Category: GDPR

How to rule a Data Protection Impact Assessment (DPIA)?

9. May 2018

Pursuant to Art. 35 of the General Data Protection Regulation (GDPR) the controller of personal data shall carry out an assessment of the impact of the data processing that takes place in the controller’s responsibility. That means mostly, to anticipate the possible data breaches and to fulfil the requirements of the GDPR before the personal data is processed.

Even if the date of enforcement of the GDPR (25th May 2018) comes closer and closer, just a few of the EU member states are well-prepared. Only Austria, Belgium, Germany, Slovakia and Sweden have enact laws for the implementation of the new data protection rules. Additional to this legislation the national data protection authorities have to publish some advises on how to rule a DPIA. Pursuant to Art. 35 (4) sent. 2 GDPR these handbooks on DPIA’s should be gathered by the European Data Protection Board for an equal European-wide data protection level. The Board as well seems not to work yet, as the Article 29 Working Part (WP29) is still the official authority.

But at least, Belgium and Germany have published their DPIA recommendations and listed processes for which a DPIA is required, pursuant to Art. 35 (4) GDPR, and in which cases a DPIA is not required, see Art. 35 (5) GDPR.

For example, in the following cases the Belgian authority requires a DPIA:

  • Processing, that involves biometric data uniquely identifying in a space—public or private—which is publicly open,
  • Personal data from a third party that determines whether an applicant is hired or fired,
  • Personal data collected without given consent by the data subject (e.g. electronic devices like smart phones, auditory, and/or video devices),
  • Processing done by medical implant. This data may be an infringement of rights and freedoms.
  • Personal data that affects the vulnerable members of society (e.g., children, mentally challenged, physically challenged individuals),
  • Highly personal data such as financial statement; employability; social service involvement; private activities; domestic situation.
Category: Article 29 WP · Belgium · Data breach · EU · GDPR

New Austrian Data Protection Law – undermining GDPR

8. May 2018

Austria’s governing parties passed a new law on data protection in the last month. This new law, which was intendet to implement the requirements of the General Data Protection Regulation (GDPR), complicates the enforcement of the new EU-wide data protection rules. This developement is result of a change in policy. Three years ago Austria’s justice minister complained that the EU’s forthcoming data protection rules were to weak, nowadays, the new government in Vienna says they are too strong.

It has been suggested, that the governing parties in Vienna are trying to turn the coountry into a sort of ‘safe haven’ – by complicating enforcement of the GDPR.

Purpose of the GDPR is, inter alia, to hand back the control of personal data to the data subjects. This aim could be undermined by the new provisions regarding the sanctions.

The GDPR stipulates, that sanctions are imposed by DPAs without any condition and without a room for specification or changes to member states’ law. In contrast to this the new Austrian data protection law contains a term that requires warnings before launching sanctions against violating firms. It must be feared, that most infringements will go unpunished.

The responsibles of the Austrian Data Protection Authority tried to weaken the concerns: The authority will still decide on a case-by-case basis whether to impose administrative fines or not – even it is the first violation of the company.

It remains to be seen how the new law will be applied in the future.

Application of the GDPR outside the EU

10. April 2018

When the General Data Protection Regulation (GDPR) comes into force on May 25th this year, not only in Europe the handling of personal data will have to change. Companies operating with customer data of EU citizens also have to observe the GDPR worldwide. But which non-European legal entity has to show consideration for the European Data Protection?

In accordance with Article 3 (1) GDPR, the GDPR applies to the processing of data of natural persons in so far as it takes place in the context of an activity of the controller (see Article 4 (7) GDPR) or a processor (see Article 4 (8) GDPR) in the Union. This applies irrespective of whether the data processing takes place on EU territory or in a third country.

If the data subject lives in the EU but the controller / data processor is located outside the EU, the scope of the GDPR according to Article 3 (2) GDPR is applicable if the data processing is related to goods or services offered within the EU (see Art. 3 (2) lit. a)). The GDPR applies cumulatively if the processor carries out a profiling on a EU-citizen (see Art. 3 (2) lit. b)).

Furthermore, the GDPR is also applied outside the EU territory to a controller / data processor who isn’t resident of the EU, if the law of a Member State becomes applicable on the basis of international public law (e.g. in consular or diplomatic matters, or on the basis of private international law).

WP29 Guidelines on the notion of consent according to the GDPR – Part 2

3. April 2018

Continued from the article about the Working Party 29 (WP29) guidelines on consent, additional elements of the term should be considered as consent plays a key role for the processing of personal data.

The GDPR requires consent to further be specific, i.e. the data subject must be informed about the purpose of the processing and be safeguarded against function creep. The data controller has to, again, be granular when it comes to multiple consent requests and clearly separate information regarding consent from other matters.

