GDPR breakfast roundtable: legal grounds for use & data mapping. Jurriaan Jansen Nikolai de Koning Norton Rose Fulbright LLP 23 May 2017

Transcription

1 GDPR breakfast roundtable: legal grounds for use & data mapping Jurriaan Jansen Nikolai de Koning Norton Rose Fulbright LLP 23 May 2017

2 Agenda Legal grounds for processing personal data Necessary for the performance of a contract Compliance with a legal obligation Legitimate interests Consent Other grounds Sensitive personal data Export of personal data Data mapping Why should you map the personal data flows in your organisation? Practical recommendations 2

3 EU data protection reform Replace current EU Directive (and Member State implementing legislation) with a directly effective EU Regulation Top fine higher of 20m or 4% of worldwide turnover Stricter & more onerous requirements Stricter consent rules; more extensive privacy notices New data subject rights: to be forgotten & data portability Strict rapid data breach reporting (already applicable in the Netherlands as of 1 January 2016) Accountability: must document processing, controls and audit same Processor liability Export some streamlining & some further restriction One stop shop 3

4 GDPR timeline GDPR published in the Official Journal of the EU 4 May 2016 Q Q Q Proposal for e-privacy Regulation by EU Commission Expected: Passing of MS data protection laws GDPR delegated acts Guidance by SAs Q Q Q Q Application of GDPR (Intended application of e-privacy Regulation) 25 May 2018 Repeal of EU Directive 4

5 Legal grounds for processing personal data

6 Processing grounds Processing of personal data is only lawful if and to the extent at least one legal ground is available The GDPR does not change the legal grounds for processing Most commonly used legal grounds: You have consent to do so It is necessary to do so under contract There is a legal obligation to do so There is a compelling, legitimate interest to do so 6

7 Necessary for the performance of a contract Data subject must be a party to the agreement and be aware of its participation Also covers the pre-contractual phase (at the request of the data subject) Involvement of third party personal data in performing a contract Example: instructing your bank to make a payment to a third party Examples Providing credit card and address details for ordering a book online? Credit reference checks prior to the grant of a loan? Marketing? 7

8 Legitimate interests processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child Requires a balancing of the legitimate interests of the controller, or any third parties to whom the data are disclosed, against the interests or fundamental rights and freedoms of the data subject Not just weighing of two easily quantifiable / comparable weights ; fully consider number of factors, including whether data subject reasonably expects processing The outcome of this balancing test determines whether this ground may be relied upon Burden of proof lies with controller Some scenarios Special offer by a sushi chain Using food orders to adapt health insurance premiums 8

9 Necessary for compliance with a legal obligation Controller must be subject to legal obligation with a basis in Union or Member State law i.e. no third country legislation (although legitimate interest grounds may be available in that case) No specific law required for each individual processing No explicit obligation required, but legal obligation itself must be sufficiently clear as to what processing of personal data it requires Necessity Examples Salary data reporting to tax and social security authorities Reporting suspicious transactions under AML legislation 9

10 Consent Specific and informed No imbalance freely given Unambiguous Not bundled Statement or affirmative action Consent Unnecessary data required as condition of service provision Intelligible Highlight right to withdraw Distinguishable 10

11 Consent (1) 11

12 When is consent appropriate? Consent is one lawful basis for processing, but there are alternatives. Always consider whether an alternative ground is available Should provide real choice and control over how you use their data, and want to build their trust and engagement Consent generally not be a precondition of a service Public authorities, employers and other organisations in a position of power over individuals to avoid relying on consent Existing consents? Recital 171 of the GDPR 12

13 Other grounds Other grounds that could make processing lawful: necessary in order to protect the vital interests of the data subject or of another natural person necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller Vital interests Some examples Performance of a task carried out in the public interest / exercise of official authority Some examples 13

14 Sensitive personal data Stricter regime (i.e. prohibition) applies to the processing of sensitive categories of personal data What data is considered sensitive personal data? GDPR provides for limited set of exceptions to prohibition to process sensitive personal data Explicit consent (except where Union or Member State law provides that prohibition may not be lifted) Employment and social security and social protection law purposes Vital interests Political, philosophical, religious or trade union purposes (under strict conditions) Data manifestly made public by the data subject Establishment, exercise or defence of legal claims Etc. 14

