Does GDPR Apply to Your CSP?
The first question many CSPs operating in offshore jurisdictions ask is whether GDPR applies to them at all. The answer, in most cases, is yes — and often more broadly than the firm realises. The GDPR's territorial scope is determined not by where the CSP is established but by where the data subjects are located and whether the CSP is processing data in the context of offering services to EU residents or monitoring EU residents' behaviour.
For a typical CSP operating in Jersey, Cayman, or the BVI: if you have clients, directors, or beneficial owners who are EU residents — which is nearly universal for any meaningful CSP portfolio — you are processing their personal data and the GDPR applies to that processing. The relevant EU Member State's data protection authority has jurisdiction over your handling of those individuals' data, regardless of where your servers are located or where your company is registered.
CSPs incorporated in the Channel Islands have an additional layer: both Jersey and Guernsey have data protection laws modelled on and essentially equivalent to the GDPR. Even if the EU GDPR did not apply, Jersey's Data Protection (Jersey) Law 2018 and Guernsey's Data Protection (Bailiwick of Guernsey) Law 2017 impose equivalent obligations.
Categories of Personal Data CSPs Typically Process
Understanding the scope of your data processing starts with mapping what you actually hold. A typical CSP processes the following categories of personal data:
- Identity data: Full legal names, dates of birth, nationalities, passport or national ID details of directors, officers, and beneficial owners.
- Contact and address data: Residential addresses, email addresses, telephone numbers — often for multiple individuals per entity.
- Financial data: Source of wealth documentation, bank account details used for fee payments, financial statements used in KYC review.
- Special category data: Some KYC processes include politically exposed person (PEP) status — which may touch on political opinions — and adverse media screening results that could reveal information about criminal allegations. These are special categories under the GDPR and require additional justification.
- Professional data: Employment history, directorships, professional qualifications — often collected as part of director appointment due diligence.
Lawful Basis for Processing
For each category of data you process, you need a documented lawful basis under Article 6 of the GDPR (or Article 9 for special categories). The most commonly applicable bases for CSPs are:
Legal Obligation (Article 6(1)(c))
Much of what CSPs collect — KYC information, UBO details, source of funds evidence — is collected to comply with AML legal obligations imposed by the CSP's home jurisdiction. This is a legitimate and robust lawful basis, but it only applies to the minimum data required for compliance. Collecting additional data beyond what AML law requires cannot rely on this basis.
Legitimate Interests (Article 6(1)(f))
For data processing that goes beyond AML compliance — such as marketing communications, business development data, or retaining documents beyond the AML retention period — legitimate interests may be available, but it requires a documented legitimate interests assessment (LIA) demonstrating that the CSP's interests are not overridden by the data subjects' rights.
Contract (Article 6(1)(b))
For data processing necessary to perform the service agreement with the client — including the processing of director and officer details required to administer the entity — the contractual necessity basis is appropriate.
"The most common GDPR gap we see in CSP audits is the absence of documented lawful basis assessments. Firms process data with good intentions but without the formal analysis that regulators expect to see."
Data Subject Rights: What CSPs Must Be Prepared For
Data subjects — which include your clients' directors, beneficial owners, and any individual whose personal data you hold — have a suite of rights under the GDPR that your firm must be operationally prepared to honour when they are exercised. The most relevant for CSPs are:
- Right of access (Article 15): A data subject can request a copy of all personal data you hold about them. You have one month to respond. Given that CSPs hold data about hundreds or thousands of individuals, having a system to search and compile this quickly is essential.
- Right to erasure (Article 17): Also known as the "right to be forgotten." This is subject to important exceptions — particularly where retention is required by legal obligation (such as AML record-keeping requirements). CSPs must understand where retention obligations override erasure requests and document their reasoning.
- Right to rectification (Article 16): Data subjects can require you to correct inaccurate data. This is operationally straightforward but requires a process to update records across all systems where the data is held.
- Right to object (Article 21): Data subjects can object to processing based on legitimate interests. If you rely on legitimate interests for any processing, you need a process to handle objections and assess whether they override your interests.
AML regulations in most CSP jurisdictions require retention of KYC and transaction records for five years after the relationship ends. GDPR's erasure right does not override this legal obligation. When a client closes their entity and requests erasure of personal data, your response should explain the AML retention obligation clearly and retain only what is required for that purpose, purging non-essential data upon request.
Cross-Border Data Transfers
CSPs routinely transfer personal data across borders: sending client information to correspondent offices, sharing documents with foreign registries, using cloud platforms hosted outside the EU/EEA. Under the GDPR, transfers to countries without an adequacy decision (a determination by the European Commission that the destination country offers equivalent data protection) require additional safeguards.
For transfers to CSP service providers (including technology platforms, screening providers, and cloud storage), the standard mechanism is Standard Contractual Clauses (SCCs) — template contracts approved by the European Commission that impose GDPR-equivalent obligations on the data recipient. Every CSP should audit its technology vendor relationships to ensure SCCs or equivalent transfer mechanisms are in place for any transfer of EU personal data to a non-adequate country.
The Privacy Notice: Getting This Right
Your privacy notice — the document that tells data subjects what you do with their data — needs to be specific, plain-language, and complete. A generic privacy notice copied from a precedent is not compliant. Your notice must identify the specific categories of data you collect, your lawful basis for each category, retention periods, the identities of any third parties you share data with, and data subjects' rights. For CSPs, the privacy notice is typically provided at client onboarding and referenced in engagement letters.
Record of Processing Activities (ROPA)
Article 30 of the GDPR requires organisations with more than 250 employees — or any organisation that processes data regularly or processes special category data — to maintain a written record of processing activities. Most CSPs fall into the second category due to regular processing of personal data. The ROPA must document: categories of data subjects and personal data, purposes of processing, lawful basis, retention periods, and details of any data transfers. This document is the first thing a data protection authority will request in an investigation.
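The two operational points above (a ROPA that records lawful basis and retention per data category, and an erasure request that must be split into what AML retention keeps and what is purged) can be modelled as one small decision procedure. The following is an added example written for this article, not code from any CSP, regulator or software product. The category names, the sample ROPA, the sample records, the subject identifiers and the Article 9 condition text are constructed assumptions; the five-year retention period after the relationship ends is the figure the article gives.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption taken from the article: AML rules keep KYC records five years after the relationship ends.
AML_RETENTION_YEARS = 5


@dataclass(frozen=True)
class ProcessingActivity:
    """One line of the record of processing activities (ROPA)."""
    category: str                    # identity, contact, financial, special_category, marketing ...
    purpose: str
    article6_basis: str              # legal_obligation, contract or legitimate_interests
    article9_condition: Optional[str] = None      # needed only for special category data
    lia_documented: bool = False                  # legitimate interests assessment on file
    retain_years_after_end: Optional[int] = None  # None: no statutory retention, purge on request


@dataclass(frozen=True)
class Record:
    """A unit of personal data held about one individual, tagged with its ROPA category."""
    subject_id: str
    category: str
    relationship_ended: Optional[date]  # None while the engagement is still live


def ropa_gaps(ropa):
    """Flag the documentation gaps an auditor would look for first."""
    gaps = []
    for a in ropa:
        if not a.article6_basis:
            gaps.append(f"{a.category}: no Article 6 lawful basis recorded")
        if a.category == "special_category" and not a.article9_condition:
            gaps.append(f"{a.category}: special category data without an Article 9 condition")
        if a.article6_basis == "legitimate_interests" and not a.lia_documented:
            gaps.append(f"{a.category}: legitimate interests relied on without a documented LIA")
        if a.article6_basis == "legal_obligation" and a.retain_years_after_end is None:
            gaps.append(f"{a.category}: legal obligation basis with no retention period recorded")
    return gaps


def _add_years(d, years):
    """Anniversary of d, clamped to 28 February when d is 29 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def handle_erasure_request(subject_id, records, ropa, today):
    """Split one subject's records into those retained under a statutory duty and those purged.

    Returns (retained, purged, reasons); reasons maps each retained category to the
    explanation that belongs in the response to the data subject.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rules = {a.category: a for a in ropa}
    retained, purged, reasons = [], [], {}
    for r in records:
        if r.subject_id != subject_id:
            continue
        rule = rules.get(r.category)
        years = rule.retain_years_after_end if rule else None
        if years is None:                       # nothing overrides the erasure right
            purged.append(r)
        elif r.relationship_ended is None:      # the retention clock has not started yet
            retained.append(r)
            reasons[r.category] = "relationship still active; retention period has not started"
        elif today < _add_years(r.relationship_ended, years):
            retained.append(r)
            expiry = _add_years(r.relationship_ended, years)
            reasons[r.category] = f"{rule.article6_basis} ({rule.purpose}) until {expiry.isoformat()}"
        else:                                   # retention period has run out
            purged.append(r)
    return retained, purged, reasons


# Constructed sample ROPA and records; the Article 9 condition text is a placeholder.
SAMPLE_ROPA = [
    ProcessingActivity("identity", "AML/KYC verification", "legal_obligation",
                       retain_years_after_end=AML_RETENTION_YEARS),
    ProcessingActivity("financial", "source of wealth review", "legal_obligation",
                       retain_years_after_end=AML_RETENTION_YEARS),
    ProcessingActivity("special_category", "PEP and adverse media screening", "legal_obligation",
                       article9_condition="<documented Article 9 condition>",
                       retain_years_after_end=AML_RETENTION_YEARS),
    ProcessingActivity("contact", "administering the entity", "contract"),
    ProcessingActivity("marketing", "newsletters and event invitations", "legitimate_interests"),
]
SAMPLE_RECORDS = [
    Record("director-001", "identity", date(2021, 3, 31)),
    Record("director-001", "financial", date(2021, 3, 31)),
    Record("director-001", "contact", date(2021, 3, 31)),
    Record("director-001", "marketing", date(2021, 3, 31)),
    Record("ubo-002", "identity", None),
]

if __name__ == "__main__":
    for gap in ropa_gaps(SAMPLE_ROPA):
        print("ROPA gap:", gap)
    kept, gone, why = handle_erasure_request("director-001", SAMPLE_RECORDS, SAMPLE_ROPA, "2024-01-15")
    print("retain:", [r.category for r in kept], why)
    print("purge:", [r.category for r in gone])
```

Run against the sample data, `ropa_gaps` reports only the marketing activity (legitimate interests with no LIA on file), and an erasure request from `director-001` in January 2024 keeps the identity and financial records until 31 March 2026 while purging contact and marketing data immediately; the same request after that date purges everything. The `reasons` dictionary is what the response letter should quote, so the retention justification is written down at the moment the decision is made.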