Worldwide: GDPR: Practical Considerations For Investment Advisers And Their Private Funds

Last Updated: July 31 2018
Article by Iliana Kirova and Lei Shen

What is the GDPR?

Even if an investment adviser or its private funds have no presence in the European Union (EU), it may still need to be concerned about EU data protection laws, in particular the new European General Data Protection Regulation (EU) 2016/679 (the "GDPR").  The GDPR came into force on May 25, 2018, and replaced the prior data protection law, the EU Directive 95/46/EC.  The GDPR introduces significant changes from the prior EU Directive, including new jurisdictional scope that makes the GDPR apply not only to businesses established in the EU but also to any non-EU businesses that offer goods or services to individuals within the EU or that monitor individuals in the EU.  This means that investment advisers and funds with investors in the EU may potentially be subject to the GDPR, which is significant because of the other changes brought about by the GDPR, including a maximum fine for non-compliance of the higher of 4 percent of an enterprise's worldwide turnover or €20 million per infringement, a 72-hour data breach notification requirement and new data subject rights (including the "right to be forgotten"). (For more information about these changes, please see our website page on the GDPR.)

Does the GDPR apply to you?

Due to its extraterritorial scope, the GDPR can affect non-EU-based investment advisers and their private funds in a number of ways.  If such adviser or fund has an establishment in the EU (e.g., has subsidiaries in the EU or other offices or employees in the EU), then that establishment, and the personal data that it collects, is subject to the GDPR.  As a result, any personal data that such establishment transfers to the non-EU-based entity will be subject to the GDPR, and the non-EU-based entity will need to treat such personal data in accordance with the GDPR.

Even if a non-EU-based investment adviser or private fund has no establishment in the EU, it can still be subject to the GDPR if it offers goods or services to individuals in the EU or monitors the behavior of individuals in the EU.  An investment adviser or fund may be considered to be offering goods or services to individuals in the EU if its offering of fund interests or investment advisory services somehow targets EU investors or clients.  There are a number of factors that are taken into consideration to determine if a company is targeting the EU.  Among the factors most relevant for an investment adviser or fund are whether its marketing materials are intended for EU-located investors or clients (e.g., with specific materials or offering legends geared towards Dutch investors, German investors, investors generally located in the European Economic Area (EEA), etc.) and if it conducts a road show in Europe specifically to attract EU-located investors or clients.  More nuanced factors can also play a part, though, including whether the adviser or fund provides information to investors or clients in languages used in EU jurisdictions (e.g., French, German, etc.), uses websites that have domain names that are registered in EU jurisdictions (e.g., "") and enables investors to see the performance of their investments denominated in European currencies.

A non-EU-based investment adviser or private fund can also be subject to the GDPR if it monitors the behavior of individuals in the EU.  This scenario is less likely to apply, but it still might trigger the GDPR's application in the context of the private investment fund industry.  For example, an investment adviser or fund may be considered to be monitoring EU individuals if it invests in consumer debt and sets up a profile to predict an underlying individual borrower's behavior, uses tracking technologies on its website or uses personal data in connection with its algorithmic trading strategies.

It is also possible for a non-EU-based investment adviser or private fund to fall within a gray area with respect to the applicability of the GDPR.  Generally, under the GDPR, a non-EU-based investment adviser or fund will only be considered to be offering goods or services to the EU if it offers goods or services to investors that are individuals in the EU.  However, what is considered to be an "individual" for GDPR purposes may be broader than simply a natural person.  For example, some investors that are partnerships and some entities that represent individual interests may also fall within scope here.  Another example of a gray area of applicability is if a non-EU-based investment adviser or fund targets only non-EU-based investors but receives indications of interest from individual investors that it knows are located in the EU and sends them marketing or subscription materials to actively induce them to purchase fund interests or advisory services.  In that case, too, it is possible that the adviser or fund may be seen as offering goods or services to individuals in the EU.  If an investment adviser or fund falls within a gray area as to the applicability of the GDPR, it is safer for the adviser or fund to err on assuming that it is subject to the GDPR with respect to the collected EU personal data, rather than being at risk of incurring the GDPR's large fines.  However, if the entity does not fit the prongs identified above, then simply having EU personal data in its possession does not subject the entity to the GDPR.

How does an investment adviser or private fund obtain EU personal data?

