GDPR applies to (i) personal data (PD) processing by a processor or controller in relation to activities conducted in the context of their EU presence or (ii) absent an EU presence, the processing of PD of EU-based individuals in relation to the offering of services. GDPR can thus apply to non-EU-based parties. A controller is the party who determines the purpose of collecting the PD; a processor is the party who processes PD on behalf of a controller. The concept of processing covers all actions relating to the handling of PD.

A USFM and a non-EU fund are in scope of GDPR to the extent they process PD of EU-based individuals. If the USFM has a Luxembourg presence (e.g. through a Luxembourg fund), the USFM and the Luxembourg fund are in scope of GDPR for PD processing of individuals, irrespective of where these individuals are based.

PD is being processed when a fund is raised, for example, in the context of the investor identification process. The data usually relates to the investor or, for legal entities, their ultimate beneficial owners and/or representatives.

The USFM and their (EU) funds (the Parties) must comply with a range of general PD processing principles such as transparency and confidentiality, including information obligations towards the data subjects, e.g. regarding the reasons for collecting the PD and their rights. In a fundraising context, this is ensured through disclosures in the fund documentation and through a so-called data protection notice shared with investors.

If an investor is a legal entity, the Parties must ensure that the individual(s) whose PD is provided are informed, by the investor, about the PD processing by these Parties. This is usually arranged through the subscription agreement, in which the investor represents having informed the relevant individual(s).

The Parties will usually pass on PD to fund service providers. The Parties must contractually ensure that the service provider is GDPR compliant. Moreover, the Parties must monitor PD breaches.

The Parties, but also their service providers, may only transfer PD outside the EU (e.g. a transfer between an EU service provider and the USFM) provided appropriate GDPR safeguards are adopted. Therefore, the Parties and service providers typically sign a data transfer agreement providing for a set of standardized clauses as approved by the European Commission.

A USFM should be aware that an EU fundraising triggers GDPR. The (ongoing) regulatory burden that falls upon it is light, but it is key that GDPR does not come as a surprise and that the USFM has a grip on its GDPR and contractual obligations.
