New Data Protection & Privacy Regulations in the EU. March 7, 2018

Transcription

1 New Data Protection & Privacy Regulations in the EU March 7, 2018

2 Moderator Gergana Antonova Bulgaria

3

4 If you need another copy of the PowerPoint slides: Open a new window Go to the ELA homepage Click the webinar title

5 Audio Webinar Documents Questions and Tech Support

6 Speakers: Jan Lelley Buse Heberer Fromm Milada Kurtosiova Kocián Šolc Balaštík Danny Vesters Boontje Advocaten Arbeidsrecht Stanislav Rumyantsev Castrén & Snellman

7 Jan Lelley Germany

8 Europe s New Data Protection & Privacy Regulation Important facts for all EU countries: GDPR sets uniform data privacy legal framework for all 28 (27) members. GDPR sets nine guiding principles as comprehensive data protection standard. Rigid enforcement regime with fines up to 20 Mio. or 4 % of worldwide turnover of a business. GDPR will be enforceable on May 25, 2017 no transition period!

9 GDPR in Germany Not that New Consistent Principles GDPR à BDSG-new (BDSG: German Federal Data Protection Act) Comprehensive burden of proof Documentation obligations Extensive notification obligations BDSG à BDSG-new Sec. 32 I 2 BDSG à sec. 26 I 2 BDSG-new Sec. 32 III BDSG à sec. 26 VI BDSG-new etc.

10 GDPR in Germany Video surveillance BDSG-new High risks in case of misconduct Compliance control Works council and works agreements

11 GDPR in Germany What information do Works Councils get? Sec. 32 BDSG BDSG-old BDSG à BDSG-new GDPR & BDSG-new Works council s information and inspection rights not restricted by BDSG. Employees data protection rights have to be considered. Example: Works council could claim information on pregnant employees or on employees salary by name

12 GDPR in Germany What information do Works Councils get? Sec. 32 BDSG Article 26 BDSG-new Necessary according to Works Constitution Act (BetrVG): Information required to fulfill works council s legal duty (very broad)? Necessary according to GDPR s data protection principles: Balance works council s right to information against employee s and employer s fundamental privacy rights Still reference to work council s legal duties

13 GDPR in Germany What to do with Shop Agreements Transparency Purpose Proportionality Special Data Categories Article 5 GDPR Extent of collection and storage clearly identifiable and easily accessible Article 5 GDPR Purpose must be specified Suitable and special measures Safeguarding of human dignity, legitimate interests and fundamental rights Processing only exceptionally permitted, otherwise strictly prohibited

14 GDPR in Germany Data Protection Officer Article 37 GDPR Sec. 38 BDSG-new à Stricter rules 10 persons employed with data processing Data protection impact assessment Commercial or anonymous transfer or for the purposes of market or opinion research

15 GDPR in Germany What to do to be compliant Liability Points to review Compensation for suffered personal damage High risks in case of non-compliance (fines!) Training of staff Appointment of data protection officer Data mapping Streams of personal data Preparation of privacy notifications and consent forms

16 Milada Kurtosiova Czech Republic

17 Regulation (CZ) Sources of regulation to keep in mind: Data Protection Regulations General Data Protection Regulation (GDPR) Act on Personal Data Protection (CZ) Employment Regulation Labour Code, Labour Inspection Act Special Fields Regulation

18 Main Principles Key elements to consider: Title (grounds) and Purpose for Processing Personal Data Consent (really necessary or not)? Types of Employees Personal Data Processed Health, biometrics, camera monitoring Special Attention: data sharing / transfer of personal data to abroad (especialy outside EU)

19 Current Stage - Business State Authorities: Data Protection Office guidelines Business: GDPR analyses and implementing measures Client and Public Awareness: KSB Institute, legal advice, media

20 Notification v. Records Notification (current law) v. Records on Processing Activities (GDPR) Inspections/checks by the Regulator (Personal Data Protection Office) Recommendation: to keep records of processing activities

21 Technical Factors IT infrastructure, IT safety Key technical element Factual, not legal Review, Alterations Reasons, limits technical, time, investment Recommendation: IT system readiness

22 Human Factor Transparency Self-Protection of Employer How to be transparent? Policies Incidents breach of employees obligations Liability for non-compliance (employer, employee) Disciplinary Measures, Termination Liability and Damages

23 Data Protection Officer ( DPO ) Completely New Position Obligatory only for certain employers Where to look for DPO? Internal or external Intragroup

24 Final Recommendation What to remember? Do Not Forget Employees Data Processing Get Ready & Be Transparent IT infrastructure, policies, training, review all personal processing performed Count with Control

25 Danny Vesters The Netherlands

26 GDPR in the Netherlands Dutch Data Protection Act (2000) Based on Directive 95/46/EC (Data Protection Directive) GDPR Enforcement date: 25 May 2018 GDPR implementation Bill The GDPR is implemented in a policy-neutral manner. The bill continues all current law, insofar as is allowed under the GDPR.