In case the data controller wishes to process the data for a new purpose, he will have to seek new consent from the data subject and cannot use the original consent as a legitimisation for processing of further or new purposes.

Consent will also be invalid if the data controller doesn’t comply with the requirements for informed consent. The WP29 lists six key points for consent to be informed focussing on the aspect that the data subject genuinely needs to understand the processing operations at hand. Information has to be provided in a clear and plain language and should not be hidden in general terms and conditions.

Furthermore, consent has to be an unambiguous indication of wishes, i.e. it must always be given through an active motion or declaration. For example, the use of pre-ticked opt-in boxes is invalid.

However, explicit consent is required in situations where serious data protection risks emerge such as the processing of Special categories of data pursuant to Art. 9 GDPR.

In general, the burden of proof will be on the data controller according to Art. 7 GDPR, without prescribing any specific methods. The WP29 recommends that consent should be refreshed at appropriate intervals.

Concerning the withdrawal of consent, it has to be as easy as giving consent and should be possible without detriment.

The WP29 also recommends that data controllers assess whether processing of data is appropriate irrespective of data subjects’ requests.

How is a company transferring data with a non-European company able to ensure the data-protection standard according to the General Data Protection Regulation (GDPR)?

21. March 2018

A trading deal between two companies often includes a high number of coincidentally transferred personal data. From the 25th May 2018 on the new GDPR regulates the data flow in the European Economic Area (EEA) that consists of all the members of the European Union, Iceland, Liechtenstein and Norway. The future status of Great Britain will be primarily the status of a third country.

Otherwise, business relationships to companies from non-EU or EEA States (like the USA, China, …) cannot guarantee the data protection standard of the GDPR automatically. Especially since the overruling of the “safe-harbour” agreement of the EU with the USA by the European Court of Justice (ECJ), every company that transfers data over the Atlantic is obligated to fulfil the data protection by itself. The European Commission (EC) recommends in its communication from the 10th January 2017 the use of so-called standard contractual clauses (SCC) or binding corporate rules (BCR), when an EU-based company transfers personal data to a non-EU based company or non-EU based entity of its corporate group.

This has a wide impact to the daily trade deals that are made all over Europe with third country companies. The EU recommends the data protection going hand in hand with the trading deals, to ensure the relatively high data protection level, which is based on Article 8 of the Charter of Fundamental Rights of the European Union. Especially until the ePrivacy-Regulation of the EU is not in force, every company has to ensure the standard of the GDPR by implementing a privacy policy, in which transfers of data to a third country has to be mentioned.

In conclusion, a company that trades with third country companies needs to enter a special data protection contract with the trading partner and needs to inform its clients by its privacy policy.

The European Data Protection Board – A new authority under the EU General Data Protection Regulation (GDPR)

27. February 2018

Through the new General Data Protection Regulation (GDPR) there will be established a new EU Data Protection Authority, the so-called European Data Protection Board (the “Board”). The Board replaces the Article 29 Working Party starting May 25th 2018, when the GDPR enters into force. The board has its own legal personality.

Pursuant to Art. 68 (3) GDPR the Board is composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor. It works independent and on its own initiative by issuing its opinion pursuant to Art. 64 GDPR or adopting a binding decision pursuant to Art. 65 GDPR, especially in the written cases of Art. 65 (1) GDPR. The Board hence has the authority to adopt one of the most powerful legal acts of the union from Art. 288 of the Treaty of the European Union (TFEU).

While harmonizing the data protection in the EU, the Boards main task is to maintain the consistent application of the GDPR by the national supervisory authority through the Consistency mechanism pursuant to Art. 63 GDPR. Within this Consistency mechanism, the Board comments the so-called Binding Corporate Rules (BCR), which are necessarily given by national data protection authorities for international data transfer of a company group.

The Board also has the final say if the national data protection authorities cannot reach an agreement concerning the implementation of the GDPR.

United Kingdom become a third country after Brexit

29. January 2018

Withdrawal of the United Kingdom from the Union and EU leads to United Kingdom become a third country.

The European Commission annouced, that on 30.03.2019, 00:00h (CET) the United Kingdom will no longer be member of the Union and EU, all Union and secondary law will cease to apply.

That means, tat all stakeholders processing personal data need to consider the legal repercussions of Brexit, beacuse as of the withdrawal date, the EU rules for transfer personal data to third countries apply. GDPR allows a transfer if the controller or processor provides appropriate safeguards.

