FIDLEG SOLUTION - News 5/2018

The impact of the EU General Data Protection Regulation (GDPR) on Swiss Asset Managers

INTRODUCTION

This issue of FIDLEG SOLUTION – News 5/2018 discusses the impact of the EU General Data Protection Regulation (GDPR) on Swiss Asset Managers.

YOU REALLY THINK THAT DATA PROTECTION ONLY RELATES TO FACEBOOK? – DREAM ON

It is undisputed that data protection has not played a prominent role in Switzerland so far. Public attention was mainly caught by the hearings of Mark Zuckerberg, the CEO of Facebook, before the US Congress. This does not mean, however, that things will stay that way; quite the contrary. The main reason is that the European Parliament adopted the General Data Protection Regulation (GDPR) on 14 April 2016. Its provisions become directly applicable from 25 May 2018, so only a few days remain. In addition, the Swiss Data Protection Act (DPA) is being completely revised in order to bring the Swiss rules at least partially in line with GDPR.

As GDPR has been enacted as a regulation, its provisions apply directly as of 25 May 2018, unlike directives such as MiFID II, UCITSD or AIFMD, which require national implementing laws. Nevertheless, the rules may still differ between EU member states, as several provisions of GDPR (so-called opening clauses) leave the member states a certain leeway to adopt their own rules.

WHY DOES GDPR AFFECT SWISS ASSET MANAGERS? BECAUSE OF ITS EXTRATERRITORIAL APPLICATION

A Swiss Asset Manager may assume that GDPR has no impact on it because it has no presence in the European Union. This conclusion is wrong. GDPR has a strong extraterritorial reach of the kind previously known mainly from US legislation. GDPR may therefore also apply to Swiss Asset Managers without any presence in the EU.

Art. 3 GDPR provides two alternative criteria, either of which triggers the applicability of GDPR: establishment in the EU and the target market.

Criterion of establishment (art. 3 para. 1 GDPR): GDPR applies whenever the entity which processes personal data, or which has personal data processed on its behalf, has an establishment in the EU. This holds true irrespective of whether the processed data relate to persons in the EU or outside the EU, and irrespective of where the processing itself takes place:

“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”

This corresponds more or less to the scope of application of the Swiss Data Protection Act (DPA). New, however, is the additional criterion of the target market (art. 3 para. 2 and 3 GDPR): GDPR also applies if the controller (i.e. the entity which determines the purposes and means of the processing of personal data) or the processor (i.e. the entity which processes personal data on behalf of the controller) is located outside the EU, for instance in Switzerland, provided that the data subject is in the EU and either goods or services (e.g. investment management services) are offered to that person or the person's behaviour is monitored:

“This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.”

It follows that a Swiss Asset Manager is subject to GDPR if, for example, it offers its services to natural persons in the EU or monitors these persons' behaviour (e.g. by way of website trackers, cookies etc.). Note that the offering of services need not be against payment; a free newsletter or market commentary directed at persons in the EU can suffice.

WHAT DOES “PROCESSING OF DATA” MEAN? THERE IS ALSO AN EXTENSIVE MATERIAL SCOPE OF APPLICATION

This extraterritorial approach is accompanied by a broad material scope of application, i.e. a broad understanding of what "processing of data" means. This, however, is not really new.

Art. 2 para. 1 GDPR reads: "This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system." All this applies only where the data relate to an identified or identifiable natural person; data relating solely to a legal entity are not personal data under GDPR.

Data are already "processed" within the meaning of GDPR if they are merely stored, let alone if they are systematically evaluated for targeted marketing.

PROCESSING OF DATA IS IN PRINCIPLE UNLAWFUL

Under GDPR, the processing of personal data, including something as mundane as storing contact details, is unlawful unless it rests on a legal basis. For a lawful processing, at least one of the following conditions needs to be satisfied (art. 6 GDPR):

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • The processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
  • The processing is necessary for compliance with a legal obligation to which the controller is subject.
  • The processing is necessary in order to protect the vital interests of the data subject or of another natural person.
  • The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
  • The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless overridden by the interests or fundamental rights of the data subject (balancing of interests).

For a Swiss Asset Manager, the relevant legal bases will usually be consent, the performance of contractual obligations and the balancing of interests. One of these three must be given for the processing to be lawful. This makes the processing of data of so-called "prospects" problematic, i.e. of persons with whom no investment management agreement has been concluded yet and from whom no consent has been obtained. Only where the prospect has approached the asset manager and asked for an offer can the processing be supported as a pre-contractual step taken at the data subject's request; for prospects approached on the asset manager's own initiative, the balancing of interests remains the only possible basis and must be documented.

