The European Regulation 2016/679 of 27th April 2016 known as GDPR (General Data Protection Regulation) aims to harmonise and strengthen European legislation on the storage, processing and flow of personal data.
More precisely, it ensures:
- Strengthening of data subjects' rights: Natural persons can better manage their personal data;
- Reinforce responsibilities: The regulation reverses the burden of proof: the responsible party must define the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data, and demonstrate compliance with this Regulation;
- Strengthen and harmonise European cooperation: The regulation harmonises data privacy across Europe;
- Stiffer administrative sanctions: Under the GDPR rules, companies will face more stringent sanctions and could be fined up to 4% of global turnover at Group level or €20 million, whichever is higher, for a breach.
GDPR regulation (General Data Protection Regulation) refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation).
The Regulation comes into force on 25th May 2018.
SCOPE OF APPLICATION
The Regulation applies to any company established within the European Union that collects, processes and stores data whose use can directly or indirectly identify a physical person or data subject, and extends to its partners and software providers. It also concerns companies located outside the EU that offer goods and services or collect data on European citizens.
The GDPR regulation concerns natural persons: it deals with the data of employees, customers, prospects and all other personal data used by the institution (subcontractors, service providers, visitors, etc.). This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity, and thus with no connection to a professional or commercial activity. It also does not apply to the processing of personal data in the course of an activity which falls outside the scope of Union law.
- Governance requirements:
  - DPO (Data Protection Officer) appointment
  - Ensure continuous compliance
  - Personal data breach notification
  - Adequacy of personal data
  - Clear affirmative consent
- Increase transparency:
  - Right to data portability
  - Right to erase personal data
  - Integrity and confidentiality
Personal data shall be:
- Scope of data
Two kinds of data fall within the scope of this Regulation:
- Personal data relating to identified or identifiable natural person: Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Sensitive personal data: Sensitive personal data means personal data which is, by its nature, particularly sensitive in relation to fundamental rights and freedoms and merits specific protection as the context of its processing could create significant risks to the fundamental rights and freedoms. Such personal data should include personal data revealing:
- Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership;
- Genetic or biometric data;
- Health condition;
- Sexual orientation or sex life;
- Criminal offences and convictions;
- National identification numbers allowing the unique identification or authentication of a natural person.
Such personal data should not be processed, unless processing is allowed in specific cases. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.
CHALLENGES AND SOLUTIONS
CACEIS Group is committed to complying with the GDPR and guarantees the protection of personal data processed in its systems, whether such data concerns its clients or its employees.
How is CACEIS getting prepared?
CACEIS has published its Group Data Protection and Security Policy. In response to the main challenges ahead, CACEIS is delivering its three-year Information Security Plan to identify innovative solutions to address the protection of corporate assets, including personal data and cyber-security.
This 2016-2018 Strategic Plan notably summarises:
- Four strategic objectives and ten accompanying actions, among which the measures taken in accordance with GDPR (point 1.4);
- How to deliver the policy, through effective resource management, clear communication and evaluation of our performance.
Your usual sales contact remains at your disposal for further information.
FIND OUT MORE
> Décryptage and Scanning, our regulatory watch newsletters, publish the latest MiFID II and MiFIR developments in French and English.
> Other links of interest:
- Guidance - European Commission
The European Commission has published a guidance on the direct application of the GDPR.
- Questions-answers - European Commission
The European Commission has created a new Q&A website to ensure that all actors – EU governments, national data protection authorities, companies and citizens – are ready for the GDPR regulation's entry into force.
4 May 2016
PUBLICATION IN OJEU - Regulation (EU) n° 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
25 May 2018
ENTRY INTO FORCE - The Regulation comes into force on May 25th, 2018