Proposed EU Data Protection Regulation: Impact on Handling of Data Breach, DPOs and Staff Surveillance by non-EEA Financial Services Firms
Cross Border Group, 28 February 2013
39 Offices in 19 Countries

Agenda
1) Proposed EU Data Protection Regulation
2) Data Breaches
3) Data Protection Officers
4) Employee Surveillance

Your speakers today
• Caroline Egan (Birmingham, UK)
• Ann La France (London, UK)
• Stephanie Faber (Paris, France)
• Andreas Fillmann (Frankfurt, Germany)
1) Proposed EU Data Protection Regulation

Proposed EU Data Protection Regulation
• Direct applicability of the Regulation across EU Member States
  NB: possible conflict with existing national laws (e.g. money laundering, fraud)
• The proposed Regulation provides three tiers of sanctions
  – Up to a maximum fine of € 1,000,000 or, in the case of an "enterprise", up to 2% of its annual worldwide turnover
• Projected timetable
  – Significance of 10/14
  – 2-year phase-in
• Accompanying Directive: implications
2) Data Breaches

EU, France & UK: Existing Rules
• e-Privacy Directive (2002/58/EC, amended in 2009)
  – Article 4(3): data breach notification limited to providers of "publicly available electronic communications services"
  – Proposed data breach notification Regulation (to be made public March 2013)
    – Applies to telecoms providers only
    – Expected 24-hour notification obligation
    – Possibly a "trial run" for the proposed Data Protection Regulation
• Data Protection Directive (95/46/EC)
  – Currently no obligation to notify a data breach to enforcement authorities
• France: no legal obligation to notify, other than under the e-Privacy Directive (implemented in August 2011)
• UK: no obligation to notify under the Data Protection Act
  – No other legal obligation to notify, other than under the e-Privacy Directive (implemented through amendment of the Privacy and Electronic Communications (EC Directive) Regulations 2003)
  – However, the ICO has issued guidance: a "serious" breach should be notified, and failure to do so is cited as a factor in determining whether penalties are imposed and their severity
Germany: Existing Rules
• Federal Data Protection Act (BDSG), Section 42a
• The data controller must implement appropriate technical and organizational measures to prevent data breaches
• Personal data breach notification is required if one of the following data categories is concerned:
  – sensitive data
  – personal data subject to professional or official secrecy
  – personal data referring to actual or suspected criminal or administrative offences; or
  – personal data concerning bank or credit card accounts
  and the personal data have been transferred unlawfully or otherwise accessed by third parties
• If the data have been unlawfully disclosed to third parties and this threatens serious harm to the rights or legitimate interests of the data subjects, the data controller must notify the competent authority and the data subjects without delay

Germany: Existing Rules cont'd
• Individuals must be informed as soon as appropriate measures to safeguard the data have been taken:
  – Description of the unlawful disclosure
  – Recommendations to limit negative consequences
  NB: the information provided must not endanger criminal proceedings
• Where notifying data subjects would require a disproportionate effort, public advertisements will suffice (e.g. in two newspapers)
• Notification to the DPA must include:
  – Description of the type of unlawful disclosure
  – Recommendations for measures to limit possible consequences
  – Information about the measures undertaken
• Failure to notify the authorities and/or the data subjects in the case of data loss is an administrative offence in Germany
Proposed EU Data Protection Regulation
• "Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
• All data controllers, with the full support of their processors, will be required to notify EU data protection authorities within 24 hours of a personal data breach (Article 31)
• Controllers may also have to notify individuals if the breach is likely to have adversely affected them, unless the controller is able to demonstrate to the data protection authority that it has implemented appropriate security

Proposed EU Data Protection Regulation cont'd
• The controller shall document any personal data breach, comprising the facts surrounding the breach, its effects and the remedial action taken
• The Regulation sets out the information that has to be provided as a minimum
• Obligation of the processor (Article 26(2)(f)): alert and inform the controller immediately after the establishment of a personal data breach
• Fine of up to € 1,000,000 or, in the case of an "enterprise", up to 2% of its annual worldwide turnover

Take aways
• High level of sanctions
• Short time periods for notification
• Therefore, there is a need to:
  – have a data breach team appointed, trained and ready to act immediately using an agreed process and communications plan
  – include the requirement to notify breaches, and to assist in addressing them, in agreements with processors (sub-contractors)
  – ensure all relevant staff understand the breach notification requirement and timetable
• EU companies have to prepare themselves (as do companies outside the EEA doing business in the EEA)
• EU data controllers and processors will have to increase their attention to the level of security applied to the processing (including storage) of personal data, regardless of where this occurs
  E.g. ICO guidance on encryption in transit and on portable devices
3) Data Protection Officers ("DPOs")

DPOs: Existing Rules
France and UK: a Data Protection Officer is not currently compulsory
Germany: a Data Protection Officer is compulsory
• General duty to register a company with the data protection authority
• Registration is not necessary if the company has appointed its own DPO; a DPO must be appointed if:
  – more than 9 people are engaged in automated data processing, or
  – 20 or more people are employed in non-automated processing
• The appointment must be notified to the DPA
• Only persons with the necessary knowledge and reliability may be appointed
• The DPO may only be dismissed for cause
  – Dismissal protection until one year after termination of the appointment
  – Entitlement to participate in employer-sponsored training
• The DPO is autonomous and is responsible for:
  – Proper use of data processing programs
  – Familiarizing management and employees with data protection rules and regulations
  – Investigating the data controller's practices
• The DPO handles day-to-day administrative measures, privacy complaints, checking international transfers, etc.

DPOs: Proposed EU Data Protection Regulation
Under Articles 35, 36 and 37:
• Obligation for private companies to appoint a DPO, based on thresholds
  – DPO must have expert knowledge and no conflict of interest
  – Limitations on the grounds for dismissing the DPO
  – Can be an employee or a service provider
  – Contact details of the DPO communicated to the supervisory authority and the public
  – Data subjects have the right to contact the DPO on all issues related to the processing of their data and to request exercise of their rights under the Regulation
• DPO is not the decision maker; the data controller or processor remains responsible
• Controller/processor must ensure the DPO is involved in all data protection issues
• DPO must have adequate resources, benefit from a level of independence and report directly to management
• DPO shall have the following tasks (among others):
  – Monitoring the documentation, notification and communication of personal data breaches pursuant to Articles 31 and 32
  – Monitoring the response to requests from the supervisory authority
  – Acting as the contact point for the supervisory authority
4) Employee Surveillance

Employee Surveillance: Existing Rules
These rules remain unchanged under the proposed EU Data Protection Regulation
• Legitimate purpose
• Proportionality and data minimization
• International transfers require implementing specific safeguards
• Notifications to the local DPA (if required, as in France)
• Financial services regulation
  – Outsourcing in the financial services industry
• Relations with employee representatives
  – Governed by each local labor law; depends on whether or not the data can be used to sanction employees (consultation, special agreement, etc.)
• Privacy of correspondence: governed by local law