The application of the EU General Data Protection Regulation (GDPR) as from May 25, 2018, has led to the need to re-examine practices and structures in today’s corporate and commercial landscape insofar as the processing and protection of personal data is concerned.
Issuers and service providers alike are required to rethink processes and procedures which, with the onset of the GDPR, were found wanting. An issuer of securities admitted to listing and trading on the Maltese capital markets is considered to be a controller of personal data and required to adhere to data processing obligations.
For example, an issuer is required to make its privacy notice available to all its data subjects. This document sets out how the issuer will be collecting personal data, the legal basis behind the processing of the data and the rights of the data subject, among others, in the context of the investor’s investment in the securities being issued.
Generally, the sponsor, manager or registrar engaged by the issuer, or the authorised financial intermediaries participating in the issuer or offer, would be considered to be data processors. As a result, parties should ensure that any processing of personal data is adequately catered for from a contractual point of view, such as considering whether a data processing agreement ought to be implemented.
Parties would do well to consider the implications of the GDPR on the transaction in question as a means of reducing exposure to risk in the face of potentially significant fines for breaches of the GDPR.
These and other developments shaping the capital markets will be discussed at Camilleri Preziosi’s Capital Markets Conference at the Corinthia Palace Hotel, Attard, on Friday from 2 to 6pm. For details e-mail capitalmarkets@camilleripreziosi.com, call 2123 8989 or visit the website below.