A global investment bank had not revisited its current agreements in a long time with a view to identifying transfers of personal data for processing. These may have involved transfers from an EU entity to a counterparty or even another entity within the same banking group inside or outside the EEA. Such transfers potentially raised data protection-related issues given the new regulatory regime brought by the application of GDPR.
WHAT WE DID
We helped the bank identify agreements that involved the transfer of personal data by conducting interviews and reviewing agreements across all business areas in multiple locations, focusing mainly in business relationship within the EEA and the US. In addition, our exercise identified specific data flows and assessed the purpose and use of the personal data by the counterparties/other entities to determine the scope of application of GDPR in these activities.
In this context, we also helped the global investment bank respond to contractual requests submitted by counterparties in GDPR-specific letters that committed the bank to specific representations or included by counterparties as data protection clauses in currently negotiated agreements across all business areas.