A case for Professionals of the Financial Sector
The General Data Protection Regulation is a European regulation that will apply from 25 May 2018 directly across all 28 EU Member States. By applying to all personal data processing activities, the regulation aims to strengthen and unify data protection for all individuals in the European Union.
Under this new regulation, Data Protection Authorities (DPAs) of Member States such as the CNPD in Luxembourg have investigative, corrective, advisory and authorization powers. They are entitled to impose administrative fines ranging from 2 percent to 4 percent of the group's worldwide annual turnover of the preceding financial year or €10 to €20 million, whichever is higher. Institutions from the public and private sectors, including investment funds, will receive those fines in case of infringements of data subject rights, non-compliance with an order of the DPA or even breach of their obligations as a controller [1] or a processor [2], as defined in the regulation, not necessarily linked to a data breach.
Professionals of the financial sector in Luxembourg, hereinafter referred to as PSF, come in all shapes and sizes. They generally operate under the control of their respective customers, but are also supervised by the local financial regulator CSSF. As such, they carry out processing activities due to their own legal obligations (AML, KYC, etc.) or purposes as well as processing activities for the purpose of serving their customers. In data protection terminology, PSF can end up being considered both as data controllers and data processors, depending on the processing activities they perform and the purposes they want to achieve.
[1] ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law [Art. 4(7)]
[2] ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller [Art. 4(8)], http://ec.europa.eu