Category: GDPR

The European Data Protection Board – A new authority under the EU General Data Protection Regulation (GDPR)

27. February 2018

Through the new General Data Protection Regulation (GDPR) there will be established a new EU Data Protection Authority, the so-called European Data Protection Board (the “Board”). The Board replaces the Article 29 Working Party starting May 25th 2018, when the GDPR enters into force. The board has its own legal personality.

Pursuant to Art. 68 (3) GDPR the Board is composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor. It works independent and on its own initiative by issuing its opinion pursuant to Art. 64 GDPR or adopting a binding decision pursuant to Art. 65 GDPR, especially in the written cases of Art. 65 (1) GDPR. The Board hence has the authority to adopt one of the most powerful legal acts of the union from Art. 288 of the Treaty of the European Union (TFEU).

While harmonizing the data protection in the EU, the Boards main task is to maintain the consistent application of the GDPR by the national supervisory authority through the Consistency mechanism pursuant to Art. 63 GDPR. Within this Consistency mechanism, the Board comments the so-called Binding Corporate Rules (BCR), which are necessarily given by national data protection authorities for international data transfer of a company group.

The Board also has the final say if the national data protection authorities cannot reach an agreement concerning the implementation of the GDPR.

United Kingdom become a third country after Brexit

29. January 2018

Withdrawal of the United Kingdom from the Union and EU leads to United Kingdom become a third country.

The European Commission annouced, that on 30.03.2019, 00:00h (CET) the United Kingdom will no longer be member of the Union and EU, all Union and secondary law will cease to apply.

That means, tat all stakeholders processing personal data need to consider the legal repercussions of Brexit, beacuse as of the withdrawal date, the EU rules for transfer personal data to third countries apply. GDPR allows a transfer if the controller or processor provides appropriate safeguards.

Safeguards may be provided by:

  • Sandarad data protection clauses (SCC)
  • Binding corporate rules (BCR)
    • legally binding data protection rules approved by the competent data protection authority which apply within a corporate group
  • Condes of Conduct
    • Approved Codes of Conduct together with binding and enforceable commitments of the controller or processor in the third country
  • Certification mechanisms
    • Approved certification mechanisms together with binding and enforceable commitments of the controller or processor in the third country

Besides a transfer may take place based on consent, for the performance of a contract, for exercise of legal claims or for important reasons of public interest.

These procedures are already well-known to business operators beacuse they are uses today for the transfer of personal data to non EU-countries like the USA, Russia or China.

The decision is disappointing for everyone who were hoping for an adequate level of data protection in the United Kingdom.

Stakeholders should prepare for the requirements associated with recognition as a third country.

Category: EU Commission · European Union · GDPR · UK

WP29 Guidelines on the notion of consent according to the GDPR – Part 1

26. January 2018

According to the GDPR, consent is one of the six lawful bases mentioned in Art. 6. In order for consent to be valid and compliant with the GDPR it needs to reflect the data subjects real choice and control.

The Working Party 29 (WP 29) clarifies and specifies the “requirements for obtaining and demonstrating” such a valid consent in its Guidelines released in December 2017.

The guidelines start off with an analysis of Article 4 (11) of the GDPR and then discusses the elements of valid consent. Referring to the Opinion 15/2011 on the definition of consent, “obtaining consent also does not negate or in any way diminish the controller’s obligations to observe the principles of processing enshrined in the GDPR, especially Article 5 of the GDPR with regard to fairness, necessity and proportionality, as well as data quality.”

The WP29 illustrates the elements of valid consent, such as the consent being freely given, specific, informed and unambiguous. For example, a consent is not considered as freely given if a mobile app for photo editing requires the users to have their GPS location activated simply in order to collect behavioural data aside from the photo editing. The WP29 emphasizes that consent to processing of unnecessary personal data “cannot be seen as a mandatory consideration in exchange for performance.”

