General Data Protection Regulation: Global Scope, More Duties, Big Fines
October 5, 2017
Presented By:
• Etienne Drouard, Partner, K&L Gates (Paris)
• Ignasi Guardans, Partner, K&L Gates (Brussels)
• Ewelina Madej, Senior Associate, K&L Gates (Warsaw)
• Dr. Thomas Nietsch, Associate, K&L Gates (Berlin)

General Data Protection Regulation
• Adopted on April 27, 2016
• In force as of May 25, 2018
• http://eur-lex.europa.eu/eli/reg/2016/679/oj
Regulation vs. National Law
• Directly effective in EU Member States without need for implementing law
• BUT, EU Member States still can implement laws on certain data protection matters

Personal Data
CATEGORIES OF PERSONAL DATA
New definitions (Article 4):
• PROFILING
• PSEUDONYMOUS DATA
• GENETIC DATA
• BIOMETRIC DATA
• DATA CONCERNING HEALTH
EXTRA-TERRITORIAL SCOPE (Article 3)
GDPR applies if controller or processor is:
• established in the EU;
• not established in the EU but offering goods or services to data subjects in the EU; or
• not established in the EU but monitoring behavior of data subjects in the EU.

“ONE STOP SHOP”
• Cross-border data processing: one lead supervisory authority
PRINCIPLES OF PERSONAL DATA PROCESSING
o Lawfulness, fairness and transparency
o Purpose Limitation – specified, explicit and legitimate purpose
o Data Minimization – adequate, relevant and limited to purpose
o Accuracy – accurate and up-to-date
o Storage Limitation – no longer than is necessary for the purpose
o Integrity and confidentiality – appropriate security

DATA SUBJECTS’ RIGHTS
• Consent is explicit, informed and freely given
• Enhanced rights to (i) access personal data and (ii) object to processing of personal data
• “Right to be forgotten” (right to erasure)
• Right to data portability
• New principles regarding profiling
CONDITIONS FOR CONSENT
• Freely given, specific, informed and unambiguous
• Right to withdraw consent at any time
• Unbundled

CONDITIONS FOR CONSENT
• Clear, simple and easily understandable
• Controller bears burden of proof that consent was granted
• Clear affirmative action or statement
CONSENT OF CHILDREN
o Older than age 16: processing is lawful
o Younger than age 16: processing is lawful only if and to the extent that the consent is given or authorized by the child’s parent or custodian
o Compare U.S. COPPA, which requires verifiable parental consent before personal information is collected from children under age 13.

CONSENT OF CHILDREN
BUT:
• EU Member States can implement a younger age, but not younger than age 13.
• Controller must make “reasonable efforts” to verify that the child’s parent or custodian provided or authorized consent.
BASES OF DATA PROCESSING
• Consent
• Execution of a contract with the data subject
• Controller’s legal obligations
• Protection of vital interests of the data subject or another person

BASES OF DATA PROCESSING
• Processing carried out in the public interest or in the exercise of official authority vested in the controller
• Legitimate interests pursued by the controller or by a third party
CONTROLLER AND PROCESSOR
Controller:
• Natural or legal person
• Establishes purposes and means of data processing
• Joint controllers
Processor:
• Natural or legal person
• Processes data on behalf of the controller
• Contract to ensure processing is lawful
CONTROLLER – DUTIES
• Provide technical and organizational safeguards for data protection, conduct PIA, appoint Data Protection Officer
• Guarantee rights of data subjects – documentation (including notification), deletion, portability
• Duties regarding DPA or other regulators – reporting security breaches, consultations prior to processing

CONTROLLER
• Compliance with GDPR by adherence to codes of conduct and certifications approved by regulatory body
• Applying codes or certifications does not eliminate responsibility
• Documentation of data processing – registers
PROCESSOR
• Technical and organizational means
• Reporting breaches to controller
• Share personal data with third parties only with controller’s prior approval
• Documentation of data processing
• Appointment of Data Protection Officer
• More detailed contract for provision of data
PERSONAL DATA BREACH
• Broad definition of personal data breach
• Processor must inform controller
• Reporting unless no risk to rights and freedoms of individuals
• 72 hours to inform local regulatory body where the controller is established
• Controller – if high risk to rights and freedoms of individuals, then inform data subjects
DATA PROTECTION OFFICER
Rights:
• Independence
• Involved in all material data protection matters
• Adequate resources
• Expertise
Duties:
• Informing and training
• Cooperating with regulatory body

WHEN DATA PROTECTION OFFICER APPOINTMENT IS MANDATORY
• Public authorities (apart from courts in the scope of judicial power)
• Regular and systematic monitoring of subjects on a large scale
• Processing data on a large scale is core business activity
• One Data Protection Officer for a group of companies
PRIVACY BY DESIGN
• Consider privacy when designing product
• Consider security of personal data:
  • prior to data processing
  • throughout entire product life cycle
• Compliance with data processing principles, e.g., data minimization
• Pseudonymization

PRIVACY BY DEFAULT
• Default settings protect users’ privacy
• Only necessary personal data is automatically processed
• Protect privacy even if user does not take any affirmative action
PRIVACY IMPACT ASSESSMENT (PIA)
• Identify and minimize data protection risk
• PIA is mandatory for “high risk” processing, e.g., when data is processed by new technologies
• Mandatory consultations with local regulatory body whenever PIA indicates high risk to data protection if no minimizing means will be applied
• Recommended – conducting PIA before making choice of processor

WHAT SHOULD PIA CONTAIN?
• Description of processing and its purpose
• Assessment of necessity and proportionality of processing
• Assessment of risk of infringing rights and freedoms of data subjects
• Assessment of safeguards for personal data and ensuring compliance with GDPR
RESPONSIBILITY: Controller vs. Processor
Controller is not responsible for unlawful processing if:
• it can prove absence of guilt
Processor is responsible for unlawful processing if:
• it did not fulfill duties directly imposed on it by GDPR
• it acted outside of the scope of, or against, the controller’s instructions
RATE OF PENALTIES
Fines may amount to a maximum of €10m or up to 2% of world annual turnover, whichever is higher, for each breach of:
• duties of controller and processor, e.g., children, consent, default data protection
• duties of certifying entity
• duties of monitoring entity

RATE OF PENALTIES
Financial penalty may amount to a maximum of €20m or up to 4% of world annual turnover, whichever is higher, for one breach of:
• basic principles of processing, including consent
• rights of data subjects
• cross-border data transfers
THE EU-US PRIVACY SHIELD
• European Commission and the United States agreed on new rules for EU personal data transfers – February 2, 2016 (EU-US Privacy Shield)
• Compatible with rules set out in the CJEU Schrems ruling (October 10, 2015)
• Enhanced duties for protection of EU citizens’ personal data
• Supervised by U.S. Department of Commerce and US Federal Trade Commission in cooperation with European data protection authorities
• Access to personal data will be limited and supervised
• Questions and complaints connected with data transfers can be presented to new regulatory body
• Implemented July 2016
RECOMMENDATIONS:
• Investigate current technical and organizational safeguards
• Determine whether to appoint Data Protection Officer
• Check contracts regarding data processing
• Conduct PIAs
• Update policies / create record of processing
• Introduce system for managing new/enhanced data subject rights

Q&A SESSION