aller au menu aller au contenu




The European Regulation 2016/679 of 27th April 2016 known as GDPR (General Data Protection Regulation) aims to harmonise and strengthen European legislation on the storage, processing and flow of personal data.

More precisely, it ensures:

Main provisions

GDPR regulation (General Data Protection Regulation) refers to Regulation (EU) 2016/679 of the European parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation).

The Regulation comes into force on 25th May 2018.


The Regulation applies to any company established within the European Union that collects, processes and stores data whose use can directly or indirectly identify a physical person or data subject, and extends to its partners and software providers. It also concerns companies located outside the EU that offer goods and services or collect data on European citizens.

The GDPR regulation concerns natural persons, it deals with the data of employees, customers, prospects and all other personal data used by the institution (subcontractors, service providers, visitors, etc.). This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. It also does not apply to the processing of personal data in the course of an activity which falls outside the scope of Union law.



  • Governance requirements

Main provisionsClarification
DPO (Data Protection Officer) appointment
  • A DPO should be appointed
Ensure continuous compliance
  • Compliance with GDPR requirements should be demonstrated through regular monitoring, for instance data protection impact assessment should be carried out
Personal data breach notification
  • Personal data breach should be notified to the supervisory authority competent within the time allowed
Adequacy of personal data
  • The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed
Clear affirmative consent
  • Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her

  • Increase transparency

Main provisionsClarification
Right to data portability
  • In exercising his or her right to data portability pursuant, the data subject shall have the right to have the personal data transmitted directly from one controller to another
Right to erase personal data 
  •  A data subject should have the right to have his or her data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or processed, where a data subject has withdrawn his or her consent, or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation
Integrity and confidentialityPersonal data shall be:
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Data traceability
  • Data traceability should be ensured
  • Personal data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, with regard to the purposes for which they are processed, are erased or rectified without delay


  • Scope of data

Two kinds of data fall within the scope of this Regulation: 

  • Personal data relating to identified or identifiable natural person: Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  •  Sensitive personal data: Sensitive personal data means personal data which is, by its nature, particularly sensitive in relation to fundamental rights and freedoms and merits specific protection as the context of its processing could create significant risks to the fundamental rights and freedoms. Such personal data should include personal data revealing:
    • Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership;
    • Genetic or biometric data;
    • Health condition;
    • Sexual orientation or sex life;
    • Criminal offences and convictions;
    • National identification numbers allowing the unique identification or authentication of a natural person.

Such personal data should not be processed, unless processing is allowed in specific cases. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.


CACEIS Group is committed to complying with the GDPR and guarantees the protection of personal data processed in its systems, whether such data concerns its clients or its employees.

How is CACEIS getting prepared?

CACEIS has published its Group Data Protection and Security Policy. In reponse to the main challenges ahead, CACEIS is delivering its three-year Information Security Plan to identify innovative solutions to address the protection of corporate assets, including personal data and cyber-security.

This 2016-2018 Strategic Plan notably summarises:

  • Four strategic objectives and ten accompanying actions among which mesures taken in accordance with GDPR (point 1.4),
  • How to deliver the policy, through effective resource management, clear communication and evaluation of our performance. 

Your usual sales contact remains at your disposal for further information.


> Décryptage and Scanning, our regulatory watch newsletters, publish the latest MiFID II and MiFIR developments in French and English. 

> Other links of interest:

The European Commission has published a guidance on the direct application of the GDPR.

  • Questions-answers - European Commission

The European Commission has created a new Q&A website to ensure that all actors – EU governments, national data protection authorities, companies and citizens – are ready for the GDPR regilation entry into force.


   Contact us


Key dates