For several months, CACEIS conducted an exhaustive analysis of its various businesses. The analysis shows that most of the processing carried out by CACEIS uses "non-sensitive" personal data (surname, first name, position and professional contact details of clients' representatives). The sensitive data that exist within its systems relate to employees and, as far as clients are concerned, to the information required for the proper keeping of KYC (Know Your Customer) files and for the processing of shareholders’ registers or holders of UCI units.
Given the nature of the services provided, CACEIS most often acts as "data processor", as defined by the GDPR, for its clients. In addition, CACEIS qualifies as "data controller" for the processing activities that it carries out to comply with its own legal and/or regulatory obligations.
Following the inventory of its applications and computer systems that embed personal data, CACEIS made sure that its organisation and processing are in compliance with the new requirements. Its existing data security system has been supplemented with additional measures to guarantee the confidentiality and security of sensitive customer and employee data: traceability, data encryption, anonymisation, etc. These are accompanied by strengthened processes for detecting and reporting any incidents that may occur. Similarly, the internal procedures have been adapted to incorporate the provisions of the Regulation on the rights of individuals: strengthening of prior information and consent, possibility of asking at any time what personal information is processed, how it is processed, and for what purpose.
CACEIS's record of personal data processing is finalised. For each processing operation, it identifies in particular a controller and any subcontractors and qualifies the risks relating to personal data and the appropriate protection measures. The CACEIS Group Data Protection Officer (DPO) has been appointed in accordance with the provisions of the GDPR. He reports directly to a member of the CACEIS Executive Committee and relies on a network of designated correspondents in each Group entity. He has also been declared to the CNIL, the competent French data protection authority. He can be reached at the following email address: firstname.lastname@example.org
CACEIS has also updated its contractual relations with its clients and provided them with its "CACEIS Data Protection General Terms & Conditions", which describe the personal data collected within the context of delivering its service, and the rights and obligations of each individual with regard to the processing of personal data.
In addition, contractual relations with CACEIS suppliers and service providers have also been adapted to incorporate the provisions of the GDPR.
For further information, CACEIS has posted on its website its "Group Data Protection and Security Policy", as well as any other documentation relating to the implementation of the GDPR.
CACEIS's approach to protecting clients' personal data is fully in line with a broader programme to strengthen information systems security and data protection, carried out in coordination with the Crédit Agricole Groupe.