If an investment adviser or fund determines that it is subject to the GDPR based on the above, then it will need to treat all EU personal data that it processes in accordance with the GDPR. It is worth noting that even if an investment adviser or fund deals only with corporate entities, it may still collect personal data from the EU.  The GDPR defines personal data much more broadly than US laws do.  Rather than limiting personal data to sensitive personal data, such as social security numbers, the GDPR defines personal data as "any information relating to an indentified or identifiable natural person" and defines an identifiable natural person as "one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person."  This means that even business contact information and other non-sensitive personal data, such as individuals' names, mailing addresses and background information, are considered to be personal data under the GDPR.

As a result, EU personal data may be collected in connection with the establishment and day-to-day operation of private investment funds and accounts (for example, if the investment adviser or fund sends a subscription booklet or other questionnaire to potential investors or clients in the EU to complete or if it otherwise communicates with actual or potential investors or clients located in the EU).  That is the case even where the adviser or fund only deals with institutional investors or clients because such entities may provide personal data regarding their officers, directors, employees or beneficial owners.  In fact, such personal data will likely be provided for anti-money-laundering, "know-your-customer" and/or investor communication purposes.

In addition, an investment adviser or fund may be collecting EU personal data in connection with its due diligence, acquisition or monitoring of portfolio investments.  For example, a buy-out fund may collect personal data regarding its portfolio companies' officers, directors or employees, and a debt fund may collect personal data regarding its investments' underlying borrowers.

Finally, if an investment adviser or fund has an establishment in the EU, it may also be collecting personal data from its EU-based employees.

What do you need to do to comply with the GDPR?

If you are subject to the GDPR, consider taking steps such as these to comply with the GDPR:

  • Map the flows of personal data.  It is crucial to conduct a detailed investigation into the flows of personal data, particularly from the EU.  For that purpose, you should review all relevant processes and systems that deal with the collection, processing and use of EU personal data.  The outcome of this exercise should ideally be a comprehensive overview of all processing activities that you perform or that you have third parties perform on your behalf.
  • Draft and maintain records of processing activities.  Based on the information in the data flow map, you should draft detailed records of processing activities that specify, among other things, a description of the processing activity, the categories of data subjects and personal data concerned, the purposes of the processing activity and the parties with whom the personal data is being shared.  These records must be kept in writing, and electronic form is sufficient.  It is equally important to establish a process for ensuring that these records are kept up to date, as processes change over time.
  • Review the grounds under which personal data is being processed.  You should determine the legal basis under which EU personal data is being lawfully collected, processed and used and whether any changes need to be made to ensure compliance with the GDPR.
  • Update data governance.  Your policies, procedures and other governance controls should be updated to detail how you will practically comply with the new requirements under the GDPR.  For example, you will want to update your website privacy notice to comply with the GDPR's transparency requirements, as well as your fund offering and subscription documentation to include the GDPR's required disclosures.
  • Implement new compliance systems.  You will need to put in place plans and mechanisms to ensure that you can respond to a data breach within the GDPR's notification timeframes.  You will also want to make sure that your systems meet the GDPR's security requirements and are capable of responding to and fulfilling data subject access requests, including the rights to be forgotten, to data portability and to object to automated data profiling and other rights that individuals can exercise in relation to their personal data.
  • Appoint a data protection officer.  You will need to decide whether you are required under the GDPR or supplementary local legislation to appoint a data protection officer.  The data protection officer will be responsible for monitoring compliance with the GDPR.  This person should act as the head of the data protection governance structure, report directly to leadership and be tasked with putting controls in place to implement and monitor compliance and educating the wider workforce on the GDPR rules and their operational impact.
  • Address the risks.  You should conduct data protection impact assessments to identify and minimize the risks associated with your processing of EU personal data, particularly where there are high risks to the rights and freedoms of the individuals concerned by the activities that are being carried out.
  • Review supply chain contracts.  The contracts with your service providers and other parties with which you share EU personal data should be reviewed and, where necessary, renegotiated to ensure that you are appropriately supervising the manner in which they process personal data and that those contracts meet the new GDPR contractual requirements for processors.
  • Assess international data transfers.  You should assess the manner in which you currently carry out any international transfers of EU personal data, in particular to third countries outside the EU/EEA, and whether any mechanisms for carrying out these transfers within your organization or to third parties need to be updated to comply with the GDPR requirements.

Visit us at

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2018. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
In association with
Practice Guides
by Mondaq Advice Centers
Relevancy Powered by MondaqAI
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions