Search
Industry Updates

Data Protection Update for Irish Funds

In early 2023, the Irish Data Protection Commission (“DPC”) published three decisions following inquiries into the data processing operations of Meta Platforms Ireland Limited in respect of its Facebookand Instagram Serviceand the processing carried out by WhatsApp Ireland (“WhatsApp”)(together the “DPC Decisions”).

Related Services

The DPC Decisions call for a higher level of transparency on how individuals’ personal data is used. Although they concern social media businesses, the transparency requirements apply to all businesses controlling personal data including investment funds. In this update, we examine the key findings arising from the DPC Decisions relating to the provision of information to individuals.

Providing Information to Data Subjects

Articles 13 and 14 of the General Data Protection Regulation (“GDPR”) require controllers to provide specified mandatory information to individuals on how and why their personal data is processed. Transparency is a core data protection principle because if individuals do not know how and why their personal data is processed, they cannot exercise their data protection rights.

WhatsApp, Facebook and Instagram’s approaches to providing the specified mandatory information were each found to have infringed their respective transparency obligations under Articles 5(1)(a), 12(a) and 13(1)(c) of GDPR.

DPC Corrective Action

The DPC Decisions ordered each of WhatsApp, Facebook and Instagram to bring its terms of service and data policy into compliance with Articles 12(1) and 13(1)(c).

Facebook, Instagram and WhatsApp were fined €210 million, €180 million and €5.5 million, respectively, for their transparency failures. The WhatsApp fine was relatively low when compared to the Facebook and Instagram fines because WhatsApp had already received a fine of €225 million for transparency breaches in 2021 and the DPC was satisfied that WhatsApp had taken corrective measures to address these past failures.

Although the DPC Decisions are the subject of a number of appeals and challenges, a number of corrective actions have been taken to address the DPC’s core findings in relation to the provision of transparency information.

Updating your Data Protection Notice

One of the core findings of the DPC Decisions is that the purpose, processing operation and legal basis in respect of the intended processing must be specifically provided for each category of personal data.  Often investment funds’ data protection notices list all, or most, of the potential GDPR Article 6 legal bases. The DPC Decisions confirm that this approach is not sufficient.  Retail investors, their connected persons and connected persons of institutional investors need to be given more granular information linking each category of personal data with a specific processing purpose, processing operation and legal basis.

How the Maples Group Can Help

We can assist with updates to your privacy notices to provide sufficient transparency information and advise on GDPR compliance issues.

For further information, please reach out to your usual Maples Group contact or the person listed below.

Data Protection Update for Irish Funds
Primary Contacts
Primary Contacts
Menu