27 Data subject Employee GDPR in the Netherlands Processing personal data Principles and lawfulness (articles 5 and 6 GDPR) Principles Lawfulness, fairness and transparency Purpose limitation Data minimization Accuracy Storage limitation Integrity and confidentiality Accountability

28 GDPR in the Netherlands Lawfulness Consent Performance of a contract Legal obligation Vital interest Performance of a task carried out in the public interest Legitimate interest Personal data in the employment context Before employment (application) During employment After employment Do not forget the Works Council

29 GDPR in the Netherlands Article 88 GDRP Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer s or customer s property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship Missed opportunity?

30 GDPR in the Netherlands Be prepared Be aware of your role in the privacy process (controller, processor, data subject) Create privacy awareness Have clear policies and well practised procedures Establish a framework for accountability Embrace privacy by design Be aware of the legal basis on which you use personal data (principles and lawfulness) Be aware of the rights of the data subject BE IN CONTROL (!)

31 Stanislav Rumyantsev Russia

32 Why Compliance in Russia?

33 Castrén & Snellman 33 Global Privacy Docs

34 Castrén & Snellman 34 Global Privacy Docs Russia: affiliation of companies does not matter Russian Privacy Docs

35 Three Most Common Approaches 1) Identical data privacy documents for all jurisdictions The EU and Russian requirements are not identical 2) Case-by-case compliance Fulfilment of one requirement is impossible without meeting all other applicable requirements 3) Local HR and financial departments take the initiative They do not usually see the whole picture. The prepared documents will correspond to the needs of these units, but not the whole office

36 Preferable Option Preferable option: 1) 2) 3) Global Privacy Docs Internal Audit of Russian Operations Russian Privacy Docs

37 Scope of Compliance Work

38 Castrén & Snellman Most of operations were conducted in the EU Before 1 September 2015 They were not visible from the opposite side of the border Data Protection Authority Non-Russian Office Corporate ICT System Full compliance with EU regulations Russian Office Only basic operations took place here Data Subject

39 Castrén & Snellman Beginning from 1 September 2015, Russian nationals personal data must be processed through databases located in Russia

40 Castrén & Snellman Most of operations were conducted in the EU After 1 September 2015 They were not visible from the opposite side of the border Data Protection Authority Non-Russian Office Corporate ICT System Full compliance with EU regulations Russian Office Only basic operations take place here Data Subject

41 Castrén & Snellman After 1 September 2015 Database is subject to Russian law DP operations are now visible Data Protection Authority Local Data Store r Non-Russian Office Corporate ICT System Russian Office Data Subject Full compliance with EU regulations Full compliance with Russian law

42 Castrén & Snellman Data Processing on the Russian Side DPA HR Data HR Finance CRM Data Personal Data Russian Office DPO Papers Databases Marketing Other Units Contractors Data Third Parties Head Office

43 What to Do?

44 Castrén & Snellman It s Mostly About Documents Each data processing or data security action should be documented. In most cases, a Russia-based company or representative office should have: Around40 documents and templates Legal Administrative IT Security

45 Castrén & Snellman Example A newbie joins the Russian office of your company General data subject s consent Non-disclosure undertaking Notice on personal data processing Data Privacy Policy and other internal policies Training register Access rights register Policy on storage of personal files

46 Castrén & Snellman Main Technical Security Documents Security Level Russian Office must choose one of four security levels depending on the processed volumes of data and its categories Each ICT system (database) physically located in Russia IT Security Requirements The requirements for each security level are adopted by the Decree of the Russian Government No dated IT Security Measures A set of measures is prescribed for each requirement by the enactments of the Federal Security Service and the Federal Service for Technical and Export Control

47 Castrén & Snellman Main Technical Security Documents For example: Security level Requirement To ensure security of premises accommodating the ICT equipment in a way preventing any uncontrolled intrusion or stay in these premises Measures Door lockers and alarm Officially adopted rules of access Officially adopted list of employees who have access rights

48 Castrén & Snellman Summary Compliance cannot be created overnight Global ICT projects involving Russia cannot go forward without compliance with the Russian Personal Data Law Russian Office must have its own set of local privacy documents. In general, they can be in line with the global corporate policies Parent company acts as a third party to its Russian subsidiary. The intercompany data processing agreement and data subjects consent are required There is a trend towards strengthening state supervision and liability

49 Conclusions & Wrap Up

50 For More Information Please Contact: Jan Lelley Buse Heberer Fromm Milada Kurtosiova Kocián Šolc Balaštík Danny Vesters Boontje Advocaten Arbeidsrecht Stanislav Rumyantsev Castrén & Snellman

51 European Client Conference Vienna Austria June 5, 2018 Please visit our event website for more details! Direct link:

52 Recording, SHRM PDCs, & Certificate of Attendance To listen to this webinar again or to any past ELA webinars, please visit our website at: This program is valid for 1.25 PDCs Course Number: 18-I3U58 Please visit to submit PDCs A Certificate of Attendance and supporting materials are posted on the ELA website (click this webinar s title; the link to the Certificate is on the landing page). Attendees seeking continuing education credit should submit these materials directly to the appropriate organization.

53 Tell Us How We Did!

54 For More Information If you have any questions, or need further information please contact: Brittany McKinski Webinars Coordinator