As of May 25, 2018 the new EU General Data Protection Regulation (GDPR) shall apply, complemented by the new Federal Data Protection Act (BDSG).
The new data protection regime builds on existing data protection laws and improves their implementation by holding companies more accountable while data subjects are granted more extensive rights.
This client information presents important developments in data protection law and the (extended) obligations of an Alternative Investment Fund Manager (AIFM) when handling personal data.
- Lawfulness of Processing
An AIFM regularly comes into contact with data of natural persons (data subjects) that is to be protected, at various points in the life cycle of a Private Equity Fund. This includes in particular data of investors collected in the course of the subscription process, data of executives or employees of (potential) portfolio companies, and data arising from other business relationships.
Generally, it is only permitted to process data if at least one of the permissions given in Article 6(1) GDPR applies. In particular, this includes processing of personal data, provided it is necessary for
- the performance of a contract between the AIFM and the data subject;
- compliance with a legal obligation adopted by the European Union (EU) or a Member State to which the AIFM is subject; or
- the purposes of the legitimate interests pursued by the AIFM, except where such interests are overridden by the interests or fundamental rights of the data subject.
If none of the other permissions pursuant to the GDPR is available, processing is only permitted with the data subject's consent.
Broad and generic consents should no longer be the instrument of choice in the future, as we believe that they are not compatible with the principles of the new data protection regime. Moreover, obtaining a supplementary consent may interact adversely with the other permissions of the GDPR.
Therefore, it is always necessary to check the specific requirements and particularities of each permission individually. This applies in particular to the wording and scope of the respective declaration of consent, as well as to the question of whether the data subject's consent is actually necessary at all. Existing consent templates and general terms and conditions must therefore be carefully adapted to the new data protection law.
If there is no permission for processing, or a permission ceases to apply, existing data must be deleted immediately, as the GDPR does not permit data storage without a legal basis.
- Transparency Obligations
In the future, extended transparency obligations shall apply, consisting of comprehensive documentation, information and accountability obligations. Data subjects are now to be informed about, among other things, the purposes of and the legal basis for the processing, any (intended) transfer of their data to a non-EU country (so-called third country) and their extended rights in connection with data processing. The extended rights of data subjects include
- a right to obtain confirmation as to whether or not personal data of a data subject is being processed and information concerning this processing;
- a right to rectification;
- a right to block;
- a right to erasure (as far as no permission to process applies);
- a right to object (in case of some permissions) and
- a right to data portability (e.g., when changing providers).
If a data subject exercises one of his or her rights, the AIFM must ensure timely implementation, since relatively short response deadlines apply.
Thus, an AIFM should review and, if necessary, adjust its information on data protection, in particular within its respective subscription documents, privacy statements and other contractual documentation, by May 25, 2018.
- Third Parties in Processing and Data Transfer to Third Countries
In the fund segment, third parties are regularly involved in processing personal data. Data transmission to third countries is always subject to additional requirements.
Processing can be outsourced on behalf of the AIFM to an external service provider (such as a cloud service or data room provider). However, such a service provider (so-called processor) is not a third party within the meaning of the GDPR; thus, data transfer between the AIFM and its processor is permitted without an additional permission. Still, the GDPR imposes minimum requirements on the AIFM for the selection and monitoring of its processor and specifies minimum contractual content, including, for example, the subject-matter and duration as well as the nature and purpose of the processing.
- Forwarding of Data to Third Parties
An AIFM will regularly (be obliged to) pass on personal data to third parties, such as banks, government agencies or lawyers. This is only permissible within the framework of the respective permission, for example, if the disclosure is necessary for the performance of a contract or due to a legal obligation. Otherwise, a separate consent of the data subject will regularly be required.
- Receiving Data from Third Parties
An AIFM may also receive personal data requiring protection from third parties. This is the case, for example, when a company investing in a fund makes data of natural persons (such as its representatives, beneficial owners or ownership structures) available to the AIFM in the course of the subscription process or, when acquiring portfolio companies, employee data is disclosed by the seller in the course of due diligence. Again, this is permissible under certain conditions, but it triggers special transparency obligations, which can only be omitted in exceptional cases.
- Transfer of Data to Third Countries
A third-country element exists, for example, when an AIFM structures its fund (of funds) by incorporating companies in non-EU states or makes investments in non-European markets and thereby transmits investor data. Whilst data transfer within the EU is readily permitted, the transmission of data to recipients in third countries is subject to additional requirements.
A transmission of data to a third country may, among other cases, take place only where the EU Commission has decided that the third country ensures an adequate level of protection, where the AIFM has provided appropriate safeguards (e.g. data protection contracts based on standard contractual clauses), or where binding internal data protection rules are in place and have been approved by the authorities.
- Data Protection Management System
The GDPR requires the implementation of appropriate technical and organizational measures to ensure adequate protection of processing based on a risk-based approach.
- New Organizational and Technical Measures
For example, the GDPR has newly introduced the obligation to keep a record of processing activities, containing certain minimum contents such as the purposes of the processing and, where applicable, the transmission of personal data to third countries.
Based on this record of processing activities, an AIFM should be in a position to identify and remedy any weak points in its data protection management (system). When assessing deficiencies, the principles relating to the processing of personal data laid down in Article 5(1) GDPR (e.g. lawfulness, purpose limitation, data minimization and storage limitation) should serve as the benchmark.
From now on, each AIFM must be able to demonstrate to supervisory authorities and data subjects at any time that it has implemented risk-adequate data protection measures in line with the necessary technical and organizational requirements and the principles of data protection.
- Data Protection Officer
In addition, according to the new BDSG, an AIFM has to designate a data protection officer if at least ten employees are constantly involved in processing using automated means. An external service provider can also be appointed as data protection officer.
The data protection officer shall be designated on the basis of professional qualities and expert knowledge of data protection law and practices. The tasks of the data protection officer stem from the GDPR and also follow a risk-based approach.
- Reporting Obligation in case of Personal Data Breach
In the case of a personal data breach, the AIFM shall notify the supervisory authority of the breach without undue delay and, in any event, within 72 hours, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of the affected natural persons.
When the personal data breach is likely to result in a high risk to the rights and freedoms of a data subject, such personal data breach must also be communicated to the data subject.
- Authority: One-Stop Shop
From now on, the supervisory authority of the main establishment of a company is competent to act as lead supervisory authority also for cross-border processing ("one-stop shop").
- Possible Consequences of a Breach
The GDPR's new schedule of fines provides for significant penalties. Infringements of technical and organizational obligations can henceforth be punished with fines of up to 10 million Euro or 2% of worldwide annual turnover. Infringements of substantive rules can even be sanctioned with fines of up to 20 million Euro or 4% of worldwide annual turnover. In both cases, the higher of the two amounts applies.
In addition to administrative fines, the GDPR makes a direct claim available to any data subject who has suffered material or non-material damage as a result of a GDPR infringement.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.