The General Data Protection Regulation (GDPR) will replace and supersede EU member-state privacy rules. GDPR has a compliance date of May 25, 2018 for organizations to bring their policies and procedures into conformity. GDPR fines can be up to EURO 20mm or 4% of revenue, whichever is higher.
FRM has worked with its EU-based and US-based privacy counsel to examine our business practices and processes to confirm conformity with EU/EEA data and privacy laws. As a result, FRM is a participant in certain legal frameworks that have been determined to meet the stringent GDPR requirements governing the transfer of information on EU-based Data Subjects outside of the EU. Accordingly, Users should be aware that the EU Commission has deemed the “EU-US Privacy Shield Framework” to be an adequate mechanism under EU law to enable data transfer to the United States. On January 12, 2017, the Swiss Government announced the approval of the “Swiss-EU Privacy Shield Framework” as a valid mechanism to meet Swiss data protection requirements when transferring data from Switzerland to the United States.
FRM is a participant in the Privacy Shield programs, and has certified participation with the US Department of Commerce, verifiable here: https://www.privacyshield.gov/participant?id=a2zt00000004TmVAAU&status=Active.
FRM’s EU-US Privacy Shield Policy has been reviewed by the Department of Commerce. FRM is required to make the Policy publicly available. The Privacy Shield Policy is found here: https://www.frm-inc.com/privacy-shield/. In short, the Policy is an attestation that FRM will process data in conformity with EU/EEA data processing requirements and provides model contract clauses for onward transfer of data to countries which are not recognized as having adequate data and privacy protection laws, such as the United States.
Accordingly, FRM has also made some changes with respect to our standard Terms of Service, publicly posted here: https://www.frm-inc.com/frmclientportaltermsofservice/. Sections 1(h); 1(l); 1(q); 1(s); and Section 4 are changed as a result of GDPR implementation.
A summary of the requirements for FRM Subscribers includes:
• FRM is relying on our Subscribers to obtain a GDPR-compliant Notice and Consent from the Data Subject, and the Subscriber will make use of the information in conformity with GDPR rules.
• As a part of the Notice and Consent, or under separate notice, the Subscriber must point the Data Subject to FRM’s Privacy Shield Policy.
• In the event a Subscriber is not obtaining the required Notice and Consent, an affirmative burden is placed on the Subscriber to provide the legal exception to processing the personal data of the Data Subject.
There are a number of exceptional circumstances where a Subscriber can assert it has a legitimate interest to process personal information of a Data Subject in the EU/EEA without the legally required Consent. Unfortunately, exceptional bases are not uniform throughout the EU/EEA. For example, using Anti-Money Laundering laws as the basis for an exception would be entirely appropriate for some Subscribers in the UK or Germany, but not for Subscribers in other EU/EEA countries.
Since FRM is not in a position to exactly state what our Clients’ use of the data is, we are not in a position to craft for the Subscriber the exact Notice required by GDPR.
As a practical measure for Subscribers that are struggling with GDPR, FRM has drafted a Notice and Consent form that should work for most Subscribers’ needs, but the Subscriber must evaluate the form against the Subscriber’s own policies and use of data. FRM is not a law firm, and therefore is not in a position to provide legal advice to a Subscriber as to whether the release form reflects the actual practices of any organization relying on the form.
FRM does not redistribute the report created for the Subscriber, and FRM does not re-use the data of EU/EEA-based Data Subjects for a purpose for which the data was not originally obtained. FRM relies on the general instruction of the Subscriber to allow FRM to use sub-processors and to undertake steps to make sure that sufficient protections exist with respect to technical and organizational measures pertaining to data protection.
FRM has endeavored to develop a business process that is practical, prudent, and balanced, and that is also strictly compliant with GDPR. FRM is not in a position to advise Subscribers regarding whether a specific Subscriber’s notice may be sufficient because of the myriad uses, laws, rules, and regulations which may form the basis for processing the information; however, FRM may reject forms which in FRM’s opinion do not meet GDPR processing requirements.