SO WHAT NEEDS TO BE DONE?

Once GDPR applies, its impact on Swiss Asset Managers is very broad and cannot be discussed here in its entirety. The main consequences, however, are briefly outlined hereinafter.

The impact of GDPR can be summarized under the aspects of information / transparency and control over one's own personal data. Every person shall know whether and how his or her personal data are processed.

Therefore, every Swiss Asset Manager whose data processing is subject to GDPR needs internal procedures setting out how data subjects can exercise their rights and how requests are handled within the statutory deadline (in principle one month, art. 12 para. 3 GDPR). These rights include, among others:

  • Right to information (art. 13 / 14 GDPR): At the time personal data are collected, the data subject must be informed that data are being collected. This applies even if the data are obtained from a third party rather than from the data subject. The data subject shall know that, by whom and for what purpose his or her data are processed.
  • Right of access (art. 15 GDPR): The right of access has two aspects: the data subject has the right to know whether his or her data are processed or not. If so, the data subject has the right to obtain access to these data and to receive a copy.
  • Right to rectification (art. 16 GDPR): Once the data subject has exercised the right of access and has found that the collected data are inaccurate or incomplete, he or she has the right to have the data rectified.
  • Right to erasure (art. 17 GDPR): In the specific circumstances enumerated in art. 17 para. 1 GDPR, the data subject has the right to request the erasure of his or her data. Erasure is not absolute: data which the asset manager must retain under a legal obligation (e.g. record-keeping duties) are exempt.
  • Right to restriction of processing (art. 18 GDPR): In specific circumstances, the data subject has the right to request that his or her data are processed only in a restricted way.
  • Right to data portability (art. 20 GDPR): Where the processing is based on consent or on a contract and is carried out by automated means, the data subject has the right to receive his or her data in a structured, commonly used and machine-readable format. This gives the data subject the option to transfer the data to another service provider (i.e. a competitor), e.g. when deciding to change the asset manager. Any Swiss Asset Manager is therefore advised to clearly separate personal data of clients from its own business secrets (such as models, strategies and internal assessments), so that the latter are not handed over to competitors for free.

In order to make sure that the data subject can exercise these rights, but also in order to satisfy the accountability requirement under GDPR, the processing entity has to maintain a record of its processing activities (art. 30 GDPR). Enterprises with fewer than 250 employees are exempt from this duty, but only if the processing is occasional, is unlikely to result in a risk to the rights of data subjects and does not include special categories of data (art. 30 para. 5 GDPR). Since an asset manager processes client data continuously, the exemption will rarely apply, and the record should be kept in any event.

In addition, the processing entity must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (art. 32 GDPR). Art. 32 expressly mentions the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access in a timely manner after an incident, and a process for regularly testing and evaluating the effectiveness of these measures.

Finally, any Swiss Asset Manager subject to GDPR needs to know that it must be able to demonstrate its compliance with GDPR (accountability, art. 5 para. 2 GDPR). In practice this shifts the burden of proof onto the Swiss Asset Manager, which is why the record of processing activities, the internal procedures and the security measures must be documented.

DUTY TO APPOINT A REPRESENTATIVE

The function of the representative is well known to anyone active in the distribution of funds in Switzerland (art. 123 CISA). A similar function exists under GDPR. Art. 27 GDPR provides that any controller or processor subject to GDPR but not established in the EU shall designate a representative in the EU. Exemptions apply, e.g., where the processing is only occasional, does not include large-scale processing of special categories of data and is unlikely to result in a risk to the rights of data subjects.

This representative principally serves as the contact point for supervisory authorities and for data subjects, similar to the representative of foreign funds in Switzerland.

Interestingly, the GDPR representative is introduced at exactly the moment when the requirement of a Swiss representative is to be partially abolished for the distribution of funds to qualified investors under FIDLEG and FINIG.

DATA PROTECTION VS. FINANCIAL MARKETS REGULATION

Entities subject to financial market regulation, such as Swiss Asset Managers with cross-border activities, are well advised to take special care: their processing activities must not contradict their licence. As an example, a Swiss Asset Manager without a licence to provide cross-border services into Germany must not process personal data of German residents for distribution activities, as it is not allowed to distribute anything in Germany in the first place. Documenting a legal basis under GDPR does not cure a missing regulatory authorisation, and vice versa.

THERE IS MORE TO COME…

The next issue of the MiFID II series, FIDLEG SOLUTION – News 6/2018, will discuss the impact of the de minimis rule on asset managers of collective investment schemes.

Your FIDLEG SOLUTION Team
www.fidlegsolution.ch


© 2019 FIDLEG SOLUTION. All rights reserved.