Safeguards may be provided by:

  • Sandarad data protection clauses (SCC)
  • Binding corporate rules (BCR)
    • legally binding data protection rules approved by the competent data protection authority which apply within a corporate group
  • Condes of Conduct
    • Approved Codes of Conduct together with binding and enforceable commitments of the controller or processor in the third country
  • Certification mechanisms
    • Approved certification mechanisms together with binding and enforceable commitments of the controller or processor in the third country

Besides a transfer may take place based on consent, for the performance of a contract, for exercise of legal claims or for important reasons of public interest.

These procedures are already well-known to business operators beacuse they are uses today for the transfer of personal data to non EU-countries like the USA, Russia or China.

The decision is disappointing for everyone who were hoping for an adequate level of data protection in the United Kingdom.

Stakeholders should prepare for the requirements associated with recognition as a third country.

Category: EU Commission · European Union · GDPR · UK
Tags:

WP29 Guidelines on the notion of consent according to the GDPR – Part 1

26. January 2018

According to the GDPR, consent is one of the six lawful bases mentioned in Art. 6. In order for consent to be valid and compliant with the GDPR it needs to reflect the data subjects real choice and control.

The Working Party 29 (WP 29) clarifies and specifies the “requirements for obtaining and demonstrating” such a valid consent in its Guidelines released in December 2017.

The guidelines start off with an analysis of Article 4 (11) of the GDPR and then discusses the elements of valid consent. Referring to the Opinion 15/2011 on the definition of consent, “obtaining consent also does not negate or in any way diminish the controller’s obligations to observe the principles of processing enshrined in the GDPR, especially Article 5 of the GDPR with regard to fairness, necessity and proportionality, as well as data quality.”

The WP29 illustrates the elements of valid consent, such as the consent being freely given, specific, informed and unambiguous. For example, a consent is not considered as freely given if a mobile app for photo editing requires the users to have their GPS location activated simply in order to collect behavioural data aside from the photo editing. The WP29 emphasizes that consent to processing of unnecessary personal data “cannot be seen as a mandatory consideration in exchange for performance.”

Another important aspect taken into consideration is the imbalance of powers, e.g. in the matter of public authorities or in the context of employment. “Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences (e.g. substantial extra costs) if he/she does not consent. Consent will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will. “

Art. 7(4) GDPR emphasizes that the performance of a contract is not supposed to be conditional on consent to the processing of personal data that is not necessary for the performance of the contract. The WP 29 states that “compulsion to agree with the use of personal data additional to what is strictly necessary limits data subject’s choices and stands in the way of free consent.” Depending on the scope of the contract or service, the term “necessary for the performance of a contract… …needs to be interpreted strictly”. The WP29 lays down examples of cases where the bundling of situations is acceptable.

If a service involves multiple processing operations or multiple purposes, the data subject should have the freedom to choose which purpose they accept. This concept of granularity requires the purposes to be separated and consent to be obtained for each purpose.

Withdrawal of consent has to be possible without any detriment, e.g. in terms of additional costs or downgrade of services. Any other negative consequence such as deception, intimidation or coercion is also considered to be invalidating. The WP29 therefore suggests controllers to ensure proof that consent has been given accordingly.

(will be soon continued in Part 2)

WP 29 adopts guidelines on transparency under the GDPR

21. December 2017

The Article 29 Working Party (WP 29) has adopted guidelines on transparency under the General Data Protection Regulation (GDPR). The guideline intends to bring clearance into the transparency requirement regarding the processing of personal data and gives practical advice.

Transparency as such is not defined in the GDPR. However, Recital 39 describes what the transparency obligation requires when personal data is processed. Providing information to a data subject about the processing of personal data is one major aspect of transparency.

In order to explain transparency and its requirements, the WP 29 points out “elements of transparency under the GDPR” and explains their understanding of these. The following elements are named and described:

– “Concise, transparent, intelligible and easily accessible”
– “Clear and plain language”
– “Providing information to children”
– “In writing or by other means”
– “..the information may be provided orally”
– “Free of charge”

In a schedule, the WP 29 lists which information under Art. 13 and Art. 14 GDPR shall be provided to a data subject and which information is not required.

Vast majority of European businesses unprepared for GDPR

20. November 2017

According to a study only 8 % of businesses are ready for the EU General Data Protection Regulation (GDPR) and nearly one third of the companies are even unaware of the GDPR, coming into effect on 25. May 2018.

Although the new Regulation is considered too complex especially for small and medium-sized businesses, the majority of businesses agree that new rules in the field of personal data protection are necessary.

Infringements of GDPR provisions could lead to fines of up to €20 million or 4 % of the total worldwide annual turnover for the preceding financial year, whichever is higher.

Category: GDPR
Pages: 1 2 3 Next
1 2 3