Offshore Financial Institutions are in the scope of the EU GDPR!

How to Implement, Execute, Monitor, and Audit the GDPR assessment based on a security-driven, and data-focused and sustainable approach
August 18, 2019
Spell out the Character and Behaviour of a Cyber- and IT Security Officer
August 18, 2019
As part of the 3-day GDPR Practitioner certification Masterclass, we will address some of the general global requirements on Data Privacy and Data Protection and GDPR for Seychelles.

During the seminar, we will review the issues and how can banks and other institutions in Seychelles Banks ensure compliance with GDPR, IT security and other global privacy mandates. Also, we will assess the Financial Institutions role and responsibilities of the Board of Directors as accountability is a vital component of the GDPR legislation. In addition, we will go through the requirements of contractual arrangements, supervising third-party service providers and the need to appoint a Data Protection Officer.

Data processing activities done by different parties in various jurisdictions.

These and other items will ensure that adequate measures are in place to protect Investor Personal Data, updating Privacy Notices and documents by the Financial Institutions to ensure that investors are fully aware of where their Personal Data is being processed, by whom and for what purpose. 

Generally, the Administrator, Transfer Agent, Distributor, and the Investment Manager of a Financial Institution may fall within the definition of a GDPR Data Controller or Data Processor. These requirements include issues related to the Investor Personal Data, which are processed and stored by or on behalf of the investment fund and/or by one or more of the service providers. 

Will GDPR affect domiciled funds in Offshore Financial Institutions?

After we have outlined the data processing activities carried out by the Financial Institution, we can determine if the GDPR also applies to firms domiciled and established outside of the EU, where the processing involves offering goods or services to ‘data subjects’ in the EU:

  • Financial Institution has European investors or is actively marketing to EU investors.
  • Appoint a ‘representative’ in the EU to assist the company to meet its GDPR obligations as anEU representative for any queries on the data subjects or data protection supervisory authorities have about the Financial Institutions activities.

What does it mean for Offshore Financial Institutions funds in the scope of the GDPR?

Financial Institutions and Investment funds in Offshore Financial Institutions, captured by the regulations, will be considered Data Controllers. Service providers will be regarded as data processors and perhaps also be considered Data Controllers. Participate in the Masterclass to find out the differences and similarities for compliance.

We will review the primary duties, role and responsibilities of Offshore Financial Institutions based Data Controllers and the Data Processors:

  • What are the consequences for Offshore Financial Institutions companies fail to comply?
  • Failure to comply with GDPR may result in fines of €20m or up to 4% of the annual global turnover.
  • The GDPR’s organisational penalties are designed to reflect the severity of the breach and in each case, be active, proportionate and to hinder future occurrences.

All Offshore Financial Institutions based Financial Institutions, and Investment Funds must carry out the following activities to comply:

  • Draft and maintain several Data Protection Policies;
  • Does the company need a representative?
  • Maintain a data breach register;
  • Due diligence of data processors, the Administrator or Third parties;
  • How to handle data breaches including reporting and disclosures to the supervisory authority;
  • Implementation of a data inventory to identify personal data and the lawful basis for processing;
  • Training and awareness to all stakeholders of their respective obligations under the GDPR;