Another important aspect taken into consideration is the imbalance of powers, e.g. in the matter of public authorities or in the context of employment. “Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences (e.g. substantial extra costs) if he/she does not consent. Consent will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will. “

Art. 7(4) GDPR emphasizes that the performance of a contract is not supposed to be conditional on consent to the processing of personal data that is not necessary for the performance of the contract. The WP 29 states that “compulsion to agree with the use of personal data additional to what is strictly necessary limits data subject’s choices and stands in the way of free consent.” Depending on the scope of the contract or service, the term “necessary for the performance of a contract… …needs to be interpreted strictly”. The WP29 lays down examples of cases where the bundling of situations is acceptable.

If a service involves multiple processing operations or multiple purposes, the data subject should have the freedom to choose which purpose they accept. This concept of granularity requires the purposes to be separated and consent to be obtained for each purpose.

Withdrawal of consent has to be possible without any detriment, e.g. in terms of additional costs or downgrade of services. Any other negative consequence such as deception, intimidation or coercion is also considered to be invalidating. The WP29 therefore suggests controllers to ensure proof that consent has been given accordingly.

(will be soon continued in Part 2)

WP 29 adopts guidelines on transparency under the GDPR

21. December 2017

The Article 29 Working Party (WP 29) has adopted guidelines on transparency under the General Data Protection Regulation (GDPR). The guideline intends to bring clearance into the transparency requirement regarding the processing of personal data and gives practical advice.

Transparency as such is not defined in the GDPR. However, Recital 39 describes what the transparency obligation requires when personal data is processed. Providing information to a data subject about the processing of personal data is one major aspect of transparency.

In order to explain transparency and its requirements, the WP 29 points out “elements of transparency under the GDPR” and explains their understanding of these. The following elements are named and described:

– “Concise, transparent, intelligible and easily accessible”
– “Clear and plain language”
– “Providing information to children”
– “In writing or by other means”
– “..the information may be provided orally”
– “Free of charge”

In a schedule, the WP 29 lists which information under Art. 13 and Art. 14 GDPR shall be provided to a data subject and which information is not required.

Vast majority of European businesses unprepared for GDPR

20. November 2017

According to a study only 8 % of businesses are ready for the EU General Data Protection Regulation (GDPR) and nearly one third of the companies are even unaware of the GDPR, coming into effect on 25. May 2018.

Although the new Regulation is considered too complex especially for small and medium-sized businesses, the majority of businesses agree that new rules in the field of personal data protection are necessary.

Infringements of GDPR provisions could lead to fines of up to €20 million or 4 % of the total worldwide annual turnover for the preceding financial year, whichever is higher.

Category: GDPR

WP29: Guideline for profiling and automated decision-making

19. October 2017

The Article 29 Data Protection Working Party (WP29) adopted a guideline for the automated individual decision-making and profiling which are addressed by the General Data Protection Regulation (GDPR). The GDPR will be applicable from the 25th May 2018. WP29 acknowledges that “profiling and automated decision-making can be useful for individuals and organisations as well as for the economy and society as a whole”. “Increased efficiencies” and “resource savings” are two examples that were named.

However, it was also stated that “profiling and automated decision-making can pose significant risks for individuals’ rights and freedoms which require appropriate safeguards”. One risk could be that profiling may “perpetuate existing stereotypes and social segregation”.

The Guideline covers inter alia definitions of profiling and automated decision-making as well as the general approach of the GDPR to these. It is addressed that the GDPR introduces provisions to ensure that the use of profiling and automated decision-making does not have an “unjustified impact on individuals’ rights” and names examples, such as “specific transparency and fairness requirements” and “greater accountability obligations”.

UK government introduced Data Protection Bill

13. October 2017

The UK government introduced the Data Protection Bill to implement the General Data Protection Regulation (GDPR – 2016/679).

The GDPR enters into force on 25th May 2018 in the European Union. After the brexit, until now it was unclear if the UK would implement the GDPR into UK domestic law. The Data Protection Bill implements not only the legal requirements of the GDPR. The Law Enforcement Directive (2016/680) and the standards of the Council of Europe’s draft modernized Convention 108 on processing of personal data carried out by the intelligence services will also be adopted in the new Data Protection Law of the UK.

