General Data Protection Regulation

Agenda:
- What is GDPR?
- Is GDPR applicable for you?
- Which actions are required from you (and us)?
- Which rights do your clients have, and which services can KBC Securities provide linked with these rights?
- Questions, remarks, your contacts

What is GDPR?

The new General Data Protection Regulation (GDPR), adopted on 27 April 2016, will change the way business organizations process data about their clients. In summary, the GDPR will:
- replace the Data Protection Directive (officially Directive 95/46/EC) from 1995;
- strengthen and unify data protection for individuals within the European Union;
- enter into application on 25 May 2018 (after a two-year transition period);
- not require any enabling legislation to be passed by national governments: a single set of rules will apply to all EU member states;
- apply if the data controller or processor (organization) or the data subject (person) is based in the EU;
- also address the export of personal data outside the EU.

The GDPR significantly impacts the financial sector and presents another key driver for outsourcing, as the regulation requires major investments in processes, organization and IT. KBC SECURITIES, as part of KBC group, has made an in-depth analysis of its impact on organization and infrastructure.

Is GDPR applicable for you?

General: The rules apply to companies processing and controlling personal data.

Data: Personal data is all information relating to natural persons: a customer, a prospect, a KBC employee. This data can include a person's name, an email address, medical information, simulation info or an IP address. Anonymized data, public data and data of companies are NOT part of GDPR.

Protection: Controlling and processing of data covers the entire life cycle of the data, from capture, storage, consultation, processing and use until its deletion.

Which actions are required from you (and us)?

These rules apply to the internal organisation within your company. They also apply to KBC Securities.

Prepare for data security breaches: Put in place clear policies and well-practised procedures so that you can react quickly to any data breach, to prevent, minimize or control potential risks and damages, and to notify in time where required.

Establish a framework for accountability: Appoint a data protection officer, if required. Ensure that you have clear policies in place to prove that you meet the required standards. Establish a culture of monitoring, reviewing and assessing your data processing procedures, aiming to minimise data processing and data retention and to build in safeguards.

Analyse the legal basis on which you use personal data: Consider what data processing you undertake.

Embrace privacy by design: Ensure that privacy is embedded into any new processing or product that is deployed.

Check your privacy notices and policies

The GDPR requires that the information provided should be in clear and plain language. Your policies should be transparent and easily accessible.

Bear in mind the rights of data subjects: Be prepared for data subjects to exercise their rights under the GDPR, such as the right to data portability and the right to erasure.

Which rights do you and your clients have, and which services can KBC Securities provide linked with GDPR?

In this overview, we limit ourselves to the rights and services linked with the offering of KBC Securities.

Right of access

The client has the right to access all the personal information stored within the organization. A report (PDF or XLS file) can be generated with all personal static data and a description of the other types of information held at KBC SECURITIES, such as log files, reports, statements, recorded phone calls, etc.

Data portability

The customer has the right to receive the personal data concerning him or her. Contrary to the right of access, the right to data portability only covers data processed on the basis of consent or contract execution. The data given to the customer must be in a machine-readable and interoperable form. Interoperable means that the data can easily be accessed and used by another data controller, even when their systems are not technically compatible with those of KBCS; there is no obligation to make processing systems technically compatible with other data controllers. KBCS will provide the personal data to another controller in two commonly used formats:
- Static client data: BO report in PDF format, containing all static client data (name, address, phone number, ...).
- Transactional client data: XLSX file, from which all transactional data can be extracted.

Right to object to processing

The end client has the right to object to processing of his personal data based on legitimate interest. The consequence is that the organization is permitted to store the personal data, but not to process it further for that specific purpose.

For testing software changes, a technical platform change is foreseen. When a data subject objects to the use of personal data for testing software changes, we complete the following steps:
- The personal data of the data subject is overwritten in the test environments (Accept and Release). The same fields mentioned in the data retention chapter are overwritten; the data retention overwrite is reused for this on the test environments.
- The cash and/or securities of that account are removed on the test environments.
- The outstanding orders are cancelled on the test environments.
- The account is closed.
By doing this, the account and the person become obsolete and useless for performing tests.

Right of information

The right to be informed encompasses the obligation to provide fair processing information, typically through a privacy notice, to provide transparency over how personal data is used. When this right is exercised, we have to inform the data subject, on a general basis, which processes are performed with which data and for which purpose (see PDRs). KBC SECURITIES will provide its privacy statement to the Client, which can be used.

Right to erasure

The end customer has the right to have his/her personal data erased when the data is no longer necessary for the processing activity, or when the processing activity has stopped or fulfilled its purpose. KBCS has retention and archiving periods in place (cf. Data storage). The client data can be masked or permanently overwritten.

Data storage

Personal data must not be retained longer than is necessary for the purpose for which it is processed. Afterwards, the personal data must be destroyed. In the KBCS retention policy, KBCS distinguishes between the retention period and the archiving period:
- The retention period is the period during which personal data is stored and accessible.
- The archiving period is the period after the retention period during which the data is stored but no longer accessible for processing activities other than serving as evidence.

Retention period: the first year after the day the account is closed or the customer becomes inactive. In this period the data is stored and accessible.

Archiving period: after the retention period, the system automatically masks the client static data. Only the compliance and legal department has the authorization (profile) to view the customer static data.

Overwrite with fictive data: after the archiving period of 30 years, all customer static data is irrevocably overwritten with fictive data (ZZZZZZZZZZ). Since the data is overwritten in the database, it is impossible to retrieve the original data, which is equivalent to complete erasure.

Exception: the 30 years can be postponed further by means of a document in CSD. This can be used and registered in case of legal disputes.

Right to rectification

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If the personal data in question has been disclosed to third parties, these must be informed of the rectification where possible.
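The retention lifecycle described above (one year of accessible retention, a 30-year masked archive viewable only by the compliance and legal profiles, then irrevocable overwrite with ZZZZZZZZZZ, postponable by a CSD document in case of a dispute) as a small Python model; this is an added example, not KBCS code. The static field names, the profile names, the CSD document id and the sample client are assumptions, the archive is taken to run 30 years after the one-year retention period, and the same overwrite routine stands in for the overwrite of an objecting data subject's copies in the test environments described under the right to object.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

RETENTION_YEARS = 1                              # stored and accessible for one year after closure
ARCHIVE_YEARS = 30                               # then masked; only compliance/legal may view it
FICTIVE = "ZZZZZZZZZZ"                           # written over static data after the archiving period
PRIVILEGED_PROFILES = {"compliance", "legal"}    # assumed profile names allowed to view archived data

@dataclass
class ClientRecord:
    client_id: str
    static: dict                                 # "client static data" (name, address, phone, ...)
    closed_on: Optional[date] = None             # closure / inactivity date; None means active
    dispute_doc: Optional[str] = None            # hypothetical CSD document id postponing the overwrite

def add_years(d: date, n: int) -> date:
    try:
        return d.replace(year=d.year + n)
    except ValueError:                           # 29 Feb with no leap day in the target year
        return d.replace(year=d.year + n, day=28)

def phase(rec: ClientRecord, today: str) -> str:
    # active -> retention (1 y) -> archive (30 y, extended while a dispute document exists) -> overwritten
    if rec.closed_on is None:
        return "active"
    now = date.fromisoformat(today)
    if now < add_years(rec.closed_on, RETENTION_YEARS):
        return "retention"
    if rec.dispute_doc or now < add_years(rec.closed_on, RETENTION_YEARS + ARCHIVE_YEARS):
        return "archive"
    return "overwritten"

def overwrite_static(rec: ClientRecord) -> None:
    # Irreversible; the same overwrite is reused for a data subject's copies in the test environments.
    for f in rec.static:
        rec.static[f] = FICTIVE

def view_static(rec: ClientRecord, today: str, profile: str) -> dict:
    # What a user with `profile` may see; triggers the overwrite once the archiving period has ended.
    p = phase(rec, today)
    if p == "overwritten":
        overwrite_static(rec)
    elif p == "archive" and profile not in PRIVILEGED_PROFILES:
        return {f: "*" * len(v) for f, v in rec.static.items()}   # masked, still viewable by profile
    return dict(rec.static)

def sample_record(closed_on: str = "1990-03-01") -> ClientRecord:
    # Constructed sample client; not real data.
    static = {"name": "Jane Doe", "address": "1 Main St", "phone": "+32 2 000 0000"}
    return ClientRecord("C-0001", static, date.fromisoformat(closed_on))
```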

This is already in place, through CSD web services and CSD templates.

Privacy by design

The data privacy rules have to be embedded in the design of all processes using clients' personal data. The GDPR rules will be integrated via a DPIA (Data Protection Impact Analysis) in the NAPP (New and Active Product Process) procedure, which governs the implementation of new products and processes and major changes to existing products and processes.

Data minimization

Only the data necessary for the execution of a certain task may be processed. Data will only be processed for the purpose(s) for which it was obtained. Covered via the NAPP (see previous point).

Questions, remarks?

Don't hesitate to contact your Relationship Manager or Customer Support if you require further information on this topic.

Best regards,
Customer Support
customersupport@kbcsecurities.be