15 Transferring personal data outside the EEA EEA White List Iceland Andorra Faroe Islands Isle of Man Switzerland Lichtenstein Argentina Guernsey Israel Uruguay Norway Canada Jersey New Zealand USA The EU-U.S. (and Swiss- U.S.) Privacy Shield Otherwise: Certain narrow exemptions EU Model Clauses with importer Controller Binding Corporate Rules Processor Binding Corporate Rules 15

16 Data mapping

17 Map data uses & flows why? (1) Specific obligation to maintain records of processing activities (Article 30 GDPR) name & contact details of any controller (or rep) and the DPO purpose of the processing categories of data subjects and personal data categories of recipients, including in third countries details of transfers to third countries (including documentation of suitable safeguards) where possible, envisaged time limits for erasure of the different categories of data where possible, a general description of the TOMs applied You won t be able to comply with the new privacy notice / privacy by design requirements without doing so (Articles 13/14/25 GDPR) legal basis for processing legitimate interests pursued if relying on legitimate interests ground export solution if exporting to third country (with means to obtain a copy) taking into account data protection when developing products or services source of data and whether it came from publicly available sources 17

18 Map data uses & flows why? Accountability! Abolition of the prior formal notification regime but counterpart: new accountability principle Accountability entails both (i) being compliant and (ii) being able to demonstrate compliance at any given moment Article 5(2) The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ( accountability ) Article 24 [ ] the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary. 18

19 Map data uses & flows why? (2) You will need this information to respond to data subject rights (Article 15 GDPR) recipients or categories of recipients to whom they are disclosed existence of automated decision making exceeding the thresholds 19

20 Specimen GDPR data uses register Title of Purpose Title of purpose - division of purposes should be such that differences in processing can be captured Processing Purpose Brief description of processing activ ities in purpose Department & Person Responsibl e for the Processing Person responsible must be consulted if any breaches or changes to processing Source of Data Data Subjects High lev el categories of data subjects (eg employ ees, contractors, customers) Categories of Personal Data High lev el categories of nonsensitiv e data Sensitive Personal Data or other data subject to specific rules Specif y if any health, sex lif e, criminal, ethnic, trade union, political, religious data Disclosures to processors Specif y any subcontract ors Disclosures to controllers (service recipients) Specif y if disclosed to any 3rd parties Storage location Specif y primary and secondary storage locations Any transfer to/access from outside EEA and export solution to legitimise Access is treated as transf er Specif y the location of the third country and/or the name of the international organisation to whom data is disclosed Add consent, EU MC, BCRs, other derogation (specif y ) Data Retention Period Specif y data retention period Security Where f easible, please prov ide f or a general description of the security measures in place (or insert a ref erence to the relev ant documentati on usually done on a legend basis) Processing Ground & FPI Specif y ground justif y ing processing and how f air processing inf ormation giv en Recruitment Application process up to successf ul hire HR, Applicants Vetting agencies Internet 3rd party ref erees Potential and existing employ ee and contractors HireRight employ ee screening Oracle HRIS hosting Law enf orcement Parent co f or senior hires Dutch primary Oracle HRIS US back up Oracle HRIS EU MC with Oracle f or US back up 6 months if unsuccessf ul Otherwise whilst employ ed + 6 y ears Employ ment obligations Consent FPI giv en in application f orms 20

21 Content of the Register Mandatory Article 30 (1) and 30 (2) GDPR requirements the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer the purposes of the processing a description of the categories of data subjects and of the categories of personal data the categories of recipients including recipients in third countries where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards the envisaged time limits for erasure of the different categories of data a general description of the technical and organisational security measures Additional recommendation We recommend supplementing Article 30 (1) requirements with information required to be included in privacy notices in Articles 13 and 14: The legal basis of the processing, and when the processing is based on the legitimate interests of the controller, identification of the legitimate interests invoked 21

22 Where to start within your organisation? Decide on the methodology that you will use Internal only or involving external advisers? Use of third party tools? Consider business as a whole and divide it up into areas of activity HR (including recruitment, pensions data, salary data, whistleblowing) Customer data (services and products, anti-fraud) Marketing Procurement IT Subdivide areas of activity into business processes with commonality of data use 22

