personal data should be reviewed and, where necessary, renegotiated to ensure that you are appropriately supervising the manner in which they process personal data and that those contracts meet the new GDPR contractual requirements for processors.
- Assess international data transfers. You should assess the manner in which you currently carry out any international transfers of EU personal data, in particular to third countries outside the EU/EEA, and whether any mechanisms for carrying out these transfers within your organization or to third parties need to be updated to comply with the GDPR requirements.
Visit us at mayerbrown.com.