The European Regulation 2016/679 of 27 April 2016 known as GDPR (General Data Protection Regulation) aims to harmonise and strengthen European legislation on the storage, processing and flow of personal data.
More precisely, it aims to:
- Strengthen the rights of data subjects: Natural persons can better manage their personal data;
- Reinforce responsibilities: The regulation reverses the burden of proof. The controller must define the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data, and must be able to demonstrate compliance with the Regulation (the accountability principle);
- Strengthen and harmonise European cooperation: The regulation harmonises data privacy rules across Europe;
- Stiffer administrative sanctions: Under the GDPR rules, companies face more stringent sanctions and can be fined up to 4% of total worldwide annual turnover at Group level or €20 million, whichever is higher, for an infringement.
GDPR (General Data Protection Regulation) refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation).
The Regulation applies from 25 May 2018.
SCOPE OF APPLICATION
The Regulation applies to any company established within the European Union that collects, processes or stores data whose use can directly or indirectly identify a natural person (the data subject), and to the partners and software providers that process such data on its behalf. It also concerns companies located outside the EU that offer goods or services to, or monitor the behaviour of, data subjects located in the EU, whatever their nationality.
The GDPR concerns natural persons: it covers the data of employees, customers, prospects and all other personal data used by the organisation (subcontractors, service providers, visitors, etc.). The Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity, that is, with no connection to a professional or commercial activity. It also does not apply to the processing of personal data in the course of an activity which falls outside the scope of Union law.
- Governance requirements:
  - DPO (Data Protection Officer) appointment
  - Ensure continuous compliance
  - Personal data breach notification
  - Adequacy of personal data
  - Clear affirmative consent
- Increase transparency:
  - Right to data portability
  - Right to erase personal data
  - Integrity and confidentiality
Personal data shall be:
- Scope of data
Two kinds of data fall within the scope of this Regulation:
- Personal data relating to identified or identifiable natural person: Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Sensitive personal data: Sensitive personal data means personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms and merit specific protection, because the context of their processing could create significant risks to those rights and freedoms. Such personal data include data revealing:
- Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership;
- Genetic or biometric data;
- Health condition;
- Sexual orientation or sex life;
- Criminal offences and convictions;
- National identification number allowing the unique identification or authentication of a natural person (note that the Regulation leaves the specific conditions for processing such numbers to each Member State, rather than listing them among the special categories above).
Such personal data should not be processed unless processing is allowed in specific cases. Derogations from the general prohibition on processing these special categories of personal data must be explicitly provided for, inter alia, where the data subject gives his or her explicit consent, or in respect of specific needs, in particular where the processing is carried out in the course of the legitimate activities of certain associations or foundations whose purpose is to permit the exercise of fundamental freedoms.
CHALLENGES AND SOLUTIONS
CACEIS Group is committed to comply with the GDPR and guarantee the protection of the personal data processed in its systems, whether these data concern its customers or its employees.
Your usual sales contact remains at your disposal for further information.
4 May 2016
PUBLICATION IN OJEU - Regulation (EU) No 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
25 May 2018
ENTRY INTO APPLICATION - The Regulation applies from May 25th, 2018 (it entered into force on May 24th, 2016, twenty days after publication, with a two-year transition period before becoming applicable)