VP reaches out concerning GDPR
VP INVESTOR SERVICES will proactively reach out to all of its customers, to ensure compliance with the new EU General Data Protection Regulation (GDPR). The aim will be to revise the data agreement with each customer, so as to make sure that personal data is handled in line with EU guidelines.
Personal data is an integral element of investor relations, and this data should be protected like any other personal data. Companies are currently focused on making their entire operations ready for 25 May 2018, when the new EU regulation will automatically take effect. VP INVESTOR SERVICES runs several services which involve the personal data of well over 200 issuers and their investors, and VP will reach out to its issuers to ensure compliance with GDPR.
VP is proactive
“Running a register of owners for a customer makes us a data processor, while the company itself is still the party responsible for the data, as the data controller. Nevertheless, we will be proactive by proposing a new agreement for this cooperation, to ensure our customers’ compliance with GDPR,” says Flemming Merring, Head of Issuer Services at VP INVESTOR SERVICES.
VP handles personal data for a company when it runs the shareholder register, provides insider management via vp.INSIDER, or handles voting, invitations to attend and other processes for a company’s AGM. GDPR includes, for example, the “right to be forgotten”, and this will be a key topic in the new agreements between VP and its customers in Investor Services.
“Legal counsel, communication managers and management staff of most companies are probably working hard to ensure compliance with GDPR in terms of HR and customer relations. We wish to assure our customers that, on the investor side, we will reach out to them in time with a proposal for a GDPR-compliant data handling agreement,” says Flemming Merring.
VP plans for this dialogue to take place during the spring of 2018, and the end result should be individualised agreements giving VP, as the data-handling agent, a GDPR-compliant instruction for the personal data concerning the company’s investors.
“This is not a simple and straightforward process because some elements of the personal data protection under GDPR are not completely aligned with other legislation. One example is the two-year limit, under the Danish Companies Act, to contest a resolution adopted by an AGM. But how can we do that if we have erased data concerning investors by that time?” asks Flemming Merring.
A company’s legitimate need for historical learning and business intelligence concerning investors may also be in conflict with GDPR. Pseudonymisation is referred to in GDPR as a process that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information. This may be a way to meet the need for statistics and analytics while also protecting individual investors’ personal data.