The new Law will replace the existing UK Data Protection Act 1998.

Currently the bill is at the beginning of the parliamentary process. The first reading in the House of Lords was held on 13th September, the second on 10th October. The bill consist of seven parts and 18 Schedules.

The data flow between European countries and the UK will not cause those problems that caused concerns after the Brexit, because the data protection level in Europe and the UK will be equal.

New Data Protection Act in Austria

31. August 2017

In regards to the General Data Protection Regulation (GDPR), coming into force on 25th May 2018, the Austrian Parliament has passed the new Data Protection Act.

The GDPR is directly applicable which means that the GDPR will regulate the data protection within the European Union, without the need for any transposing act of the member states. Nevertheless the GDPR contains a certain amount of opening clauses. Opening clauses enable the countries to complete the law. Moreover, in some cases, the member states are obliged to provide specifications. Because of this reasons the member states have to revise the existing Data Protection Law. The first country with renewed law was Germany and now Austria follows.

The first draft of the new act was published on 12th May 2017. After evaluating the results of the consultation the new Data Protection Act was published in the federal law gazette on 31st July 2017.

It is noticeable that the Austrian parliament has been reticent with deviations from the GDPR which benefits the harmonization of data protection within the European Union.

Article 29 WP releases opinion on data processing at work

11. July 2017

The Article 29 Working Party (WP) has released their opinion on data processing at work on the 8th of June 2017. The Opinion is meant as an amendment to the previous released documents on the surveillance of electronic communications (WP 55) and processing personal data in employment context (WP 48). This update should face the fast-changing technologies, the new forms of processing and the fading boundaries between home and work. It not only covers the Data Protection Directive but also the new rules in the General Data Protection Regulation that goes into effect on 25th of May 2018.

Therefore they listed nine different scenarios in the employment context where data processing can lead to a lack in data protection. These scenarios are data processing in the recruitment process and in-employment screening (especially by using social media platforms), using monitoring tools for information and communication technologies (ICT), usage at home/remote, using monitoring for time and attendance, use of video monitoring, use of vehicles by employees, the disclosure of data to third parties and the international transfer of employee data.

The Article 29 WP also pointed out the main risk for the fundamental rights of the employees. New technologies allow the employer tracking over a long time and nearly everywhere in a less visible way. This can result into chilling effects on the rights of employees because they think of a constant supervision.

As a highlight the Article 29 WP gives the following recommendations for dealing with data processing in the employment context:

  • only collect the data legitimate for the purpose and only with processing taking place under appropriate conditions,
  • consent is highly unlike to be a legal base for data processing, because of the imbalance in power between the employer and the employee,
  • track the location of employees only where it is strictly necessary,
  • communicate every monitoring to your employees effectively,
  • do a proportionality check prior the deployment of any monitoring tool,
  • be more concerned with prevention than with detection,
  • keep in mind data minimization; only process the data you really need to,
  • create privacy spaces for users,
  • on cloud uses: Ensure an adequate level of protection on every international transfer of employee data.

New German Data Protection Act

4. May 2017

The new German Federal Data Protection Act (Bundesdatenschutzgesetz – the ‘’new BDSG”), which will replace the Federal Data Protection Act of 2003, was adopted by the German Federal Parliament on April 27th 2017. The new Act´s aim is to adapt the current German data protection law to the GDPR (General Data Protection Regulation).

In a couple of weeks (probably on the May 12, 2017), the approval of the new BDSG by the German Federal Council is expected on plenary meeting. Once the new BDSG is adopted, it will become effective the same day as the GDPR.

In some respects, there are new BDSG requirements that are different from the GDPR. Among those, there are for instance such issues as: Data Protection Officer appointment, employee personal data processing, specific data processing requirements with respect to the video surveillance, scoring and creditworthiness and consumer credit.

For violations regarding exclusively the German law, the new BDSG imposes fines in amount up to 50, 000 EUR.

Category: GDPR · German Law
Pages: 1 2 3 Next
1 2 3