23 Where to start within your organisation? (1) Who within your organisation will be responsible for data protection compliance? Appoint a business process owner? Ask stakeholders with knowledge in relevant areas of the business Ensuring business process owners are sufficiently knowledgeable regarding personal data use Relevant business process owners to complete questionnaires and participate in interviews 23

24 Questionnaires/interviews 24

25 Questionnaires/interviews (1) 25

26 Questionnaires/interviews (2) 26

27 What steps next? Follow-up meeting to discuss input questionnaires and outcome of interviews Verify with IT department? Time to populate the GDPR data uses register 27

28 Populating the GDPR data uses register GDPR Register Table Separate table to be completed in relation to each type of use of Personal Data in this area (e.g. a table for Personal Data processed to record employee absences, a table for Personal Data processed for disaster response purposes, etc.) (To be completed by stakeholders after completion of questionnaire and, w here applicable, after meeting w ith NRF LLP) Data Controller Processing Purpose Title [Free form] Source of data Source of Personal Data how is this Personal Data obtained by the organisation? Categories of non-sensitive personal data List types of non-sensitive Personal Data collected Categories of sensitive personal data List any Sensitive Personal Data (including card data, national ID numbers, social security numbers) collected [Free form] Category Tick if applicable Contact details [ ] IP address/device identifier [ ] Date of birth [ ] Work related information (eg. Performance [Free form] metrics) Non-w ork related information (eg. Personal [Free form] s) Others [Free form] Category Tick if applicable Racial or ethnic origin [ ] Political opinion [ ] Religious or philosophical beliefs [ ] Trade union membership [ ] Genetic data [ ] Biometric data [ ] Health data [ ] Sex life [ ] Sexual orientation [ ] Social security numbers [ ] Criminal offences [ ] 28

29 Populating the GDPR data uses register (1) GDPR Register Table Separate table to be completed in relation to each type of use of Personal Data in this area (e.g. a table for Personal Data processed to record employee absences, a table for Personal Data processed for disaster response purposes, etc.) Categories of data subjects (To be completed by stakeholders after completion of questionnaire and, w here applicable, after meeting w ith NRF LLP) Who does the Personal Data relate to? Purpose for w hich it is used Category Tick if applicable Customers [ ] Suppliers [ ] Employees [ ] Other [Free form] [Free form] What is it used for include brief description? Grounds for processing What grounds are being relied on to process the personal data for this purpose? Data storage Where is the data stored (state application/ service provider/ country if know n)? Recipients inside organisation Ground Tick if applicable Legitimate interest [ ] Consent [ ] Others [Free form] Application(s): Country: Role, department, country: Who inside organisation can access the data/ has the data transferred to them (specify if they access data / are transferred data, include role, department, country in w hich they are located (and if outside EEA the basis for transferring to that country))? Access/ transfer to: Please complete separately for each category of recipients Recipients outside organisation Organisation: Who outside organisation can access the data/ has data transferred to them (specify if they access data / are transferred data, if they use it to provide service to organisation or use for their ow n purposes, country in w hich they are located (and if outside EEA the basis for transferring to that country))? Please complete separately for each category of recipients To provide service/ use for ow n purpose (specify purpose): Access/ transfer to: 29

30 Populating the GDPR data uses register (2) GDPR Register Table Separate table to be completed in relation to each type of use of Personal Data in this area (e.g. a table for Personal Data processed to record employee absences, a table for Personal Data processed for disaster response purposes, etc.) Data retention (To be completed by stakeholders after completion of questionnaire and, w here applicable, after meeting w ith NRF LLP) [Free form] How long w ill the data be stored? Is the data destroyed at the end of the retention period or kept on a separate archive support w ith limited access? Security / confidentiality [Free form] 30

31 Questions 31

32

33 Disclaimer Norton Rose Fulbright US LLP, Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP an d Norton Rose Fulbright South Africa Inc are separate legal entities and all of them are members of Norton Rose Fulbright Verein, a Swiss verein. Norton Rose Fulbright Verein helps coordinate the activities of the members but does not itself provide legal services to clients. References to Norton Rose Fulbright, the law firm and legal practice are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together Norton Rose Fulbright entity/entities ). No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is described as a partner ) accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity. The purpose of this communication is to provide general information of a legal nature. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If yo u require any advice or further information, please speak to your usual contact at Norton Rose Fulbright. 33