There have been pan-European data protection laws for almost 20 years, but GDPR has a number of features that are likely to have a greater affect upon trusts, including its territorial scope and expanded rights to information.
Extra-territorial effect
GDPR’s extra-territorial effect means that large numbers of trusts, foundations and underlying company structures, wherever they are based in the world, may be impacted.
Some jurisdictions have legislated to create special exemptions from some aspects of the GDPR to seek to protect their rules relating to trust information disclosure, but trustees should nevertheless consider how they hold and generate data, which may be more widely circulated in future as the trust fund and beneficial class evolves.
Most at risk are those with EU resident settlors, beneficiaries or assets within the EU and those providing services to anyone in the EU.
But, again, given the international mobility of individuals, trustees would be wise to also review specific trusts where there is a particular emphasis on confidentiality or litigation risk, in addition to their general operating procedures.
Subject Access Request
The GDPR puts an obligation on data controllers to abide by detailed rules on how they process individuals' personal data.
Of particular note is that GDPR also provides rights to any individual to request personal data that a data controller holds about them, known as a Subject Access Request (SAR), together with additional information such as to whom the personal data might be disclosed; how long it will be held for; its source; and the right to request its correction or erasure.
The SAR requestor can be anyone, and is not restricted to trust beneficiaries, or potential beneficiaries.
If data identifying that individual (not only by name but by any identifiable reference) is held, it is potentially within scope of disclosure under GDPR, including:
- Minutes of trustee meetings where the trustee has considered anything regarding the individual;
- Documents provided to banks and other entities which list the individual as a beneficiary or ultimate beneficial owner;
- Copies of correspondence, internal notes, or records of calls with settlors/beneficiaries/the family office, where the individual has been discussed;
- Copies of trust deeds/private trust company articles/foundation regulations or related documents that identify the individual in the class of beneficiaries, excluded persons, or as capable of being able to exercise powers in respect of the trust (either now or in the future);
- Family governance charters; and
- Family investment company documents.
This is a major potential issue for trusts as it gives individuals rights that go far beyond the normal trust law rules on beneficiaries' (and others') rights to information.
There are exclusions to SAR disclosure, such as information protected by legal professional privilege, protected for the purpose of crime prevention, protected during the course of negotiations and to protect the rights of others.
However, there is nothing to prevent Subject Access Requests for the sole purpose of gathering material to commence litigation, and so they are becoming widely used by trust litigators to gain information, disclosure of which may otherwise be prevented under trust law.
Unfortunately, trustees cannot rely on the argument that they are protecting the rights of the settlor, or particular beneficiary(ies) in order to issue a blanket refusal of disclosure pursuant to a SAR.
For example, where data can be redacted to sufficiently protect the rights of other(s), disclosure will be required on that basis under the SAR.
