GDPR - untangling the dataflow web
Introduction to GDPR consideration
Recent deal experience has shown the growing need for data expertise in a variety of speciality finance transactions and projects. Whether corporate structures need to be put in place to adequately deal with information flows and the precise delineation of controller/processor relationships, and/or servicing agreements need to be reviewed in the light of the European General Data Protection Regulation 2016/679 (“GDPR”), it is highly likely that there will be a data protection angle which should be properly considered. Such considerations will almost always impact the documentation.
In this short note, we look at some of the most common transaction interactions with GDPR, the touch points and the implications, and suggest some areas that specialist lending companies and funders may look to keep in mind, both at the outset of a project and during the negotiation phase. For the purposes of this note we are going to use the simplified transaction structure set out below:
Whilst the above will not fit all specialist lending structures, we are using it to help bring out some of the most common data protection talking points. Here we are envisaging a split lender and servicing corporate structure, but we have removed the added complication of selling loans into certain SPVs for the purposes of this note. We have also anticipated senior only funding, rather than a senior/mezz structure. Whilst all of these variables can be tweaked to fit the commercial agreement between the parties, this structure allows us to speak to the focus of this note: compliance with European data protection laws, and the flow of data.
Regulatory Background
The GDPR introduces the potential for high fines (up to 4% of worldwide annual turnover) and regulatory sanctions, which brings into sharp focus the need for compliance. However, less well understood is what the GDPR means for specialist financing structures. Many structures will include the need to process personal data, for example through access to data for credit analysis, data supplied by the customer and/or data around repayments and the timing of those repayments.
Under the GDPR, the concept of personal data is extremely wide and encompasses any information relating to an identified or identifiable natural person. The drafting of the GDPR means that personal data is not limited only to the identifiers themselves, but also includes almost anything linked to those identifiers.
Most interaction with personal data will amount to processing, including collecting, organising, storing, altering, retrieving, using, and erasing. Given the wide scope of personal data and processing activities, data protection compliance should be considered at the outset of a structuring to ensure that the parties understand their roles and how to comply with the GDPR.
1. Servicing contracts
The data protection roles of the relevant parties to a structure will need to be carefully assessed to ensure that (i) servicing contracts include appropriate data protection terms; and (ii) responsibility for compliance with the respective data protection obligations is appropriately allocated.
A controller is the entity which, alone or jointly, determines the purposes and means of processing. The SpecFin Lender will usually be a controller, and it is also possible that the Funder will be considered a controller, albeit for different processing activities and at different times in the relationship.
A processor is the entity which processes personal data on behalf of the controller. This is typically the SpecFin Servicer, but will be dependent on the element of control that entity has in determining the means and purposes for processing. This is a question of fact and will need to be assessed on a case by case basis.
Whilst both controllers and processors have legal responsibilities under the GDPR, contracts between controllers and processors (here, the servicing agreement) will also need to include certain mandatory provisions; these are set out in Article 28 of the GDPR. The Article 28 provisions are designed to ensure that the processing carried out by a processor meets all the requirements of the GDPR, not just those related to keeping personal data safe. However, the GDPR is silent as to the specific mechanics of how such terms should be implemented in practice (for example, the right to object to the use of sub-processors) and any associated commercials (for example, the cost of audits or of assistance with data subject requests). This leaves various terms open to negotiation between the parties. In short, contracts must include provisions around:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of data subject; and
- the controller’s obligations and rights.
Contracts must also include specific terms or clauses regarding (amongst others):
- processing only on the controller’s documented instructions;
- any individuals with access to the personal data should be bound by a duty of confidence;
- assisting the controller with obligations to notify the regulator, data subjects and carry out privacy impact assessments; and
- access for audits and inspections.
2. Data Minimisation
The SpecFin Lender should also consider whether the personal data being disclosed is necessary for the purpose. This is the principle of data minimisation. Typically, where data is not necessary for the purpose, it should be removed or redacted. Redaction exercises can be costly, difficult and time consuming. It is important to note that redaction may not be required in every instance, and the SpecFin Lender should agree to a set scope of documents required for the due diligence exercise and may wish to consider a phased approach to the exercise.
Further concerns would be brought about in the event of disclosure of information in a dataroom, for the purposes of, for example, making information available to a potential funder or running a sale process.
3. International Transfers
Whilst it is not common for speciality finance transactions and projects to include the transfer of personal data outside the European Economic Area, it is worth noting, in the context of the impending Brexit, that such transfers are restricted unless the jurisdiction is subject to an adequacy decision from the European Commission or an appropriate safeguard is put in place. The most common safeguard relied on in the absence of an adequacy decision is the European Model Clauses. These are standard contractual clauses issued by the EU Commission which are to be entered into between the exporting and importing entities.
4. Fairness and Transparency
A controller is required to notify individuals of the basis of its processing activities. SpecFin Lenders may already include “the sale of a business, assets or portfolio” or “corporate restructuring” in their standard privacy notice, which should have been provided to the underlying product customers at the time of entering into the product, but depending on the jurisdiction of the SpecFin Lender, this may not always be the case.
Conclusion and Next Steps
This brief overview brings out just some of the things stakeholders in a specialist lending transaction or structure may need to think about. It is often not a core focus at the outset, but it is an important element that requires expertise and proper interrogation. The GDPR coming into force in May 2018 has brought the flow of information into sharp focus, partly because many businesses needed to tweak their business practices, but also because of the increased and material penalties for infringement. Full advice on dataflows and data management should be considered early on, and throughout the documentation process.