GDPR, What's in it for you?


Amsterdam Brussels Dubai Hong Kong London Luxembourg New York

Topics

GDPR: Challenge and opportunity
1. Applicability of the new regime and respective responsibilities
2. Accountability is the new paradigm
3. Embedding privacy is not an empty word
4. Security will be everywhere (even at your local store)
5. Working with health data can cause headaches
6. The marketeer in the privacy minefield
7. The DPO. A mole inside your company?
8. Cross-border transfers: don't be on the wrong track!
9. The Data Protection Supervisor(s): Who are you? Where are you?
10. Oops! Caught red-handed? What are the sanctions for violating data protection rules?

Notice: This publication contains general information only. It does not constitute legal advice and should not be relied upon for any business decision.

GDPR: Challenge and opportunity

The GDPR is the single most important change in the data protection landscape since the 1995 Privacy Directive. It will have a profound impact on the way the processing of personal data is organized and on how companies prioritize data processing on their corporate agenda. Companies involved in the processing of personal data that has a connection with the EU will have no choice but to comply with the requirements. Our Stibbe data protection team has been involved in privacy-related matters for more than 20 years. In this contribution, drawing upon our wide experience, we seek to acquaint you with the key changes brought about by the new Regulation. Rather than painting an exhaustive picture of the new rules, we have taken a topical approach and touched upon a series of carefully selected items which, in our view, are most representative of the changes brought about by the GDPR.

In addition, it should be underlined that the data protection landscape is a very dynamic one and will always extend beyond a set of rules in a legal document, however impressive that document may be. For example, the specific content and boundaries of the obligations and requirements will be further shaped by the guidance provided by the Article 29 Data Protection Working Party ("WP 29"). This platform, consisting of representatives of the various DPAs, has set forth a plan for the implementation of the GDPR, as part of which it will issue opinions on several priority subjects. Three sets of guidance have already been published: on data protection officers, on data portability and on the role of the lead supervisory authorities. Other topics to be addressed in the near future relate to the notion of high risk, data protection impact assessments and certification. Going forward, the role of the WP 29 will be taken over by the EDPB, which will continue to provide guidance and updates.

In addition, there is a broad call for standardization and for the development of best practices across different industries. Various provisions of the GDPR reflect such a call, and the guidance provided by the WP 29 also calls for standardization and industry best practices. This is, for example, the case for the new data portability right, where the WP 29 advises data controllers to implement a standardized technical approach to application programming interfaces. Likewise, the DPAs will issue guidance and ensure compliance in a way that aligns the harmonized rules with other national laws, local customs, cultural expectations and sensitivities.

Finally, there is the role of the courts. While it is clear that national courts will have their role to play, it is hard to predict what their impact will be. It is fair to note that, up until now, the role of national courts in shaping data protection law has been limited. The same can obviously not be said of the ECJ, which appears to be on a mission to further shape and advance the data protection landscape, especially at times when other European institutions appeared to have difficulty delivering on the subject. For example, in a series of unprecedented decisions, the ECJ has tackled very complex issues such as the right to be forgotten, data retention, and EU-US data transfers. At this very moment, applications for the rescission of the Privacy Shield have been brought before the General Court.

All of the above factors will turn the data protection landscape into a very dynamic one. This means that companies, in seeking to comply with the GDPR, should ensure not only that they stay informed about further developments, but also that the processes, systems and tools they select to secure compliance are sufficiently flexible that they can be easily adjusted and refitted to embrace new developments. Our team, for one, will be on the look-out and will report regularly on any important changes in the field.

What is more, it is not just about complying with the GDPR as of 25 May 2018 and in a forward-looking mode. The challenge is wider, as companies today still have significant gaps in complying with the Data Protection Directive 95/46/EC and its implementing legislation. These gaps will first need to be filled before thinking about the next steps to be undertaken for compliance with the GDPR.

For example, companies will need to consider whether the personal data they have on record today were collected and are being processed and retained in accordance with the currently applicable rules. If that is not the case, they may have a considerable historical compliance gap which will continue to undermine their state of compliance going forward. It is very difficult to build in a sustainable way if the foundations are not sound. Companies are well advised to duly consider the relevance of data protection and understand that compliance has become a must-have. Compliance is in fact not just a matter of law; it is also a matter of ethics. They should be ready to commit to their new obligations and free up budget and resources. To this end, it is important that they adopt a very structured approach, in view of the limited time available and of the fact that this is a broad challenge that crosses all business lines and segments of companies. In view of the foregoing, only a company-wide approach makes sense. Rather than seeing all of this as a nuisance, companies should also see the opportunity in it, namely that compliance with data protection rules can be a quality label and a competitive advantage. For a deeper insight into what can be done in practice, and how Stibbe could guide you along this compliance road, please visit our GDPR pages under the practice area Data protection on Stibbe.com.

1. Applicability of the new regime and respective responsibilities

The General Data Protection Regulation (GDPR) will inevitably impact many more companies than before. The GDPR will apply to any business that acts as data controller or data processor and that offers goods or services to individuals in the EU, regardless of whether it is physically located in the EU (see I). Moreover, the GDPR imposes many new obligations on both data controllers and data processors, triggering a real shift in their respective responsibilities. This will entail major consequences for a large number of European as well as non-European companies (see II) and create new challenges that many businesses will need to address in the near future (see III).

(I) Businesses without an establishment in the EU may fall under the scope of the GDPR

The GDPR will apply to EU and non-EU companies that (i) process personal data in relation to the offering of goods or services to EU data subjects or (ii) monitor the behaviour of individuals that takes place within the EU. The concepts of personal data and processing remain very broad. Personal data include any kind of information (e.g., location data, online identifiers) that allows a person to be identified, even indirectly. In addition, the mere hosting, storage, or even the erasure or destruction of data amounts to processing of such data. Companies are considered to be targeting EU citizens if one or more of these elements are present: the use of a language or a currency generally used in one or more Member States in conjunction with the offering of goods and services, and/or the mention of customers or users who are based in the EU. Conversely, the mere fact that the website of a non-EU-based business is accessible from the EU is not a determining factor.

This approach will significantly broaden the scope of application of the GDPR, as it will now clearly encompass all websites and apps that track EU citizens' online behaviour and digital activities, e.g., by making use of tracking cookies.

(II) New, heavier obligations imposed on both data controllers and data processors

The GDPR did not change the definitions of the terms data controller and data processor. The former remains defined as the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data, while the latter is the entity that processes personal data on behalf of the controller; this definition covers, for instance, a cloud-computing service provider. A significant development is that the GDPR explicitly addresses the processing of personal data by both data controllers and data processors (under the conditions described above in these terms' definitions). In addition, a data processor that has determined the purposes and means of the data processing by itself should be considered a controller with regard to that specific processing. Besides blurring the boundaries between data controller and processor, this also lowers the threshold for triggering the provision on joint controllership, thereby subjecting the processor-turned-controller to heavier responsibilities.

Furthermore, the GDPR imposes more stringent obligations on data controllers. As a matter of principle, data controllers are responsible for ensuring that the data processing complies with the key principles of the GDPR. In this respect, data controllers will have to keep records of all processing activities carried out under their responsibility, including all information that can demonstrate that their data processing complies with the GDPR. With regard to data processors, there will be a greater shift in liabilities. Indeed, for the first time data processors will have direct obligations towards the data subjects, whereas before they were merely responsible towards the data controller.

Like the data controller, the data processor can also be sanctioned by fines if it fails to fulfil those obligations. For instance, data processors (again, just like data controllers) must implement technical and organizational measures to ensure that their processing is secure. In addition, they must immediately inform the data controller about any security breach that has occurred in relation to the processing. By the same token, the data processor must keep records of all data processing activities that it carries out on behalf of the data controller. Finally, the data controller and the data processor must cooperate with the supervisory authority throughout their performance of data processing tasks. Hence, the data processor might also be required by the supervisory authority to meet data subjects' requests whenever the latter exercise their rights.

Lastly, the GDPR sets forth more extensive requirements that must be reflected in a contract between the data controller and the data processor. While there is already an obligation under the Data Protection Directive to have a written agreement between the data controller and data processor, the requirements for this agreement under the GDPR are more significant: the data processor must satisfy its regulatory obligations as regards confidentiality, security, and sub-processing; the data processor must, at the data controller's choosing, delete or return all the personal data; and it must assist the data controller in (i) ensuring fulfilment of the controller's obligations on security and prior notification and (ii) taking technical and organizational measures to fulfil the controller's obligation to respond to data subjects' requests. No transitional provision has been adopted in this respect, so all existing data processing agreements between these parties are at risk and the parties are therefore compelled to renegotiate their contracts. Moreover, data processors will have the relative comfort of limiting their liability towards the data controller under the GDPR, because the supervisory authority can now fine data controllers directly. Furthermore, data processors acting on behalf of several data controllers, for instance when offering outsourcing services to several companies, will have to manage the fulfilment of their numerous contractual obligations under those distinct data processing agreements very carefully. Finally, data controllers will need to select their suppliers more carefully to ensure that the latter process personal data cautiously and diligently. A data controller will also eventually need to perform audits to ensure that the data processing complies with the principles of the GDPR.

The data controller must indeed be able to demonstrate that it has chosen a data processor that provides sufficient guarantees to implement appropriate technical and organizational measures and procedures in such a way that the processing will meet the requirements of the GDPR.

(III) Coming challenges

The practical implementation of all those new legal requirements appears to be challenging. For example, the new processor-controller joint responsibility for security breaches will imply that data processors should conduct risk assessments for each intended data processing.

2. Accountability is the new paradigm

Under the current rules, data controllers must notify the competent data protection authority ("DPA") about their data processing activities. However, certain EU Member States, such as Germany, allow an exemption from this obligation (also known as the "alternative obligation") if these conditions are met: (i) a data protection officer ("DPO") is appointed in the company and (ii) records of the processing activities are kept and updated. The GDPR prefers this approach over the traditional notification obligation. The EU legislature seeks to heighten data controllers' accountability by replacing the notification obligation with alternative obligations. Here, we will focus on the two main alternative obligations that shape this heightened accountability principle: (i) the obligation to keep records and (ii) the obligation to conduct data protection impact assessments ("DPIAs"). The specific role of the DPO will be discussed in another publication later on.

Records of processing operations and cooperation with the DPAs

Every data controller must keep records pertaining to all aspects of the data processing operations under its responsibility. This broadly includes the information that must already be notified to the Belgian DPA under the current legal framework, i.e., contact details of the data controller, categories of personal data processed, recipients of the data, international transfers, and retention periods. The GDPR now also imposes such a record-keeping obligation on data processors and compels both data controllers and data processors to cooperate with their DPA and make these records available upon request. Furthermore, where appropriate data protection policies are proportionate to the specific processing activities, the data controller must implement them. Such policies are intended to create awareness and to inform and train the data controller's staff on data protection issues.

DPIAs

The GDPR also introduces the requirement that DPIAs be conducted for certain high-risk data processing operations, such as processing activities that can create a risk of discrimination, identity theft, fraud, or financial loss. A DPIA is especially required for (i) a systematic and extensive evaluation of natural persons through automated processing activities (e.g., profiling) that produces legal effects or significantly affects the individual (this could potentially include website analytics tools, the creation of motion profiles by mobile applications, or the creation of personal profiles by social media networks); (ii) large-scale processing of sensitive data such as biometric data or criminal conviction records; and (iii) systematic large-scale monitoring of a publicly accessible area, such as monitoring through the use of optic-electronic devices such as CCTV video surveillance.

A DPIA should consist of at least (i) a description of the envisaged processing operation and the purpose of the processing (What does the processing encompass and what purpose does it serve?); (ii) an assessment of the proportionality and the necessity of the processing operation in relation to the purposes (Is the processing reasonable in light of the purposes?); (iii) an assessment of the risks that can affect the rights and freedoms of the individuals whose data are being processed (the "data subjects"); and (iv) the measures envisaged (a) to address these risks, including safeguards and security measures, and (b) to demonstrate compliance. Apart from these four pointers, the GDPR does not contain any concrete guidance on how to conduct a DPIA. We expect that this will be picked up by the DPAs, as has already been done by the CNIL in France.

Upcoming challenges

Going forward, companies should verify whether they have adequate records of all data processing operations and make sure such records are kept up to date. In practice, this will require companies to assign specific resources to ensure regular updates and follow-up of those records. In addition, companies will need to verify whether any of the processing operations they wish to undertake requires a DPIA and consult the DPAs as appropriate. Last but not least, companies will need to check whether they have suitable technical and organizational measures in place to ensure and demonstrate compliance with the GDPR. To this end, companies can find guidance in the indications given by a DPO or in the guidelines that can be issued by the European Data Protection Board.

The global approach to accountability adopted in the GDPR does not leave much room for tailoring the regulatory requirements to the specific type of organization concerned. This can have financial consequences for smaller organizations and will also trigger a heavy administrative burden for all of them. In addition, if the results of the DPIA show that the processing operations would result in a high risk that cannot be mitigated by appropriate measures in terms of available technology and costs of implementation, the data controller must consult the DPA prior to the start of the processing operations. Again, the outcome of such consultations is likely to vary depending on the DPA concerned.

3. Embedding privacy is not an empty word

The GDPR requires entities processing personal data to implement appropriate technical and organisational measures both at the time when the means for processing are determined and at the time of the actual processing. Privacy becomes a core part of every business from the very beginning and throughout the data processing cycle. In this regard, the GDPR expressly requires compliance with two principles: data protection by design and data protection by default. The former means incorporating privacy into the architecture of products (manufacturing/production) and service processes (offering, after-sales, maintenance, etc.) by, for example, minimizing the processing of personal data from the beginning to the end of a process. For instance, if the purpose of application developers can be achieved using aggregated data, accessing raw data should be avoided. It also means that organizations should ensure that the relevant expertise is available at the earliest possible stage, and not only later on to resolve privacy issues that have already arisen. The latter principle means that organizations must implement mechanisms to ensure that, by default, only the minimum personal data necessary for each specific purpose are processed, and that the data are not disclosed more than necessary. For instance, the default settings of social media applications should ask users to review, edit, and decide on information generated by their device before it is published on social media platforms, while information that has been published should, by default, not become public or be indexed by search engines. How these principles will be enforced is not clear yet. However, it is clear that the DPAs will require the organizations concerned to provide records and documentation demonstrating their compliance, subject to penalty.

Organizations are indeed encouraged to certify their data processing with a supervisory authority or an approved certification body. A certificate for a data processing, once granted, is valid for up to 3 years (renewable) and is recorded in a public register so that data subjects can quickly assess the level of data protection provided by these organizations. More details on this will follow before the GDPR enters into force.

4. Security will be everywhere (even at your local store)

Compared to the current legal framework, the GDPR contains stricter obligations with regard to data security, data breach notifications, and data subject notifications. Therefore, many companies have already started preparing for compliance, given that many of these obligations will require time to implement.

Data security

The GDPR requires both data processors and data controllers to implement appropriate security measures at every level of data processing. In this regard, the GDPR provides specific suggestions such as, but not limited to:

- the pseudonymization and encryption of personal data;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing, for example, approved and tested codes of conduct, certifications, and guidelines.

In assessing the appropriate level of security, data controllers and data processors are required to take into account the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed. In particular, the risk would be higher for large-scale processing operations involving considerable amounts of personal data, because a data breach could affect a large number of data subjects. For example, a hospital storing patient files in the cloud presents a higher risk than a local, independent hairdresser's customer loyalty program, because of the large scale of the hospital's processing and the sensitive nature of patient data.

Data breach notification

A data breach is a security incident in which sensitive, protected, or confidential personal data is intentionally or unintentionally released to an untrusted environment or copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so. Such incidents range from concerted attacks with the backing of organized crime or national governments to the careless disposal of used computer equipment or data storage media.

Under the GDPR, the data controller must notify any data breach to the supervisory authority without undue delay and, where feasible, within 72 hours from the time the controller became aware of the breach. If this timeframe is not met, the late notification must be accompanied by reasons justifying the delay. The data breach notification must contain information including, among others:

- the nature of the personal data breach, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
- a description of the likely consequences of the data breach;
- a description of the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

There is one key exception to the notification obligation. Notification is not required if the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The preamble of the GDPR states that a risk to the rights and freedoms of individuals can consist of physical, material, or non-material damage such as identity theft or fraud, financial loss, discrimination, or reputational damage. Lastly, the data controller must also maintain an internal data breach register, allowing the supervisory authority to verify compliance with the GDPR if needed. If the data processor becomes aware of a data breach, it must notify the data controller. The data processor itself has no other notification or reporting obligations.

Data subject notification

In certain instances, the GDPR also requires that data breaches affecting data subjects be notified to them. If the data controller has determined that the data breach is likely to result in a high risk to the rights and freedoms of individuals, it must also communicate the information regarding the data breach to the affected data subjects without undue delay. The GDPR does not further specify the distinction between "high risk" with regard to data subject notification and "risk" with regard to data breach notification. Therefore, this phrase will surely become the subject of many discussions regarding the necessity of a data subject notification. The GDPR sets forth three exceptions under which the data controller is not required to notify data subjects:

- the data controller has implemented appropriate technical and organizational protection measures that render the data unintelligible to any person who is not authorized to access it, such as encryption;
- the data controller takes actions subsequent to the personal data breach to ensure that the high risk to the rights and freedoms of data subjects is unlikely to materialize, such as the full recovery or destruction of the leaked data, so that the data is not in the hands of a third party;
- notification to each data subject would involve disproportionate effort, in which case alternative communication measures may be used, such as a public information campaign.

To-do list

Companies might want to prepare themselves to meet these additional requirements by:

- developing clear policies and procedures to ensure a timely reaction to data breaches, including notification procedures, incident identification systems, and incident response plans;
- practicing and testing such procedures on a regular basis;
- investing in the implementation of appropriate technical and organizational measures to ensure data security.

The practical implementation of the requirements under this section is challenging, not least because of the ambiguity of certain terms such as "undue delay", "likelihood of (high) risk to rights and freedoms", and "disproportionate effort", which remain to be further clarified and defined in practice.
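The controller-side decision tree described in this section (DPA notification and its 72-hour clock, the "unlikely to result in a risk" exception, data-subject notification and its three exceptions, the mandatory notification elements and the internal register) worked into a small breach-register helper. This is an added example, not part of the original publication; the incidents, timestamps and field names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional

# "Where feasible, within 72 hours" of the controller becoming aware of the breach.
DPA_WINDOW = timedelta(hours=72)


class Risk(Enum):
    UNLIKELY = "unlikely to result in a risk"  # DPA notification not required
    RISK = "risk"                              # notify the DPA
    HIGH = "high risk"                         # notify the DPA and the data subjects


@dataclass
class Breach:
    # The elements a DPA notification must contain, as listed in this section.
    nature: str
    subject_categories: List[str]
    approx_subjects: int
    record_categories: List[str]
    approx_records: int
    likely_consequences: str
    measures: str                  # taken or proposed, including mitigation
    risk: Risk
    became_aware_at: datetime
    # The three grounds on which data-subject notification is not required.
    data_unintelligible: bool = False      # e.g. encrypted and the key was not exposed
    high_risk_averted: bool = False        # e.g. the leaked copy was fully recovered/destroyed
    disproportionate_effort: bool = False  # individual notice impractical -> public campaign


@dataclass
class Decision:
    register_entry: bool            # always true: the internal breach register
    notify_dpa: bool
    dpa_deadline: Optional[datetime]
    notify_subjects: bool
    public_communication: bool      # alternative when individual notice is disproportionate
    missing_fields: List[str]       # notification elements still to be filled in


REQUIRED_FIELDS = ("nature", "subject_categories", "approx_subjects", "record_categories",
                   "approx_records", "likely_consequences", "measures")


def missing_notification_fields(b: Breach) -> List[str]:
    """Mandatory notification elements that are still empty (0, "" or [])."""
    return [name for name in REQUIRED_FIELDS if not getattr(b, name)]


def assess(b: Breach) -> Decision:
    """Apply the controller-side decision tree described in the chapter."""
    notify_dpa = b.risk is not Risk.UNLIKELY
    deadline = b.became_aware_at + DPA_WINDOW if notify_dpa else None
    high = b.risk is Risk.HIGH
    exempt = b.data_unintelligible or b.high_risk_averted
    notify_subjects = high and not exempt and not b.disproportionate_effort
    public = high and not exempt and b.disproportionate_effort
    missing = missing_notification_fields(b) if notify_dpa else []
    return Decision(True, notify_dpa, deadline, notify_subjects, public, missing)


def hours_late(b: Breach, submitted_at: datetime) -> float:
    """Hours beyond the 72-hour window (0.0 if on time). A late notification
    must be accompanied by the reasons justifying the delay."""
    over = submitted_at - b.became_aware_at - DPA_WINDOW
    return max(0.0, over.total_seconds() / 3600)


# Constructed sample incidents (hypothetical, not real cases).
AWARE = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)


def sample_hospital_breach(encrypted: bool) -> Breach:
    """Stolen laptop holding exported patient files: high risk unless the disk was encrypted."""
    return Breach("stolen laptop with exported patient files", ["patients"], 1200,
                  ["diagnoses", "test results"], 4800,
                  "identity theft, discrimination, reputational damage",
                  "remote wipe issued; export process disabled", Risk.HIGH, AWARE,
                  data_unintelligible=encrypted)


def sample_low_risk_breach() -> Breach:
    """Internal list e-mailed to the wrong internal team: no real risk to the individuals."""
    return Breach("misaddressed internal e-mail", ["employees"], 40, ["work e-mail address"], 40,
                  "none expected", "recipients asked to delete", Risk.UNLIKELY, AWARE)


if __name__ == "__main__":
    for b in (sample_hospital_breach(False), sample_hospital_breach(True), sample_low_risk_breach()):
        print(b.nature, "->", assess(b))
    print("hours late:", hours_late(sample_hospital_breach(False), AWARE + timedelta(hours=80)))
```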

5. Working with health data can cause headaches

One of the key points of this new legislative framework concerns the processing of health data. Because health-related information is very sensitive in nature, and its use can have an adverse effect on a person's private life and reputation, the GDPR imposes a higher standard of protection for the processing of health data. This higher standard, aimed at protecting the fundamental rights and privacy of patients, results in a higher burden on the professionals in the health sector who will have to comply with it.

Sensitive data

As a general rule, healthcare professionals (doctors, pharmacists, nurses, healthcare insurers, and other healthcare service providers) are prohibited from processing health data about their patients unless they have obtained the explicit and informed consent of the patient to do so or unless it is done under specific circumstances set out in the law. Therefore, healthcare professionals are in principle not allowed to collect, record, store, alter, use, or disclose any information which relates to the physical or mental health of an individual, or to the provision of health services to the individual, without the patient's consent. This can include anything from medical records, examination results and medical history to a disease or a person's psychological state. One of the circumstances under which health data can be processed even without the explicit consent of the patient, however, is when a healthcare professional who is subject to a legal obligation of professional secrecy or a similar obligation of confidentiality, such as a doctor, nurse or pharmacist, needs to collect, store or use health data, or needs to communicate with another healthcare professional, for health-related purposes (e.g., medical diagnosis, provision of care, or treatment) of the patient in question.
The GDPR also allows the processing of health data for reasons of public interest in the area of public health, such as protecting against serious cross-border health threats. There can indeed be situations in which sensitive health data need to be communicated to certain authorities so that the right measures can be taken to protect citizens. This could be the case when tracing the contacts of an infected person in order to prevent the (further) spreading of a contagious disease, such as ebola or tuberculosis. Considering the sensitive nature of health information, it is imperative that professionals in the health sector who work with such data ("data controllers") are aware of their obligations under the GDPR, and that the patients or people whose data are being processed ("data subjects") are aware of their rights.

Data controllers have, for instance, the obligation to secure health data that are under their control and to notify the authorities of any data breaches. This means that every independent healthcare professional or health service provider must take appropriate security measures to make sure his/her patients' health data are kept secure. This is done by, for example, securing personal computers with private logins and passwords and by installing firewall updates and antivirus software. If the personal computer or hard drive on which patients' records are saved is stolen or is unlawfully accessed through the internet, the GDPR obliges the healthcare professional or service provider, as the case may be, to notify this data breach to the competent DPA within 72 hours from when it became aware of it. Furthermore, when processing health data, the data controller (for example, a physician or hospital) has a number of obligations to fulfill. The data subject must be informed about the specific purpose for which information about his/her health is collected or used, and the data subject must be allowed to exercise his/her rights to access or change/update this information free of charge. For instance, a patient is entitled to a free copy of his/her medical records containing information such as diagnosis and test results. Additionally, a patient has the right to obtain from his/her doctor the correction of any inaccurate information about his/her health and, in certain cases, also has the right to object to the processing or use of his/her health data and even the right to have some data about his/her health situation removed from the file.
The cloud doctor

Healthcare professionals are increasingly tempted to keep the medical records of their patients on servers connected to the internet or in the cloud, and not merely on paper. As a result, the risk of data being accessed without authorisation grows, data breaches become more likely, and health data are more likely to be stolen. The cloud is indeed not always the safest place to store such data, as the numerous data leaks making news headlines these days show. Moreover, if the cloud infrastructure used is located outside the EU, the data are effectively exported outside the EU, which triggers additional concerns, conditions and even obligations. Therefore, if cloud-service providers seek to convince the health sector of the benefits the cloud can offer, they should offer state-of-the-art security (the GDPR itself names pseudonymisation and encryption as examples of appropriate measures), or at the very least inform medical practitioners about the security levels that are in place and about the precise location where the data will be stored physically.

Even though the security of health data may be more at risk when they are stored in the cloud, various national governments are taking steps towards a more connected health system. For example, the Belgian government recently launched its e-health initiative (fgov.be), a cloud platform for the exchange of patients' health information between healthcare professionals. The data on this platform can be accessed by doctors, hospitals and other healthcare providers throughout the country, and not only by the treating doctor.

Finally, it is not only the medical practitioner but also the cloud-service provider that will have direct legal obligations and responsibilities under the GDPR, including the security obligations and, as a processor, the obligation to notify the controller of any breach without undue delay so that the controller can meet its own 72-hour deadline towards the DPA. This is more than logical, as the cloud-service provider is the one actually carrying out the processing of the health data, whereas the doctor has no control over the technical security measures implemented on the provider's external storage servers. The doctor nevertheless remains responsible for choosing a provider that offers sufficient guarantees and for putting a written processing agreement in place. It will therefore be not only the professionals in the sector but also the cloud-service providers that need to step up in order to offer more secure storage of health data.

6. The marketeer in the privacy minefield

Businesses are increasingly relying on data, which are progressively at the very core of their marketing activities. Some brands gather, and retain indefinitely, the data of thousands of clients in order to improve their services or to carry out direct advertising. In addition, these data are very often passed on to commercial partners without the data subjects being clearly informed. The GDPR imposes additional obligations on marketeers and aims at increasing the control a data subject has over what is done with the personal data relating to him or her.

Firstly, the processing of personal data for marketing purposes will require the data subject's unambiguous consent, i.e. a clear, specific, informed and freely given affirmative indication that he or she agrees with such use of the data. (The GDPR itself acknowledges that direct marketing may also be pursued as a legitimate interest of the controller, but unsolicited electronic marketing is in practice subject to the consent requirements of the e-Privacy rules, so consent remains the safe route.) This implies the need for companies to implement proper opt-in mechanisms, for instance by having the data subject actively tick a box: pre-ticked boxes, inactivity and silence will no longer be considered valid consent. In addition, data subjects must be given the right to object to the processing of personal data relating to them, including profiling, to the extent it relates to direct marketing. Once they object, the data may no longer be processed for such purposes.

The GDPR also empowers data subjects through the creation of new rights, among which the right to be forgotten and the right to data portability. As to the former, the GDPR codifies it for the first time, following the Court of Justice of the European Union's recognition of it in the so-called Google Spain case, rendered in 2014. This right to erasure now obliges all data controllers to delete personal data, at the request of the data subject and without undue delay, if the data are no longer needed, if the data subject objects to the processing, or if the processing was unlawful.
According to the legislator, this right is especially relevant where data subjects gave their consent as children, for instance on the internet, and later wish to have the personal data relating to them removed. The right is not absolute, however: the data controller may refuse erasure if, inter alia, retaining the data is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, or for reasons of public interest in the area of public health.

Secondly, the GDPR strengthens the existing right of access to one's personal data by creating a right to data portability, which allows the data subject to receive the personal data concerning him or her and to transmit those data to another data controller directly.

This right applies if the initial processing is based on the data subject's consent (or on a contract with the data subject) and is carried out by automated means (e.g. songs listened to via a music streaming service or books purchased from an online bookstore). It only concerns personal data relating to the requesting party which he or she has provided to the data controller. This latter condition is construed broadly by the Article 29 Data Protection Working Party ("WP 29"), which considers that it covers all data actively and knowingly provided by the data subject and also data that are provided by the data subject by virtue of the use of a service or a device, such as a person's search history, traffic data and location data. It does not cover data the controller itself has inferred or derived from that input, such as a profile or segment, although such data remain accessible under the ordinary right of access. Data controllers must answer the request in a structured, commonly used and machine-readable format. According to the WP 29, data controllers should offer data subjects a direct download facility and should also allow them to transmit the data directly to another data controller, for instance by making an application programming interface available.

Finally, data subjects must be clearly informed about all aspects of the processing, about the origin of every piece of data gathered about them, and about each purpose for which the data are being processed. Moreover, the right to object to the use of data for marketing purposes must be explicitly brought to the attention of the data subject and presented clearly and separately from any other information. The GDPR embodies the emerging trend of giving data subjects back control over the data gathered and processed about them by marketeers.
Moving forward, businesses will have to ensure the transparency of their data practices and should, before the GDPR becomes applicable, inventory their client databases and trace how they were built up, in order to make sure that the data can lawfully be retained on the basis of valid consent given by the persons concerned. Also, as regards the new right to data portability, they will need to retrace on what grounds the data were obtained and start implementing tools that are able to answer data portability requests. Companies must also remember that the proportionality principle obliges them not to keep data for longer than is reasonably necessary for the purpose they pursue. Finally, companies should refrain from using such data for automated decision-making, i.e. a decision based solely on automated processing which produces legal effects concerning a data subject or similarly significantly affects him or her, such as the automatic refusal of an online credit application or e-recruiting without any human intervention, unless one of the exceptions applies (the data subject's explicit consent, necessity for a contract with the data subject, or authorisation by law). The GDPR will inevitably change the way businesses handle data and will certainly also open the way to new services in the digital single market by easing the switching of data between service providers through the intermediary of the data subject himself or herself.
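As an added illustration of the kind of tooling the previous paragraph calls for, the following Python example (written for this page; it is not code from the original publication or from any product) shows how a controller can tag the records it holds so that a portability request can be answered mechanically. The data model (a record carrying its legal basis, its provenance and an "automated processing" flag) and the sample records are assumptions made for the example; the scope rule implemented is the one described above: consent or contract as legal basis, automated processing, and data provided or observed rather than inferred.

```python
"""Added example: a data-portability export filter.

Assumed, illustrative data model (not from the original document or any
real product): each record a controller holds about a data subject carries
a `legal_basis`, a `provenance` (how the data came to the controller) and
a flag saying whether the processing is automated.
"""
import json
from dataclasses import dataclass

# Provenance of a record, following the WP 29 reading described in the text.
PROVIDED = "provided"    # actively and knowingly supplied (e.g. a sign-up form)
OBSERVED = "observed"    # generated by use of the service (e.g. search history)
INFERRED = "inferred"    # derived by the controller (e.g. a marketing segment)


@dataclass(frozen=True)
class Record:
    subject_id: str
    field: str
    value: object
    legal_basis: str      # "consent", "contract", "legitimate_interest", ...
    provenance: str       # PROVIDED, OBSERVED or INFERRED
    automated: bool       # processed by automated means?


def portable(rec: Record) -> tuple[bool, str]:
    """Decide whether a record falls within the right to data portability.

    Returns (in_scope, reason). The processing must rest on consent or on a
    contract, be carried out by automated means, and the data must have been
    provided by the data subject, which includes observed data but not data
    the controller inferred.
    """
    if rec.legal_basis not in ("consent", "contract"):
        return False, f"legal basis '{rec.legal_basis}' is not consent or contract"
    if not rec.automated:
        return False, "processing is not carried out by automated means"
    if rec.provenance == INFERRED:
        return False, "inferred by the controller, not provided by the subject"
    return True, "in scope"


def export_for_subject(subject_id: str, records: list[Record]) -> dict:
    """Build a portability export in a structured, machine-readable format.

    Out-of-scope records are not silently dropped: they are listed with the
    reason, because the data subject can still obtain them under the
    separate right of access.
    """
    included, excluded = [], []
    for rec in records:
        if rec.subject_id != subject_id:
            continue  # never leak another subject's data into the export
        in_scope, reason = portable(rec)
        if in_scope:
            included.append({"field": rec.field, "value": rec.value,
                             "provenance": rec.provenance,
                             "legal_basis": rec.legal_basis})
        else:
            excluded.append({"field": rec.field, "reason": reason})
    return {"subject_id": subject_id, "format": "application/json",
            "data": included, "not_portable": excluded}


def export_json(subject_id: str, records: list[Record]) -> str:
    """Serialise the export as JSON, the commonly used format a recipient can parse."""
    return json.dumps(export_for_subject(subject_id, records), indent=2, sort_keys=True)


# Constructed sample data for two subjects (not real customer data).
SAMPLE = [
    Record("u-42", "email", "alice@example.org", "contract", PROVIDED, True),
    Record("u-42", "search_history", ["gdpr", "dpo"], "consent", OBSERVED, True),
    Record("u-42", "marketing_segment", "likely-to-churn", "legitimate_interest", INFERRED, True),
    Record("u-42", "credit_score_band", "B", "consent", INFERRED, True),
    Record("u-42", "paper_consent_form", "signed 2017-03-01", "consent", PROVIDED, False),
    Record("u-77", "email", "bob@example.org", "contract", PROVIDED, True),
]

if __name__ == "__main__":
    print(export_json("u-42", SAMPLE))
```

Running the block exports the e-mail address and the search history for subject u-42, while the marketing segment (legitimate interest), the credit-score band (inferred) and the paper form (no automated processing) are listed under `not_portable` with their reasons; the other subject's record never appears. In practice the `legal_basis` and `provenance` tags are exactly the information a company has to "retrace" for its existing databases before it can answer such requests.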

7. The DPO. A mole inside your company?

The GDPR introduces a new role in data protection governance: the Data Protection Officer ("DPO"). The DPO will become indispensable for many companies and will play an essential role in ensuring compliance with data protection law. Appointing a DPO is mandatory for entities acting as a data controller or data processor if (i) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (ii) the core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, e.g. businesses engaging in profiling or tracking online behaviour; or (iii) the core activities consist of large-scale processing of sensitive categories of data, e.g. the activities of hospitals or biomedical companies that process health data, or of institutions that process information relating to criminal convictions. Furthermore, appointing a DPO can also be an obligation imposed by national Member State law, as Germany has already done.

The DPO will become a key figure in protecting personal data and will assume extensive duties and responsibilities. These include monitoring compliance with data protection regulations and the company's policies, assigning related responsibilities to others within the company, raising data protection awareness, training staff, carrying out compliance audits, and informing and advising the data controller, the data processor and the employees involved in the processing of their respective obligations under data protection law. The DPO also advises the company on the risks of particular data processing activities. Finally, the DPO is responsible for cooperating with the supervisory authorities and acts as the main point of contact for data subjects and those authorities. Data controllers and processors have certain obligations towards the DPO as well.
They must designate a DPO who possesses the right professional qualities and expert knowledge of data protection law (i.e. the GDPR and any other applicable EU or Member State data protection law) and practices. A group of undertakings may appoint a single DPO, provided that he or she is easily accessible from every establishment of the group. The DPO can be an internal staff member or an external person who performs the tasks under a service contract. Either way, the data controller or processor must ensure that the DPO is able to carry out his or her duties independently, that he or she receives no instructions regarding the performance of those tasks, and that he or she reports directly to the highest level of management within the company. Moreover, the DPO may not be dismissed or penalised by the controller or processor for performing his or her tasks. This does not, however, prevent him or her from being appointed for a fixed term or with the possibility of dismissal on notice, and it does not affect the application of local employment law. In addition, the data controller and processor must involve the DPO properly and in a timely manner in all data protection issues and provide him or her with the resources needed to fulfil those tasks and to keep his or her expert knowledge up to date.

If the appointment of a DPO is mandatory, this obligation should be taken seriously, if only because non-compliance can cause the company to be fined up to EUR 10 million or 2% of its total worldwide annual turnover, whichever is higher. Even if appointing a DPO is not mandatory, businesses should still consider appointing one voluntarily, because a DPO can be an effective and efficient way to meet certain burdensome obligations, such as the obligation to keep records of all processing activities, the obligation to carry out DPIAs, and the obligation to seek prior consultation of the supervisory authority in certain circumstances.

Even though the role of the DPO, and the extent to which he or she will gain access to business information, might seem quite invasive to the company, having a DPO is an important step in achieving compliance with data protection law and in ensuring the accountability the GDPR requires of the company. In any event, the DPO is bound by an obligation of confidentiality concerning the performance of his or her tasks. For the sake of completeness, the GDPR does not oblige the DPO to report any failure to comply with data protection obligations to the supervisory authorities. Hence, the DPO should not be considered a mole inside your company or a necessary evil, but rather a valuable, helpful and promising asset for the company.

8. Cross-border transfers: don't be on the wrong track!

The virtual world has no borders, and we often do not realise the massive amount of data flows generated within companies operating across the globe. In practice, all companies collect personal data of, for example, their customers, suppliers or contractors (i.e. data subjects). However, they are not always aware of their legal obligations when using, and especially when transferring, those data. For example, companies must take special precautions when personal data are transferred to non-European countries that do not provide an EU-like data protection framework. Moreover, the concept of a transfer of personal data is very broad: it also covers, for instance, the hosting of personal data on servers in the cloud.

Several mechanisms are available to ensure an adequate level of protection for EU data subjects' personal data that are transferred to third countries outside the European Economic Area ("EEA"). However, some of these mechanisms are being challenged, sometimes successfully. An example is the decision of the Court of Justice of the European Union (CJEU) to strike down the Safe Harbour regime that governed data transfers to the United States of America ("USA") until recently.

Adequate level of protection

Transfers of personal data within the European Union are authorised under the Member States' national legislation. In addition, personal data can also be transferred to countries outside the EEA that ensure an adequate level of protection of personal data. The same rules generally apply under the GDPR. The European Commission is empowered to decide which third countries are deemed to ensure an adequate level of protection. So far, the European Commission has recognised only the following countries as offering this level of protection: Andorra, Argentina, Canada (only for organisations subject to its federal private-sector privacy law), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
Data subject's consent

If a company intends to transfer personal data to a third country outside the EEA that has not been recognised by the European Commission as offering an adequate level of protection, it can rely on the data subject's consent for such a transfer. However, such consent must be free, clear and unequivocal. This can prove quite tricky when it comes to employees' personal data, as many countries take the view that an employee is not in a position to freely consent to a request from the employer. Consent is thus not always the magic solution for businesses. If not, what other mechanisms are there?

1. Transfers to the United States of America: Safe Harbour

Because of the significant amount of data flows between the EU and the USA, a flexible regime was adopted fifteen years ago for the exchange of personal data between these territories. This regime was known as Safe Harbour. It allowed companies to certify themselves as Safe Harbour compliant by subscribing to a set of EU-like privacy principles set forth by the United States Department of Commerce. This qualification was considered sufficient to authorise any transfer of personal data from companies established in the EU to US-based companies. However, following a complaint that the US legal framework did not offer sufficient protection against surveillance by US public authorities, the CJEU invalidated the Safe Harbour regime in October 2015 (the Schrems judgment). Meanwhile, a new legal framework for transatlantic transfers of personal data has been adopted by the European Commission, known as the Privacy Shield. The Privacy Shield focuses on trust and on effective enforcement of EU citizens' right to privacy, and it imposes clear safeguards and transparency obligations on US public authorities. The Privacy Shield has been criticised by various national DPAs and is currently being challenged before the EU courts.

2. EU Standard Contractual Clauses

EU-based companies transferring personal data to a third country outside the EEA can also rely on the so-called EU Model Clauses. These are template contract provisions drafted by the Commission which are considered to provide adequate safeguards with respect to data protection. Companies have been using these provisions on a large scale to underpin data transfers to the USA.
However, the EU Model Clauses have recently been called into question as well: following a reformulated complaint from the same complainant as in the Safe Harbour case, the Irish Data Protection Commissioner asked the Irish High Court to refer the matter to the CJEU in order to determine whether reliance on the EU Model Clauses is lawful under EU law, particularly in view of the allegations of mass surveillance by US intelligence authorities.

3. Binding Corporate Rules

Multinational companies wishing to avoid having to sign contractual clauses for every single data transfer within the group can adopt internal good-practice rules, known as Binding Corporate Rules. These define, within the group of companies, the policy and the internal obligations for the protection of personal data, specifically regarding transfers to third countries outside the EEA that do not provide an adequate level of data protection.

Apart from the limited possibility of relying on the data subject's consent, or on Binding Corporate Rules within international groups, the legal basis for data transfers to the USA remains uncertain, and the future of the EU Model Clauses has become uncertain too. We expect the GDPR to provide businesses operating around the globe with more flexible solutions. For instance, it will be possible to justify international transfers of personal data if appropriate safeguards are in place, such as adherence to a code of conduct approved by the competent supervisory authority or to an approved certification mechanism, in each case combined with binding and enforceable commitments by the recipient to apply those safeguards. It remains to be seen whether, and to what extent, the GDPR and the decisions of the CJEU and national bodies will actually resolve the remaining uncertainties in this area.

9. The Data Protection Supervisor(s): Who are you? Where are you?

The GDPR empowers the supervisory authorities established in each EU country to perform their tasks and exercise their powers with complete independence. These supervisory authorities play an important role in protecting data subjects' rights with regard to the processing of their personal data. So what exactly are their tasks and powers, and which national authority is competent?

In principle, each supervisory authority has jurisdiction in its own territory to monitor any local data processing, as well as processing carried out by a non-EU data controller or processor that targets data subjects residing in its territory. Their tasks and powers include conducting investigations and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data, as well as gaining access to any premises of the data controller and processor, including any data processing equipment and means. Also, each supervisory authority must facilitate the submission of data subjects' complaints by making a complaint form available, which can also be completed electronically. In addition, the authority must keep the complainant informed about the progress and outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary.

But what happens if the personal data processing by a single entity substantially affects data subjects in more than one EU country? Or if the data controller or processor has multiple establishments across Europe? In these two scenarios, and unless the processing is carried out by public authorities or by private bodies acting in the public interest, one supervisory authority must act as the lead authority.
This will be the authority competent to supervise the single entity in the first scenario, or the one competent to supervise the main establishment in the second scenario. What does that mean in practice? It means that there must be close cooperation with the other authorities concerned, so that the lead authority can adopt binding decisions that have been jointly discussed and agreed beforehand between the relevant authorities. This is the so-called one-stop-shop mechanism, which may in some circumstances imply that a cooperating authority submits a draft decision to the lead authority, which should then take that draft into account to the fullest extent possible when preparing its own decision.

According to the European legislature, supervisory authorities should assist each other in performing their tasks so that the consistent application and enforcement of the GDPR can be ensured. How? For instance, by participating in joint operations where appropriate, or by responding within a specified deadline to another supervisory authority's request, for example when that authority intends to adopt a measure relating to processing operations that substantially affect a significant number of data subjects in several EU countries.

Surely this all looks appealing, but what if the different supervisory authorities disagree with each other? If this happens, the European Data Protection Board (the "Board") should intervene by issuing an opinion, by adopting legally binding decisions (by a two-thirds majority of its members), or both. But what is this Board? Another supervisory authority? Not exactly: the Board is an independent body that mainly consists of representatives of the supervisory authority of each EU country and of the European Data Protection Supervisor. Are the Board's decisions final? Not necessarily, because any natural or legal person (including the supervisory authority concerned) has the right to bring an action for annulment before the Court of Justice of the European Union within a certain period of time. Similarly, any natural or legal person should have an effective judicial remedy before the competent national court against a decision of a supervisory authority (such as the dismissal of a complaint) that produces adverse legal effects for that person. Moreover, if the court seised has reason to believe that similar proceedings concerning the same subject matter are pending in another EU country, then, to avoid conflicting decisions, the court first seised should be the only one to rule on the matter.
Hence, under the GDPR there are still national supervisory authorities, but their tasks and powers have been redefined more comprehensively. Also, because of the increasing amount of cross-border data processing, consistency and smooth cooperation between the authorities and the Board are essential. The Board replaces the Article 29 Data Protection Working Party, the advisory committee established by Directive 95/46/EC. Obviously, it may take some time before all the required processes are up and running smoothly.

10. Oops! Caught red-handed? What are the sanctions for violating data protection rules?

Under the GDPR, the supervisory authority of each Member State will be entitled to impose more stringent administrative sanctions. And that is not all: sanctions can also be imposed by the courts. So, what could happen when one violates data protection rules?

The administrative sanctions imposed by the supervisory authority are twofold: it can (i) take one or more of the corrective measures listed in the GDPR, such as issuing a warning or imposing a temporary or definitive ban on the processing of personal data, or (ii) impose a fine, depending on the circumstances of each individual case, or do both.

For the latter, the GDPR stipulates two possible maximum fines, depending on the nature of the violation. The first maximum administrative fine is EUR 10 million or 2% of the defaulting entity's total worldwide annual turnover of the preceding financial year, whichever is higher. The GDPR identifies various grounds on which this fine could be imposed, for example a failure to notify a data breach, or a failure to implement appropriate technical and organisational measures for ensuring that, by default, only personal data that are necessary for each specific purpose of the processing are processed. An administrative fine can also be imposed if one fails to carry out a DPIA whenever required to do so.

The second maximum fine is EUR 20 million or 4% of the defaulting entity's total worldwide annual turnover of the preceding financial year, whichever is higher. This maximum applies to the more serious violations, such as transferring personal data to a third country without appropriate safeguards for the data, or disregarding a data subject's objection to the processing of his or her personal data.

In any event, when considering a sanction, the supervisory authority must take into account various factors, such as the duration of the violation, its intentional or negligent nature, the categories of data and the number of data subjects concerned, as well as the attitude of the defaulting entity, including any relevant previous violation(s). Also, the GDPR states that all measures must be effective, proportionate and dissuasive. This means that a supervisory authority is not entitled simply to impose any sanction it sees fit whenever there is a violation of data protection rules. Rather, it must ensure, and be able to justify, that the specific sanction imposed meets these objectives.

And if one disagrees with the sanction imposed? Then the sanctioned party may lodge an appeal before the courts of the Member State where the supervisory authority concerned is established.

In addition to these administrative sanctions, data controllers and/or processors can be sued before a court of the Member State where they are established or of the Member State where the data subject has his or her habitual residence. These proceedings can be brought by the data subjects themselves and/or by the relevant supervisory authority and even, under certain conditions, by any body, organisation or association that advocates the protection of personal data. The more specific remedies are those laid down in national law.

All of the foregoing reminds us that privacy compliance is becoming an even more significant issue. As we know, the GDPR will only become applicable as from 25 May 2018. It is to be expected, however, that supervisory authorities will already start interpreting current data protection legislation in the light of the new provisions of the GDPR.

Our Stibbe GDPR team

Barbra Bulsing, Junior Associate, barbra.bulsing@stibbe.com
Laurens Dauwe, Senior Associate, laurens.dauwe@stibbe.com
Carol Evrard, Junior Associate, carol.evrard@stibbe.com
Frédéric François, Senior Associate, frederic.francois@stibbe.com
Elisa Hendriksen, Associate, elisa.hendriksen@stibbe.com
Judica Krikke, Partner (Amsterdam), judica.krikke@stibbe.com
Johanne Mersch, Associate, johanne.mersch@stibbe.com
Carolien Michielsen, Junior Associate, carolien.michielsen@stibbe.com
Nicolas Roland, Counsel, nicolas.roland@stibbe.com
Mark Spuijbroek, Staff Associate, mark.spuijbroek@stibbe.com
Joost van Eymeren, Junior Associate, joost.vaneymeren@stibbe.com
Michiel Van Roey, Junior Associate, michiel.vanroey@stibbe.com
Erik Valgaeren, Partner, erik.valgaeren@stibbe.com
Valerie Vanryckeghem, Associate, valerie.vanryckeghem@stibbe.com

Key contacts

Judica Krikke, Partner, Amsterdam, judica.krikke@stibbe.com
Erik Valgaeren, Partner, Brussels, erik.valgaeren@stibbe.com
Nicolas Roland, Counsel, Luxembourg, nicolas.roland@stibbe.com

Locations

Amsterdam: Beethovenplein WM Amsterdam, The Netherlands, amsterdam@stibbe.com
Brussels: Central Plaza, Loksumstraat 25 Rue de Loxum, 1000 Brussels, Belgium, brussels@stibbe.com
Luxembourg: 6, rue Jean Monnet, 2180 Luxembourg, Luxembourg, luxembourg@stibbe.com
Dubai: Dubai International Financial Centre, Gate Village 10, Level 3, Unit 12, P.O. Box , Dubai, United Arab Emirates, dubai@stibbe.com
Hong Kong: Suite 1505, 15/F ICBC Tower, 3 Garden Road, Central, Hong Kong, hongkong@stibbe.com
London: 53 New Broad Street, London EC2M 1JJ, United Kingdom, london@stibbe.com
New York: 489 Fifth Avenue, 32nd Floor, New York, NY, United States of America, newyork@stibbe.com

All rights reserved. Care has been taken to ensure that the content of this newsletter is as accurate as possible. However, the accuracy and completeness of the information in this newsletter, largely based upon third-party sources, cannot be guaranteed. The materials contained in this newsletter have been prepared and provided by Stibbe for information purposes only. They do not constitute legal or other professional advice, and readers should not act upon the information contained in this newsletter without consulting legal counsel. Consultation of this newsletter will not create an attorney-client relationship between Stibbe and the reader. The newsletter may be used only for personal use and all other uses are prohibited. Stibbe 2017. Publisher: Erik Valgaeren, Stibbe, Central Plaza, Loksumstraat 25 rue de Loxum, BE-1000 Brussels.


More information

TimePlan Education Group Ltd ( the Company ) Data Protection. Date: April Version: 001. Contents

TimePlan Education Group Ltd ( the Company ) Data Protection. Date: April Version: 001. Contents Company Name: Document DP3 Topic: ( the Company ) Data Protection Policy Data Protection Date: April 2018 Version: 001 Contents Introduction Definitions Data processing under the Data Protection Laws 1.

More information

GDPR factsheet Key provisions and steps for compliance

GDPR factsheet Key provisions and steps for compliance GDPR factsheet Key provisions and steps for compliance Organisations hold vast amounts of personal data relating to customers, employees, and suppliers as well as within marketing databases. Compliance

More information

Whitepaper. What are the changes regarding data protection. in the future. General Data Protection Regulation? eprivacy GmbH, Hamburg, April 2017

Whitepaper. What are the changes regarding data protection. in the future. General Data Protection Regulation? eprivacy GmbH, Hamburg, April 2017 Whitepaper What are the changes regarding data protection in the future General Data Protection Regulation? eprivacy GmbH, Hamburg, April 2017 Authors: Prof. Dr. Christoph Bauer, Dr Frank Eickmeier, Dr

More information

GDPR Webinar 1: Overview of Preparing for the GDPR. T-Minus 441 Days (March 9, 2017) Presenter: Peter Blenkinsop.

GDPR Webinar 1: Overview of Preparing for the GDPR. T-Minus 441 Days (March 9, 2017) Presenter: Peter Blenkinsop. Webinar 1: Overview of Preparing for the T-Minus 441 Days (March 9, 2017) Presenter: Peter Blenkinsop peter.blenkinsop@dbr.com Agenda Introduction (5 mins) Level setting: Brief overview of main provisions

More information

General Data Protection Regulation Philippe Roggeband. Business Development, Manager, GSSO EMEAR

General Data Protection Regulation Philippe Roggeband. Business Development, Manager, GSSO EMEAR General Data Protection Regulation Philippe Roggeband Business Development, Manager, GSSO EMEAR Why should you care? Data Protection, and compliance with the General Data Protection regulation, is NOT

More information

The Sage quick start guide for businesses

The Sage quick start guide for businesses General Data Protection Regulation (GDPR): The Sage quick start guide for businesses Contents Introduction 3 Infographic: GDPR at a Glance 4 The basics 5 The GDPR in summary 5 Individual rights and informing

More information

GDPR Factsheet - Key Provisions and steps for Compliance

GDPR Factsheet - Key Provisions and steps for Compliance GDPR Factsheet - Key Provisions and steps for Compliance Organisations in the Leisure & Hospitality industry hold vast amounts of personal data relating to customers, employees, and suppliers as well as

More information

RSD Technology Limited - Data protection policy: RSD Technology Limited ( the Company )

RSD Technology Limited - Data protection policy: RSD Technology Limited ( the Company ) RSD Technology Limited - Data protection policy: Introduction Company Name: Document DP3 Topic: RSD Technology Limited ( the Company ) Data Protection Policy Data protection Date: 25 th May 2018 Version:

More information

THE GENERAL DATA PROTECTION REGULATION: A BRIEF OVERVIEW (*)

THE GENERAL DATA PROTECTION REGULATION: A BRIEF OVERVIEW (*) THE GENERAL DATA PROTECTION REGULATION: A BRIEF OVERVIEW (*) The first IBM Personal Computer was introduced just over 35 years ago, on August 12, 1981. The first-generation iphone was introduced in the

More information

Guidance on the General Data Protection Regulation: (1) Getting started

Guidance on the General Data Protection Regulation: (1) Getting started Guidance on the General Data Protection Regulation: (1) Getting started Guidance Note IR03/16 20 th February 2017 Gibraltar Regulatory Authority Information Rights Division 2 nd Floor, Eurotowers 4, 1

More information

Getting ready for the new data protection laws A guide for small businesses, charities and voluntary organisations

Getting ready for the new data protection laws A guide for small businesses, charities and voluntary organisations Getting ready for the new data protection laws A guide for small businesses, charities and voluntary organisations Page 1 of 22 Your business and the new data protection laws Data protection and privacy

More information

Data Privacy, Protection and Compliance From the U.S. to Europe and Beyond

Data Privacy, Protection and Compliance From the U.S. to Europe and Beyond Data Privacy, Protection and Compliance From the U.S. to Europe and Beyond InsideNGO's 2017 Annual Conference Washington, DC July 20, 2017 Shannon Yavorsky Partner, Venable LLP David Goodman Global Non-

More information

WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION

WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION REGULATION (GDPR) WHAT PAYROLL PROFESSIONALS NEED TO KNOW ABOUT THE GENERAL DATA PROTECTION REGULATION (GDPR) Published by: The

More information

CHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR. Legal02# v1[RXD02]

CHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR. Legal02# v1[RXD02] CHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR Legal02#67236978v1[RXD02] CHECKLIST FOR TASKS NEEDED IN ORDER TO COMPLY WITH GDPR Notes: We recommend that any business looking to comply with the

More information

closer look at Definitions The General Data Protection Regulation

closer look at Definitions The General Data Protection Regulation A closer look at Definitions The General Data Protection Regulation September 2017 V1 www.inforights.im Important This document is part of a series, produced purely for guidance, and does not constitute

More information

General Data Protection Regulation (GDPR) A brief guide

General Data Protection Regulation (GDPR) A brief guide General Data Protection Regulation (GDPR) A brief guide Document compiled by: Terence Clark & Dr. Nathan Matthews June 2017 Acknowledgements This document contains material from the Information Commissioner

More information

Preparing Your Vendor Agreements for the General Data Protection Regulation

Preparing Your Vendor Agreements for the General Data Protection Regulation Preparing Your Vendor Agreements for the General Data Protection Regulation Oliver Yaros Partner - London +44 (0)203 130 3698 oyaros@mayerbrown.com Lei Shen Senior Associate - Chicago +1 312 701 8852 lshen@mayerbrown.com

More information

ARTICLE 29 DATA PROTECTION WORKING PARTY

ARTICLE 29 DATA PROTECTION WORKING PARTY ARTICLE 29 DATA PROTECTION WORKING PARTY 17/EN WP 256 Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules (updated) Adopted on 29 November 2017 INTRODUCTION

More information

A GDPR Primer For U.S.-Based Cos. Handling EU Data: Part 1

A GDPR Primer For U.S.-Based Cos. Handling EU Data: Part 1 Portfolio Media. Inc. 111 West 19 th Street, 5th Floor New York, NY 10011 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com A GDPR Primer For U.S.-Based Cos. Handling

More information

Data Protection Policy. Data protection. Date: 28/4/2018. Version: 1. Contents

Data Protection Policy. Data protection. Date: 28/4/2018. Version: 1. Contents Company Name: Document: Topic: System People ( the Company ) Data Protection Policy Data protection Date: 28/4/2018 Version: 1 Contents Introduction Definitions Data processing under the Data Protection

More information

Pensions Authority Data Protection Considerations for Trustees of Occupational Pension Schemes

Pensions Authority Data Protection Considerations for Trustees of Occupational Pension Schemes Pensions Authority Data Protection Considerations for Trustees of Occupational Pension Schemes 1 INTRODUCTION The General Data Protection Regulation (GDPR) comes into force in all EU Member States on 25.

More information

Introduction to the General Data Protection Regulation (GDPR)

Introduction to the General Data Protection Regulation (GDPR) Introduction to the General Data Protection Regulation (GDPR) #CIPR / @CIPR_UK This guide is worth 5 CPD points Introduction to the General Data Protection Regulation (GDPR) / 2 Contents 1 Introduction

More information

The GDPR enforcement deadline is looming are you ready?

The GDPR enforcement deadline is looming are you ready? Link to Article The GDPR enforcement deadline is looming are you ready? 1 Compliance Is this relevant to the Wealth Management community is Asia? It is relevant to your business if you have an establishment

More information

Preparing for the GDPR

Preparing for the GDPR Preparing for the GDPR Note: These slides and the accompanying presentation contain a general summary and are not legal advice. Niall Rooney 03/11/2017 (1) Data Protection The Right to Data Protection

More information

GDPR: Are You Ready? Mapping the Road to GDPR Compliance. March 2018

GDPR: Are You Ready? Mapping the Road to GDPR Compliance. March 2018 GDPR: Are You Ready? Mapping the Road to GDPR Compliance March 2018 Agenda GDPR Overview Should you appoint a DPO? Accountability checklist/documentation required When is consent appropriate and how do

More information

Training Manual. DATA PROTECTION ACT 2018 (DPA18) Incorporating General Data Protection Regulations (GDPR) Data Protection Officer is Mike Bandurak

Training Manual. DATA PROTECTION ACT 2018 (DPA18) Incorporating General Data Protection Regulations (GDPR) Data Protection Officer is Mike Bandurak PROFESSIONAL INDEPENDENT ADVISERS LTD DATA PROTECTION ACT 2018 (DPA18) Incorporating General Data Protection Regulations (GDPR) Training Manual Data Protection Officer is Mike Bandurak GDPR introduction

More information

GDPR: AN OVERVIEW.

GDPR: AN OVERVIEW. GDPR: AN OVERVIEW www.amicuslegalconsultants.com AN OVERVIEW OF GDPR AND THE ROLE OF THE DATA PROTECTION OFFICER 1 INTRODUCTION The GDPR comes into effect across EU States on 25 May 2018, creating a level

More information

How employers should comply with GDPR

How employers should comply with GDPR 02 Mind your business Prepare for GDPR How employers should comply with GDPR Recommendations for employer compliance with GDPR The scope of the impact of the GDPR cannot be overstated. The GDPR will impact

More information

A PRACTICAL GUIDE FOR HOW AN ADVERTISER CAN PREPARE FOR GDPR JANUARY 2018

A PRACTICAL GUIDE FOR HOW AN ADVERTISER CAN PREPARE FOR GDPR JANUARY 2018 A PRACTICAL GUIDE FOR HOW AN ADVERTISER CAN PREPARE FOR GDPR JANUARY 2018 1 PURPOSE OF THIS DOCUMENT 2 This document is to be used as a guide for advertisers on how they should work with their agencies,

More information

December 28, 2018, New Delhi, INDIA

December 28, 2018, New Delhi, INDIA LexArticle December 28, 2018, New Delhi, INDIA GDPR COMPLIANCES BY INDIAN COMPANIES A BRIEF OVERVIEW GDPR COMPLIANCES BY INDIAN COMPANIES A BRIEF OVERVIEW If you have questions or would like additional

More information

General Personal Data Protection Policy

General Personal Data Protection Policy General Personal Data Protection Policy Contents 1. Scope, Purpose and Users...4 2. Reference Documents...4 3. Definitions...5 4. Basic Principles Regarding Personal Data Processing...6 4.1 Lawfulness,

More information

GDPR-CERTIFIED ASSURANCE REPORT BASED PROCESSING ACTIVITIES

GDPR-CERTIFIED ASSURANCE REPORT BASED PROCESSING ACTIVITIES GDPR-CERTIFIED ASSURANCE REPORT BASED PROCESSING ACTIVITIES CERTIFICATION CRITERIA Working draft for public consultation - 29 May 2018 Abstract Document to the attention of organizations that want to obtain

More information

EU General Data Protection Regulation: What Impact for Businesses Established Outside the EU and EEA Francoise Gilbert 1

EU General Data Protection Regulation: What Impact for Businesses Established Outside the EU and EEA Francoise Gilbert 1 EU General Data Protection Regulation: What Impact for Businesses Established Outside the EU and EEA Francoise Gilbert 1 The EU General Data Protection Regulation (GDPR), which replaces Directive 95/46/EC

More information

Breaking the myth How your marketing activities can benefit from the GDPR December 2017

Breaking the myth How your marketing activities can benefit from the GDPR December 2017 www.pwc.be Breaking the myth How your marketing activities can benefit from the GDPR December 2017 1. Introduction As opposed to a widespread belief, the GDPR aims to reinforce customers rights, whilst

More information

GDPR journey: from ready to compliant GDPR survey results

GDPR journey: from ready to compliant GDPR survey results GDPR journey: from ready to compliant GDPR survey results Readiness at a glance The General Data Protection Regulation (or GDPR ) took full effect on 25 May 2018. As a key data protection regulation,

More information

GDPR POLICY. This policy complies with the requirements set out in the GDPR, which will come into effect on

GDPR POLICY. This policy complies with the requirements set out in the GDPR, which will come into effect on GDPR POLICY Sponsors Statement All The Bishop of Winchester Academy policies exist to support the Sponsors vision, Christian ethos and values that are embedded in the day-to-day and long term running of

More information

GDPR. Legalities, Policies and Process Part 3 of our series on GDPR and its impact on the recruitment industry

GDPR. Legalities, Policies and Process Part 3 of our series on GDPR and its impact on the recruitment industry GDPR Legalities, Policies and Process Part 3 of our series on GDPR and its impact on the recruitment industry Who are we? Dillistone Group Plc, a public company listed on the AIM market of the London stock

More information

The New EU General Data Protection Regulation 1

The New EU General Data Protection Regulation 1 The New EU General Data Protection Regulation 1 Dear clients and friends, On 14 April 2016 the EU Parliament formally approved the General Data Protection Regulation ( the Regulation ). The Regulation

More information

GDPR & SMART PIA. Wageningen University Feb 2017

GDPR & SMART PIA. Wageningen University Feb 2017 GDPR & SMART PIA Wageningen University Feb 2017 Tips for Action: Anticipate on the new EU General Data Protection Regulation (GDPR) to determine the privacy standards GDPR has been adopted by EU Parliament

More information

General Data Protection Regulation (GDPR) Frequently Asked Questions

General Data Protection Regulation (GDPR) Frequently Asked Questions General Data Protection Regulation (GDPR) Frequently Asked Questions 26 March 2018 0 Contents Introduction... 3 What is GDPR?... 3 Who does the GDPR apply to?... 3 Are tax advisers data controllers or

More information

Nissa Consultancy Ltd Data Protection Policy

Nissa Consultancy Ltd Data Protection Policy Nissa Consultancy Ltd Data Protection Policy CONTENTS Section Title 1 Introduction 2 Why this Policy Exists 3 Data Protection Law 4 Responsibilities 5 6 7 8 9 10 Data Protection Impact Assessments (DPIA)

More information

EU data protection reform

EU data protection reform EU data protection reform Background and insight A Whitepaper Executive summary The Irish Data Protection Acts 1988 and 2003 gave effect to the European Data Protection Directive 95/46/EC. The existing

More information

General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR) General Data Protection Regulation (GDPR) The EU General Data Protection Regulation (GDPR) What is the GDPR? The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) was adopted on 27 April,

More information

ACCENTURE BINDING CORPORATE RULES ( BCR )

ACCENTURE BINDING CORPORATE RULES ( BCR ) ACCENTURE BINDING CORPORATE RULES ( BCR ) EXECUTIVE SUMMARY INTRODUCTION Complying with data privacy laws is part of Accenture s Code of Business Ethics (COBE). In line with our COBE, we implement recognized

More information

Page 1 of 7 Recommendation CM/Rec(2010)13 of the Committee of Ministers to member states on the protection of individuals with regard to automatic processing of personal data in the context of profiling

More information

The Committee of Ministers, under the terms of Article 15.b of the Statute of the Council of Europe,

The Committee of Ministers, under the terms of Article 15.b of the Statute of the Council of Europe, Recommendation CM/Rec(2015)5 of the Committee of Ministers to member States on the processing of personal data in the context of employment (Adopted by the Committee of Ministers on 1 April 2015, at the

More information

EU General Data Protection Regulation in the digital age: Are you ready?

EU General Data Protection Regulation in the digital age: Are you ready? EU General Data Protection Regulation in the digital age: Are you ready? What do you need to know about the new EU General Data Protection Regulation? Data protection has entered a period of unprecedented

More information

Vendor Agreements and the New EU GDPR Steps to Take Now

Vendor Agreements and the New EU GDPR Steps to Take Now Presenting a live 90-minute webinar with interactive Q&A Vendor Agreements and the New EU GDPR Steps to Take Now Complying With the EU General Data Protection and Privacy Regulation TUESDAY, JANUARY 30,

More information

GDPR APPLICABILITY TO EXPATRIATE EMPLOYEES

GDPR APPLICABILITY TO EXPATRIATE EMPLOYEES Aon Global Benefits GDPR APPLICABILITY TO EXPATRIATE EMPLOYEES EU General Data Protection Regulation for Expatriates. March 2018 Table of Contents Introduction... 3 1. GDPR Scope of Applicability... 4

More information

Privacy Policy. To invest significant resources in order to respect your rights in connection with Personal Data about you:

Privacy Policy. To invest significant resources in order to respect your rights in connection with Personal Data about you: Privacy Policy Last updated: May 17, 2018 This is the privacy policy (the Policy ) of the website www.experitest.com (the "Website") operated by Experitest Ltd., of 10 HaGavish St, 4250708 Poleg, Israel

More information

PRIVACY STATEMENT Date: 25 May 2018

PRIVACY STATEMENT Date: 25 May 2018 PRIVACY STATEMENT Date: 25 May 2018 1 Introcution MULTI BELGIUM MANAGEMENT BVBA ( Multi ) process your personal data if you access our website and applications, if we provide products or services to you

More information

EU General Data Protection Regulation: Are you ready?

EU General Data Protection Regulation: Are you ready? EU General Data Protection Regulation: Are you ready? Powered by Global Markets EY Knowledge Contents What do you need to know about the new EU General Data Protection Regulation? Are organisations ready

More information

Policy Document for: Data Protection (GDPR) Approved by Directors: September Due for Review: September Statement of intent

Policy Document for: Data Protection (GDPR) Approved by Directors: September Due for Review: September Statement of intent Policy Document for: Data Protection (GDPR) Approved by Directors: September 2017 Due for Review: September 2020 1. Statement of intent Timu Academy Trust is required to keep and process certain information

More information

1 Privacy by Design: The Impact of the new European Regulation on Data protection. Introduction

1 Privacy by Design: The Impact of the new European Regulation on Data protection. Introduction Introduction On April 2016 the European Parliament approved the General Data Protection Regulation (GDPR). This new regulation, with mandatory implementation by Member States (MS) and businesses that have

More information

PRIVACY STATEMENT Date: 25 May 2018

PRIVACY STATEMENT Date: 25 May 2018 PRIVACY STATEMENT Date: 25 May 2018 1 Introcution MULTI ITALY S.R.L. ( Multi ) process your personal data if you access our website and applications, if we provide products or services to you or the organization

More information

CNPD Training: Data Protection Basics

CNPD Training: Data Protection Basics CNPD Training: Data Protection Basics The obligations of controllers and processors Esch-sur-Alzette Mathilde Stenersen 7-8 February 2018 Legal service Outline 1. Introduction 2. Basic elements 3. The

More information

LAST UPDATED June 11, 2018 DATA PROTECTION POLICY. International Foundation for Electoral Systems

LAST UPDATED June 11, 2018 DATA PROTECTION POLICY. International Foundation for Electoral Systems LAST UPDATED June 11, 2018 DATA PROTECTION POLICY International Foundation for Electoral Systems 1. Purpose 1.1. International Foundation for Electoral Systems is committed to complying with privacy and

More information

The General Data Protection Regulation and associated legislation. Part 1: Guidance for Community Pharmacy. Version 1: 25th March 2018

The General Data Protection Regulation and associated legislation. Part 1: Guidance for Community Pharmacy. Version 1: 25th March 2018 The General Data Protection Regulation and associated legislation Part 1: Version 1: 25th March 2018 Introduction The General Data Protection Regulation and, when enacted, the Data Protection Act 2018

More information

GDPR: An Evolution, Not a Revolution

GDPR: An Evolution, Not a Revolution GDPR: An Evolution, Not a Revolution Disclaimer This article does not constitute legal advice, nor is this information intended to create or rise to the level of an attorney-client relationship. You should

More information

Baptist Union of Scotland DATA PROTECTION POLICY

Baptist Union of Scotland DATA PROTECTION POLICY Baptist Union of Scotland DATA PROTECTION POLICY Adopted: May 2018 1 1.The Baptist Union of Scotland 48, Speirs Wharf, Glasgow G4 9TH (Charity Registration SC004960) is committed to protecting all information

More information

ARTICLE 29 Data Protection Working Party

ARTICLE 29 Data Protection Working Party ARTICLE 29 Data Protection Working Party 17/EN WP264 rev.01 Recommendation on the Standard Application for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data Adopted on 11

More information

EU General Data Protection Regulation: are you ready?

EU General Data Protection Regulation: are you ready? EU General Data Protection Regulation: are you ready? Contents What you need to know about the new EU General Data Protection Regulation Is your organization ready for the EU General Data Protection Regulation?

More information

General Data Protection Regulation. Jim Sneddon GDPR-P, CISSP

General Data Protection Regulation. Jim Sneddon GDPR-P, CISSP General Data Protection Regulation Jim Sneddon GDPR-P, CISSP "The GDPR is actually already in force, it is just that Member States are not obligated to apply it until 25 May 2018. It s your job, it s your

More information

ACADEMIC AFFAIRS COUNCIL ******************************************************************************

ACADEMIC AFFAIRS COUNCIL ****************************************************************************** ACADEMIC AFFAIRS COUNCIL AGENDA ITEM: 4 D (3) DATE: February 21, 2018 ****************************************************************************** SUBJECT EU Data Protection Regulations CONTROLLING STATUTE,

More information

Preparing for the General Data Protection Regulation (GDPR)

Preparing for the General Data Protection Regulation (GDPR) Preparing for the General Data Protection Regulation (GDPR) ServiceNow Governance, Risk, and Compliance Table of Contents What is the GDPR?...3 Key Requirements for the GDPR...4 Accountability, Policies,

More information

The EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry

The EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry The EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry 1 Contents Introduction 5 Brexit: GDPR or New UK Law? 8 The eprivacy Directive 10 The GDPR: 10 Key Areas

More information

Comments on Chapter IV Part I Controller and processor 25/08/2015 Page 1

Comments on Chapter IV Part I Controller and processor 25/08/2015 Page 1 Comments on Chapter IV Part I Controller and processor 25/08/2015 Page 1 Bitkom represents more than 2,300 companies in the digital sector, including 1,500 direct members. With more than 700,000 employees,

More information

ARTICLE 29 DATA PROTECTION WORKING PARTY

ARTICLE 29 DATA PROTECTION WORKING PARTY ARTICLE 29 DATA PROTECTION WORKING PARTY 00350/09/EN WP 159 Opinion 1/2009 on the proposals amending Directive 2002/58/EC on privacy and electronic communications (e-privacy Directive) Adopted on 10 February

More information

The General Data Protection Regulation in health & social care. 6 October 2016 Leeds

The General Data Protection Regulation in health & social care. 6 October 2016 Leeds The General Data Protection Regulation in health & social care 6 October 2016 Leeds Session outline 09.05am: Roadmap of the GDPR 10.15am: Coffee break 10.30: GDPR impact: Streetview Employment Rights of

More information

TECHNICAL RELEASE TECH 05/14BL. Data Protection Handling information provided by clients

TECHNICAL RELEASE TECH 05/14BL. Data Protection Handling information provided by clients TECHNICAL RELEASE TECH 05/14BL Data Protection Handling information provided by clients ABOUT ICAEW ICAEW is a world leading professional membership organisation that promotes, develops and supports over

More information

SCHOOLS DATA PROTECTION POLICY. Guidance Notes for Schools

SCHOOLS DATA PROTECTION POLICY. Guidance Notes for Schools SCHOOLS DATA PROTECTION POLICY Guidance Notes for Schools Please read this policy carefully and ensure that all spaces highlighted in the document are completed prior to publication. Please ensure that

More information

European Union General Data Protection Regulation 2016 (Effective 25 May 2018)

European Union General Data Protection Regulation 2016 (Effective 25 May 2018) European Union General Data Protection Regulation 2016 (Effective 25 May 2018) European Union General Data Protection Regulation 2016 (Effective 25 May 2018) CONTENTS Why is the GDPR relevant to Hong

More information

What you need to know. about GDPR. as a Financial Broker. Sponsored by

What you need to know. about GDPR. as a Financial Broker. Sponsored by What you need to know about GDPR as a Financial Broker Dear Partner The regulatory and compliance environment is ever changing and the burden and requirements on financial services professionals continues

More information

The Heritage Alliance. Data Privacy Policy

The Heritage Alliance. Data Privacy Policy The Heritage Alliance Data Privacy Policy 1. INTRODUCTION 1.1 As a national charity supporting heritage organisations in England, The Heritage Alliance ( HA ) has a responsibility to ensure that it uses

More information

P Drive_GDPR_Data Protection Policy_May18_V1. Skills Direct Ltd ( the Company ) Data protection. Date: 21 st May Version: Version 1.

P Drive_GDPR_Data Protection Policy_May18_V1. Skills Direct Ltd ( the Company ) Data protection. Date: 21 st May Version: Version 1. Company Name: Document DP3 Topic: Skills Direct Ltd ( the Company ) Data Protection Policy Data protection Date: 21 st May 2018 Version: Version 1 Contents Introduction Definitions Data processing under

More information

LEGAL ICT FACT SHEET PRIVACY AND MONITORING AT WORK UNDER THE GDPR 2 WHAT KIND OF PERSONAL DATA DOES AN EMPLOYER PROCESS?

LEGAL ICT FACT SHEET PRIVACY AND MONITORING AT WORK UNDER THE GDPR 2 WHAT KIND OF PERSONAL DATA DOES AN EMPLOYER PROCESS? LEGAL ICT FACT SHEET PRIVACY AND MONITORING AT WORK UNDER THE GDPR On May 25th 2018, the General Data Protection Regulation ( GDPR ) will enter into force. With penalties of up to the higher of 20 million

More information
