The GDPR raises a number of issues for trustees and personal representatives but STEP has begun to provide much needed clarity in this area by publishing new guidance on the subject:
The guidance was prepared by STEP’s Data Protection Working Group, chaired by our own Edward Hayes, and the key points are:
Practical points
- The GDPR applies on a trust-by-trust and estate-by-estate basis
- Generally, trustees and personal representatives will be data controllers unless the purely personal or household activity exemption applies to them (explained below)
- All of the trustees or personal representatives (as appropriate) of a given trust or estate are treated as a single data controller (rather than each being a separate data controller)
- References to the “number of staff” that a data controller has should be read as references to the number of trustees or personal representatives whilst references to a data controller’s “turnover” should be read as references to the relevant trust’s or estate’s gross annual income and gains
The circumstances in which trustees or personal representatives will be exempt from the GDPR
- A trustee or personal representative is likely to be within the scope of the “purely personal or household activity” exemption set out in Article 2(2)(c) of the GDPR if:
- they are acting in their personal capacity (rather than as a professional); and
- they are unpaid (expenses would be allowed).
- If there are multiple trustees or personal representatives and some benefit from the exemption whilst the others do not, the non-exempt trustees/personal representatives are caught by the GDPR whilst the exempt trustees/personal representatives are not.
- Entities (such as trust companies) can never benefit from the exemption.
Processing special category data
- Trustees and personal representatives can process special category data to the extent that doing so is necessary for them to perform their fiduciary duties (relying on Article 9(2)(f) of the GDPR).
Disclosure obligations in relation to beneficiaries
- Trustees and personal representatives will be obliged to provide privacy notices to any beneficiaries who provide personal data about themselves (Article 13, GDPR).
- However, trustees and personal representatives will not be obliged to provide privacy notices to beneficiaries if the personal data is obtained from another source (such as from the settlor or testator) (Article 14, GDPR).
- When responding to data access requests (also known as “subject access requests”), trustees and personal representatives are not obliged to provide copies of any documents or information which they would be entitled to withhold under established trust law or estate law principles (Article 15, GDPR).
The future
STEP’s Data Protection Working Group is aware of a number of other ambiguities and uncertainties in relation to the application of the GDPR in a private client context and is continuing to analyse the position. It expects to publish expanded guidance in due course.
Disclaimer
This article gives general information only and is not intended to be an exhaustive statement of the law. Although we have taken care over the information, you should not rely on it as legal advice. We do not accept any liability to anyone who does rely on its content. © Burges Salmon 2020
Written by Edward Hayes