CSSF position on transfer of investors' data

On 30 October 2020, the CSSF updated the FAQs listed below to clarify the applicable requirements in the event of transfer of data by central administrations (or investment funds or investment fund managers (“IFMs”) acting as central administration) or depositary banks to a service provider (i.e. in the context of an outsourcing relationship). These requirements are independent from additional requirements stemming from the General Data Protection Regulation (EU) 2016/679.

In accordance with Article 41 (2a) of the Law of 5 April 1993 on the Financial Sector, any such transfer is possible if the central administration or the depositary bank has obtained the consent of its client (i.e. the investment fund) on (i) the outsourcing of the relevant outsourced services, (ii) the type of information transmitted in the context of the outsourcing and (iii) the country of establishment of the entities that provide the outsourced services.

The CSSF has requested over the past years that when such transfers relate also to investors' data, investors also consent to the transfer of data.

The updated FAQs reflect a more flexible position in that investors need now only to be informed in the event of transfer of their information.

  • Any transfer of information related to investors should be disclosed to investors prior to the transfer, by the investment funds (or their IFM in case of common funds), through appropriate means, namely the prospectus and the application form combined, if appropriate, with a reference to a website.
  • Existing investors should be informed by the investment funds (or their IFM if common funds) about any update of the fund documents aiming at the aforesaid disclosure, prior to the transfer of their information, by means of a letter, email or any other means of communication provided for by the prospectus.

The CSSF's position has therefore changed, as regards investors' data, from a consent regime to a disclosure regime.