The GDPR raises a number of issues for trustees and personal representatives, but STEP has begun to provide much-needed clarity in this area by publishing new guidance on the subject.
The guidance was prepared by STEP’s Data Protection Working Group, chaired by our own Edward Hayes, and the key points are:
- The GDPR applies on a trust-by-trust and estate-by-estate basis
- Generally, trustees and personal representatives will be data controllers unless the purely personal or household activity exemption applies to them (explained below)
- All of the trustees or personal representatives (as appropriate) of a given trust or estate are treated as a single data controller (rather than each being a separate data controller)
- References to the “number of staff” that a data controller has should be read as references to the number of trustees or personal representatives, whilst references to a data controller’s “turnover” should be read as references to the relevant trust’s or estate’s gross annual income and gains
The circumstances in which trustees or personal representatives will be exempt from the GDPR
- A trustee or personal representative is likely to be within the scope of the “purely personal or household activity” exemption set out in Article 2(2)(c) of the GDPR if:
  - they are acting in their personal capacity (rather than as a professional); and
  - they are unpaid (expenses would be allowed).
- If there are multiple trustees or personal representatives and some benefit from the exemption whilst the others do not, the non-exempt trustees/personal representatives are caught by the GDPR whilst the exempt trustees/personal representatives are not.
- Entities (such as trust companies) can never benefit from the exemption.
Processing special category data
- Trustees and personal representatives can process special category data to the extent that doing so is necessary for them to perform their fiduciary duties (relying on Article 9(2)(f) of the GDPR).
Disclosure obligations in relation to beneficiaries
- Trustees and personal representatives will be obliged to provide privacy notices to any beneficiaries who provide personal data about themselves (Article 13, GDPR).
- However, trustees and personal representatives will not be obliged to provide privacy notices to beneficiaries if the personal data is obtained from another source (such as from the settlor or testator) (Article 14, GDPR).
- When responding to data access requests (also known as “subject access requests”), trustees and personal representatives are not obliged to provide copies of any documents or information which they would be entitled to withhold under established trust law or estate law principles (Article 15, GDPR).
STEP’s Data Protection Working Group is aware of a number of other ambiguities and uncertainties in relation to the application of the GDPR in a private client context and is continuing to analyse the position. It expects to publish expanded guidance in due course.