The General Data Protection Regulation (GDPR) will come into force on 25 May 2018. This new EU data protection regime will introduce new obligations on trustees as data controllers when processing the personal data of data subjects (such as settlors and beneficiaries). Furthermore, in the context of Switzerland, the GDPR has extra-territorial reach: a non-EU (Swiss) business that processes the personal data of data subjects in the EU, for example because it offers services to them or monitors their behaviour, will have to play by the EU rules. Trust businesses in Switzerland falling within this category should therefore review their procedures in order to comply with the GDPR.
Swiss trust companies and businesses will also need to comply with the revised Swiss Data Protection Act (DPA), which is being introduced at the end of 2018 or in early 2019. Broadly speaking, the DPA has been introduced to complement the GDPR and a draft of the DPA was published on 15 September 2017. It is likely that the DPA will take time to implement and as such, lawyers and practitioners will be closely watching the interplay between the two regimes. It is assumed at present that the same obligations for trustees that arise under the GDPR will similarly apply in respect of the DPA.
What is personal data and why is a trustee a data controller?
The GDPR defines personal data as any information relating to an identified or identifiable natural person (the “data subject”). A data controller is a person who, alone or jointly with others, determines the purposes and means of the processing of personal data. “Processing” includes collecting, recording, organising, storing, retrieving, consulting, using, erasing or destroying the personal data. As such, trustees will in almost all instances be data controllers in relation to the information they gather, store and use about all persons linked to a trust (the data subjects), which includes not only the beneficiaries, but also the settlor, protector, appointer and any other connected persons about whom data is processed.
It is important to be aware that the GDPR is wide-reaching and its principles will apply in all cases where personal data is processed within a company or its group. Swiss trust companies that pass on personal data of data subjects to other departments or companies within their group need to be conscious of this and have appropriate measures in place.
The GDPR establishes a two-tiered system of penalties. Some infringements (for example, violations relating to internal record keeping) are subject to fines of up to EUR 10 million or 2% of annual worldwide turnover, whichever is higher. Others (such as breaches of the data protection principles) are subject to higher fines of up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher. Under the DPA the maximum financial penalty is substantially lower than under the GDPR, at CHF 250,000.
Obligations of data controllers
Trustees must demonstrate compliance with the data protection regime as part of the overall principle of accountability. Some of the main obligations of the GDPR and DPA that trustees will need to comply with when processing clients’ data include:
- provide beneficiaries (and other data subjects) with information (privacy notices) about the personal data being processed, the purposes of the processing and the recipients of that data, and respond to subject access requests (a request need only be answered with the personal data the trustee actually holds about the requesting beneficiary, not information about anyone else);
- keep an up-to-date record of all processing activities for which they are responsible;
- process data securely and have appropriate technical and organisational measures in place that meet the standards imposed by the GDPR;
- ensure that any processing delegated to a processor (for example, a law firm) is governed by a contract that satisfies GDPR requirements;
- notify personal data breaches to the Federal Data Protection and Information Commissioner (FDPIC) (the relevant Swiss supervisory authority) without undue delay (under the GDPR, where feasible within 72 hours of becoming aware of the breach);
- where a beneficiary has asked for data to be rectified or erased, notify those persons with whom the personal data has previously been shared;
- implement policies to ensure data processing is performed in accordance with the GDPR;
- tell beneficiaries about a personal data breach if it is likely to result in a high risk to their rights and freedoms; and
- where personal data is transferred to a country outside the EEA or to an international organisation, ensure that the European Commission has confirmed that the recipient country provides an adequate level of protection (Switzerland itself benefits from such an adequacy decision) or, if there is no such decision, put appropriate safeguards in place, such as standard contractual clauses or binding corporate rules. Encrypting the data in transit and at rest is a sound security measure, but it is not by itself one of the legal safeguards the GDPR requires for the transfer.
Preparing for the GDPR
There are many steps that trustees should already have taken to prepare for the GDPR; trustees that have not taken them are unlikely to find that their current arrangements are GDPR-compliant. The full requirements of the GDPR (and its implications) will become clearer when the regulatory guidance and the DPA are finalised. Over the last year, trustees will have been reviewing their current arrangements and the data they hold, and establishing new processes.
GDPR compliance should not be treated as a one-off exercise completed on the date the regulation takes effect. Rather, the FDPIC will want to see that GDPR compliance is internalised and reflected in the way trustees carry out their activities on a pragmatic basis over time.
Some of the main action points trustees should be considering to ensure compliance include:
- decide which person in a trust company will deal with GDPR compliance; for example, nominate one of the trustees as the main point of contact for requests for information;
- conduct an audit and review all personal data currently held, including:
  - where and for how long it has been held;
  - the reasons for the decision to keep the data for a specific time (for example, the length of the trust period);
  - who it relates to;
  - why it is being processed; and
  - how it is kept secure;
- consider who the data is shared with (for example, with law firms when seeking advice);
- regularly assess progress (for example, by including GDPR compliance as a fixed item on the agenda at company meetings);
- consider how long the data should be kept for. The GDPR requires trustees to keep data for "no longer than is necessary for the purposes for which the personal data are processed …";
- update existing data protection policies to make them GDPR compliant. If no data protection policy exists, trustees should create one to satisfy their accountability obligations. The data protection policy should refer to:
  - the timescale for complying with beneficiary information requests;
  - how personal data is processed and stored; and
  - the procedures and policies in place to comply with the GDPR;
- establish procedures to identify, record and (if required) report a data breach;
- carry out training for trustees. In particular, all individuals involved in processing should be able to identify when there has been a personal data breach and be aware how this should be dealt with;
- review insurance policies to see if they can be extended to cover liability for fines and compensation under the GDPR; and
- review policies on trustee indemnities on retirement to ensure that liabilities in relation to the GDPR are taken into account.
Examples: Trustees as data controllers
- The Swiss Trust Company XYZ has been appointed as the trustee of an endowment fund. Every year they receive grant applications from students who give their name, address and brief details of their studies as well as a personal statement in support of their application. The GDPR applies to the Swiss Trust Company XYZ as data controller in relation to the personal data they hold about the student applicants (past and present) who are data subjects. This is regardless of whether the data is contained in a computer system, on emails, or in a paper filing system.
- The Swiss Trust Company XYZ is trustee of the Pan Family Discretionary Trust. The settlor is Peter Pan, who defined the discretionary class as the lineal descendants of his father and mother and their spouses. Peter has written a letter of wishes indicating that he would like his four children and their children to be the principal beneficiaries and that the other members of the discretionary class should only benefit if his children and grandchildren have all died. He does not envisage that any other beneficiaries will ever benefit. Rather than employing a genealogical researcher to track down all Peter's second cousins (whom he believes are settled in Neverland), the trustees decide to limit their record keeping to Peter's immediate family. This complies with the purpose limitation and data minimisation principles of the GDPR. However, all of Peter’s children and grandchildren will be data subjects, and the Swiss Trust Company XYZ will need to comply with the GDPR principles in respect of holding and processing their data.