General Data Protection Regulation

- What is GDPR?
- Is GDPR applicable for you?
- Which actions are required from you (and us)?
- Which rights do your clients have and which services can KBC Securities provide linked with these rights?
- Questions, remarks, your contacts?

What is GDPR?

The General Data Protection Regulation (GDPR), adopted on 27 April 2016, changes the way organisations process the data of their clients. In summary, the GDPR:
- replaces the Data Protection Directive (Directive 95/46/EC) of 1995;
- strengthens and unifies data protection for individuals within the European Union;
- applies from 25 May 2018, after a two-year transition period;
- does not require any enabling legislation to be passed by national governments: a single set of rules applies in all EU member states;
- applies if the data controller or processor (organisation) or the data subject (person) is based in the EU;
- also governs the transfer of personal data outside the EU.

The GDPR has a significant impact on the financial sector and is another key driver for outsourcing, as it requires major investments in processes, organisation and IT. KBC SECURITIES, as part of KBC group, has made an in-depth analysis of its impact on organisation and infrastructure.

Is GDPR applicable for you?
General: the rules apply to any company that controls or processes personal data.

Data: personal data is any information relating to an identified or identifiable natural person, such as a customer, a prospect or a KBC employee. It includes, for example, a person's name, e-mail address, medical information, simulation data and IP address. Anonymised data and data about legal persons (companies) fall outside the GDPR; data that is publicly available is still personal data when it relates to an identifiable natural person.

Protection: controlling and processing cover the entire life cycle of the data, from capture, storage and consultation through processing and use, up to deletion.

Which actions are required from you (and us)?

These rules apply to the internal organisation of your company. They apply equally to KBC Securities.

Prepare for data security breaches
Put in place clear policies and well-practised procedures so that you can react quickly to any data breach, prevent, minimise or contain the resulting risks and damage, and notify in time where required (the GDPR sets a 72-hour deadline for notifying the supervisory authority once you become aware of a notifiable breach).

Establish a framework for accountability
Appoint a data protection officer, if required. Ensure that you have clear policies in place to prove that you meet the required standards. Establish a culture of monitoring, reviewing and assessing your data processing procedures, aiming to minimise data processing and data retention and to build in safeguards.

Analyse the legal basis on which you use personal data
Consider what data processing you undertake and which of the GDPR's legal bases (for example consent, performance of a contract or legitimate interest) each processing activity relies on.

Embrace privacy by design
Ensure that privacy is embedded in any new processing activity or product that is deployed.

Check your privacy notices and policies
The GDPR requires that information provided to data subjects is in clear and plain language. Your policies should be transparent and easily accessible.

Bear in mind the rights of data subjects
Be prepared for data subjects to exercise their rights under the GDPR, such as the right to data portability and the right to erasure.

Which rights do you and your clients have and which services can KBC Securities provide linked with GDPR?

In this overview we limit ourselves to the rights and services that are linked with the offering of KBC Securities.

Right of access
The client has the right to access all the personal information about him/her that is stored within the organisation. A report (pdf or xls file) can be generated with all personal static data and a description of the other types of information held at KBC SECURITIES, such as log files, reports, statements, recorded phone calls, etc.

Data portability
The customer has the right to receive the personal data concerning him/her. Unlike the right of access, the right to data portability only covers data that is processed on the basis of consent or for the performance of a contract. The data must be given to the customer in a machine-readable and interoperable form. Interoperable means that the data can easily be accessed and used by another data controller, even when that controller's systems are not technically compatible with the systems of KBCS; there is no obligation to make processing systems technically compatible with those of other data controllers. KBCS provides the personal data to another controller in two commonly used formats:
- Static client data: BO report in pdf format, containing all static client data (name, address, phone number, etc.)
- Transactional client data: all transactional data, extracted in XLSX format
Right to object to processing
The end client has the right to object to the processing of his/her personal data that is based on legitimate interest. The consequence is that the organisation may keep storing the personal data, but may no longer process it for that specific purpose.

One such purpose is the testing of software changes, for which a technical platform change is foreseen. When a data subject objects to the use of his/her personal data for testing software changes, we complete the following steps:
- The personal data of the data subject is overwritten in the test environments (Accept and Release). The same fields that are listed in the data retention chapter are overwritten, reusing the data retention overwrite routine on the test environments.
- The cash and/or securities of that account are removed on the test environments.
- The outstanding orders are cancelled on the test environments.
- The account is closed.
By doing this the account and the person become obsolete and useless for performing tests.

Right to information
The right to be informed encompasses the obligation to provide fair processing information, typically through a privacy notice, to give transparency over how personal data is used. When this right is exercised, we have to inform the data subject, in general terms, which processing activities are performed on which data and for which purpose (see PDRs). KBC SECURITIES will provide its privacy statement to the client, who can use it for this purpose.

Right to erasure
The end customer has the right to have his/her personal data erased when it is no longer necessary for the processing activity, or when the processing activity has stopped or fulfilled its purpose. KBCS has retention and archiving periods in place (see Data storage below). Client data can be masked or permanently overwritten.

Data storage
Personal data must not be retained longer than is necessary for the purpose for which it is processed. Afterwards the personal data must be destroyed. In the KBCS retention policy a distinction is made between the retention period and the archiving period:
- The retention period is the period during which personal data is stored and accessible.
- The archiving period is the period after the retention period during which the data is still stored but is no longer accessible for processing activities other than serving as evidence.

Retention period: the first year after the day the account is closed or the customer becomes inactive. In this period the data is stored and accessible.

Archiving period: after the retention period the system automatically masks the client static data. Only the compliance and legal departments have an authorisation profile that allows them to view the customer static data.

Overwrite with fictive data: after the archiving period of 30 years, all customer static data is irrevocably overwritten with fictive data (ZZZZZZZZZZ). Because the data is overwritten in the database, the original values can no longer be retrieved, which is equivalent to complete erasure. Note that this equivalence holds for the database itself; any copies of the original values held in backups, log files or exported reports are not affected by the overwrite and need their own retention controls.

Exception: the 30-year period can be extended by registering a document in CSD. This can be used, for example, in case of legal disputes.

Right to rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If the personal data in question has been disclosed to third parties, these must be informed of the rectification where possible.
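The following Python is an added illustration, not KBC Securities code, of the two procedures described in the "Right to object" and "Data storage" sections: the anonymisation steps applied on a test environment after an objection (overwrite static fields, strip cash and securities, cancel open orders, close the account), and the retention lifecycle (one accessible retention year, a masked archive that only compliance and legal profiles can read, a legal hold that postpones the overwrite, and the irreversible overwrite with ZZZZZZZZZZ). The record layout, the field names, the masking value `***`, the `legal_hold` flag standing in for the CSD document, and the date arithmetic (the 30-year archive counted from the end of the retention year) are all assumptions; the sample account is constructed.

```python
"""Retention lifecycle and test-environment anonymisation modelled on the
policy text above. Added illustration, not KBC Securities code: the record
layout, field names, masking value and date arithmetic are assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

FICTIVE = "ZZZZZZZZZZ"                         # overwrite value quoted in the policy
MASK = "***"                                   # assumed display value while archived
STATIC_FIELDS = ("name", "address", "phone")   # assumed static client data fields
PRIVILEGED_PROFILES = {"compliance", "legal"}  # may view archived static data
RETENTION_YEARS = 1                            # first year after closure / inactivity
ARCHIVE_YEARS = 30                             # archive period after the retention period


@dataclass
class Account:
    account_id: str
    static: Dict[str, str]                 # personal static data
    closed_on: Optional[date] = None       # None while the account is open / active
    legal_hold: bool = False               # assumed flag for a CSD document postponing the overwrite
    cash: float = 0.0
    securities: Dict[str, int] = field(default_factory=dict)
    open_orders: List[str] = field(default_factory=list)
    closed: bool = False


def overwrite_static_data(acc: Account) -> None:
    """Irreversibly replace every static field with the fictive value.
    Shared by the retention lifecycle and the test-environment anonymisation."""
    for key in STATIC_FIELDS:
        if key in acc.static:
            acc.static[key] = FICTIVE


def anonymise_test_account(acc: Account) -> Account:
    """Steps taken on a test environment when the data subject objects to the
    use of his/her data for testing: overwrite, strip assets, cancel orders, close."""
    overwrite_static_data(acc)
    acc.cash = 0.0
    acc.securities.clear()
    acc.open_orders.clear()
    acc.closed = True
    return acc


def full_years_since(start: date, today: date) -> int:
    """Whole years elapsed between two dates (anniversary-style rounding)."""
    years = today.year - start.year
    if (today.month, today.day) < (start.month, start.day):
        years -= 1
    return years


def retention_state(acc: Account, today: date) -> str:
    """Return 'active', 'retention', 'archived' or 'overwrite' for the account."""
    if acc.closed_on is None:
        return "active"
    years = full_years_since(acc.closed_on, today)
    if years < RETENTION_YEARS:
        return "retention"
    # A registered legal hold keeps the record archived past the 30 years.
    if years < RETENTION_YEARS + ARCHIVE_YEARS or acc.legal_hold:
        return "archived"
    return "overwrite"


def apply_lifecycle(acc: Account, today: date) -> str:
    """Batch step: perform the automatic overwrite once it is due; return the state."""
    state = retention_state(acc, today)
    if state == "overwrite":
        overwrite_static_data(acc)
    return state


def view_static_data(acc: Account, profile: str, today: date) -> Dict[str, str]:
    """Static data as seen by `profile`: clear while accessible, masked while
    archived unless the profile is compliance/legal, fictive after overwrite."""
    state = retention_state(acc, today)
    if state == "archived" and profile not in PRIVILEGED_PROFILES:
        return {key: MASK for key in acc.static}
    return dict(acc.static)


if __name__ == "__main__":
    # Constructed sample record, not real client data.
    acc = Account("ACC-1", {"name": "Jane Doe", "address": "1 Example St", "phone": "+32 0 000 00 00"},
                  closed_on=date(2000, 3, 1))
    for day in (date(2000, 12, 31), date(2001, 3, 1), date(2031, 3, 1)):
        state = apply_lifecycle(acc, day)
        print(day, state, view_static_data(acc, "support", day), view_static_data(acc, "compliance", day))
```

`apply_lifecycle` is the scheduled job and `view_static_data` is a pure read, so masking is enforced at read time for non-privileged profiles while the overwrite is the only step that changes stored data; keep the two separate in a real system so that a display bug cannot silently destroy records.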
This is already in place, through CSD web services and CSD templates.

Privacy by design
The data privacy rules have to be embedded in the design of all processes that use clients' personal data. The GDPR rules are integrated, via a DPIA (Data Protection Impact Assessment), into the NAPP (New and Active Product Process) procedure, which governs the implementation of new products and processes and major changes to existing products and processes.

Data minimisation
Only the data that is necessary for the execution of a certain task may be processed, and data may only be processed for the purpose(s) for which it was obtained. This is covered via the NAPP (see the previous point).

Questions, remarks?
Don't hesitate to contact your Relationship Manager or Customer Support if you require further information on this topic.

Best regards
Customer Support
customersupport@kbcsecurities.be