General Data Protection Regulation (GDPR)

1187 Text/ Section/ No. 146 dated 31-12/2018

Central Bank Circular No. 146 Addressed also to financial institutions and all other institutions subject to the supervision of the Central Bank of Lebanon

We enclose a copy of Basic Decision No. 12872 dated 13/9/2018 concerning the procedures for dealing with the "General Data Protection Regulation" (GDPR) issued by the European Parliament and the Council of the European Union on 27/4/2016.

Beirut, 13 September 2018 Governor of the Central Bank of Lebanon Riad T. Salamé

1188

Basic Decision No. 12872 Procedures for Dealing with the "General Data Protection Regulation" (GDPR)

The Governor of the Central Bank of Lebanon, pursuant to Articles 174, 182, and 184 of the Monetary and Loan Law, and based on Basic Decision No. 10965 dated 5/4/2012 concerning the relationship between banks and financial institutions with correspondents, and based on Basic Decision No. 11323 dated 12/1/2013 concerning the establishment of the Compliance Department, and based on Basic Decision No. 11947 dated 12/2/2015 and its amendments concerning the procedures for conducting banking and financial operations with clients, and since the "General Data Protection Regulation" (GDPR) issued by the European Parliament and the Council of the European Union on 27/4/2016 has become effective on 25/05/2018, comprising a set of rules established by the European Union to protect the privacy of personal data belonging to natural persons residing within the EU, and based on Article 3 of the aforementioned "General Data Protection Regulation" which defines its scope of application for institutions within and outside the EU, and since it is in the interest of banks, financial institutions, and all other institutions subject to the supervision of the Central Bank of Lebanon, each in its respective capacity, to take necessary measures against any financial risks they may face in case of non-compliance with the provisions of said law, and based on the decision of the Central Council of the Central Bank of Lebanon taken in its meeting held on 5/9/2018,

Decides as follows:

Article 1: While maintaining the provisions of mandatory laws and regulations in force in Lebanon, banks and financial institutions operating in Lebanon and all other institutions subject to the supervision of the Central Bank of Lebanon, each in its respective capacity: -1. Take appropriate measures in accordance with the provisions of the "General Data Protection Regulation" (GDPR) issued by the European Parliament and the Council of the European Union on 27/4/2016. -2. Notify the Compliance Unit at the Central Bank of Lebanon and the Banking Supervision Committee, within a maximum deadline of 31/12/2018, of the measures and steps they may take in accordance with the content of the aforementioned law, particularly regarding:

• Appointment of a Data Protection Officer (DPO) from within the Compliance Unit and representing at the European Union. (Representative to the Union)
• Amendment of the Compliance Program (Compliance Program) stipulated in paragraph 5 of Article 10 of Basic Decision No. 11323 dated 12/1/2013 concerning the establishment of the Compliance Department, in line with the measures to be taken regarding this matter.

Article 2: Supervisory commissioners shall verify the compliance of banks, financial institutions, and all other aforementioned institutions with the provisions of this decision, and include in their annual reports detailed information regarding the verification of implemented measures, audit results, and their observations on this matter.

Article 3: This decision shall take effect upon its issuance.

Article 4: This decision shall be published in the Official Gazette.

Beirut, 13 September 2018 Governor of the Central Bank of Lebanon Riad T. Salamé