KYC & Data Protection: Friends or Foes?

Transcription

1 KYC & Data Protection: Friends or Foes? How To Comply with KYC Requirements CREOBis March 28 th,

2 Overview 1. Relationship between DP & KYC Regulations 2. Using Data Beyond KYC Purposes? 3. Supervisory Authorities 1

3 Relationship DP >< KYC/AML Combined application of both legislations Processing has a valid legal basis "necessary for complying with a legal obligation to which the data controller is subject" "shall be considered a matter of public interest" Other data protection principles remain applicable (proportionality, purpose limitation, data minimization, etc.) Limitation of right of access 2

4 Illustration 4th directive 2015/849 (Rec ; Articles 41, 43 & 61): Defines the requirements of identification and data collection Defines the categories of information to be used for verification purposes Processing must remain limited to: customer due diligence, ongoing monitoring, investigation and reporting of unusual and suspicious transactions, identification of the beneficial owner, identification of a PEP, sharing of information No further processing for commercial purposes Storage period of 5 years + 5 years max. Right of access only through supervisory authorities 3

5 Relationship DP >< KYC/AML Under the current Privacy Act of 8 Dec. 1992: Some provisions are not applicable: Art. 9: mandatory information to be provided to the individual The AML directive only provides for an exemption in relation to the right of access Under the directive 95/46, Member States may provide for specific exceptions and have a margin of appreciation Art and 12: right of access and right of rectification No explicit alternative is provided to exercize the right of access through the Privacy Commission The fundamental data quality principles apply 4

6 Relationship DP >< KYC/AML Poins of attention under the new GDPR: Legal basis Access & Portability Rights? (art. 15 & 20) Automated decision & profiling? (art. 22) 5

7 GDPR Adoption Process January st draft EU-Commission December 2015 Compromise Wording by EU Parliament, Council and Commission (Trilogue Version) 27 April 2016 Formal Adoption 4. May 2016 Publication in Official Journal 24 May 2016 Entry into Force 25 May 2018 End of Transition Period 6

8 GDPR What is new? 1. Territorial Scope of the GDPR Expansion of extraterritorial scope 2. Lawfulness of the data processing Modifications of the requirements permitting the processing of personal data 3. Use of data processors Requirements only slightly amended; increased duties of data processors 4. International transfers of data Only minor changes; in the mid-term new options for international data transfers 7

9 5. Data Governance / Accountability a) Privacy Impact Assessments b) Data Breach Notification c) Data Protection Officer d) Privacy by Design / Default Increased accountability requirements; new overarching burden of proof Introduction of PIAs Broader notification duties DPO requirement across the EU (with national law specifications remaining possible) Partially new, partially stricter requirements with high relevance in practice 6. Regulators / One Stop-Shop Introduction of the One-Stop-Shop principle 7. Fines Drastic increase (up to EUR 20m or 4% worldwide group revenues) 8. Data Security Measures Minor changes, but higher relevance in practice 8

10 Legal basis for processing Necessity for performing a legal obligation is still a legal basis for processing data The legal obligation must be defined by EU or MS law (non-eu laws will not be a valid legal basis for processing) The legal basis must define the purposes and may bring some adaptations to the provisions of the GDPR 9

11 Using Data Beyond KYC? Other potential legal bases include : Consent Legitimate interests? Need to take into account the legitimate expectations of the data subject Need to assess the compatibility on the basis of (i) link between the purposes, (ii) context of collection, (iii) nature of personal data, (iv) potential consequences, (v) existence of appropriate safeguards including encryption and pseudonymisation 10

12 When do you need consent? When do you need "consent" under the GDPR? Consent is one of the grounds for processing personal data When do you need "explicit consent" under the GDPR? Processing special categories of personal data (if you can't rely on any of the other lawful grounds); Automated decision making, including profiling (if you can't rely on any of the other lawful grounds); and Transfers of personal data to third countries (if there is no other transfer mechanism in place). 11

13 What does "consent" mean under the GDPR? "'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her" [emphasis added] Requests for consent must be: clearly distinguishable from other matters (i.e. no "bundled" consent) in an intelligible and easily accessible form use clear and plain language Consent can be withdrawn at any time: must be as easy to withdraw as to give data subject must be told upfront that this is possible Other drawbacks: contract performance must not be conditional on consent clear evidence consent for separate processing operations 12

14 What does "explicit consent" mean under the GDPR? The same as under the EU's Data Protection Directive? The Article 29 Working Party defined "explicit consent" as: " all situations where individuals are presented with a proposal to agree or disagree to a particular use or disclosure of their personal information and they respond actively to the question, orally or in writing" Opt-in tick box or declaratory statement Practically, how does this compare with "consent"? Is the clue in the Recitals? 13

15 Private & Confidential Key actions Identify data capture points (e.g. online forms, registrations, contact centres) Check whether opt-in/consent is really required What are people told about how their data will be used? (check policies, statements and notices) Revisit and amend any optin/consent forms Update policies, statements and notices 14

16 Supervisory Authorities under the GDPR Overlap with sectoral (KYC) regulator? Lead supervisory authority on an EU wide basis Cooperation and consistency mechanisms Investigations, injunctions, sanctions 15

17 Osborne Clarke is the business name for an international legal practice and its associated businesses. Full details here: osborneclarke.com/definitions Thank you Paste end slide graphics over this grey box in slide deck