Category: GDPR

WP29 Guidelines on the notion of consent according to the GDPR – Part 1

26. January 2018

According to the GDPR, consent is one of the six lawful bases mentioned in Art. 6. In order for consent to be valid and compliant with the GDPR it needs to reflect the data subjects real choice and control.

The Working Party 29 (WP 29) clarifies and specifies the “requirements for obtaining and demonstrating” such a valid consent in its Guidelines released in December 2017.

The guidelines start off with an analysis of Article 4 (11) of the GDPR and then discusses the elements of valid consent. Referring to the Opinion 15/2011 on the definition of consent, “obtaining consent also does not negate or in any way diminish the controller’s obligations to observe the principles of processing enshrined in the GDPR, especially Article 5 of the GDPR with regard to fairness, necessity and proportionality, as well as data quality.”

The WP29 illustrates the elements of valid consent, such as the consent being freely given, specific, informed and unambiguous. For example, a consent is not considered as freely given if a mobile app for photo editing requires the users to have their GPS location activated simply in order to collect behavioural data aside from the photo editing. The WP29 emphasizes that consent to processing of unnecessary personal data “cannot be seen as a mandatory consideration in exchange for performance.”

Another important aspect taken into consideration is the imbalance of powers, e.g. in the matter of public authorities or in the context of employment. “Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences (e.g. substantial extra costs) if he/she does not consent. Consent will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will. “

Art. 7(4) GDPR emphasizes that the performance of a contract is not supposed to be conditional on consent to the processing of personal data that is not necessary for the performance of the contract. The WP 29 states that “compulsion to agree with the use of personal data additional to what is strictly necessary limits data subject’s choices and stands in the way of free consent.” Depending on the scope of the contract or service, the term “necessary for the performance of a contract… …needs to be interpreted strictly”. The WP29 lays down examples of cases where the bundling of situations is acceptable.

If a service involves multiple processing operations or multiple purposes, the data subject should have the freedom to choose which purpose they accept. This concept of granularity requires the purposes to be separated and consent to be obtained for each purpose.

Withdrawal of consent has to be possible without any detriment, e.g. in terms of additional costs or downgrade of services. Any other negative consequence such as deception, intimidation or coercion is also considered to be invalidating. The WP29 therefore suggests controllers to ensure proof that consent has been given accordingly.

(will be soon continued in Part 2)

WP 29 adopts guidelines on transparency under the GDPR

21. December 2017

The Article 29 Working Party (WP 29) has adopted guidelines on transparency under the General Data Protection Regulation (GDPR). The guideline intends to bring clearance into the transparency requirement regarding the processing of personal data and gives practical advice.

Transparency as such is not defined in the GDPR. However, Recital 39 describes what the transparency obligation requires when personal data is processed. Providing information to a data subject about the processing of personal data is one major aspect of transparency.

In order to explain transparency and its requirements, the WP 29 points out “elements of transparency under the GDPR” and explains their understanding of these. The following elements are named and described:

– “Concise, transparent, intelligible and easily accessible”
– “Clear and plain language”
– “Providing information to children”
– “In writing or by other means”
– “..the information may be provided orally”
– “Free of charge”

In a schedule, the WP 29 lists which information under Art. 13 and Art. 14 GDPR shall be provided to a data subject and which information is not required.

Vast majority of European businesses unprepared for GDPR

20. November 2017

According to a study only 8 % of businesses are ready for the EU General Data Protection Regulation (GDPR) and nearly one third of the companies are even unaware of the GDPR, coming into effect on 25. May 2018.

Although the new Regulation is considered too complex especially for small and medium-sized businesses, the majority of businesses agree that new rules in the field of personal data protection are necessary.

Infringements of GDPR provisions could lead to fines of up to €20 million or 4 % of the total worldwide annual turnover for the preceding financial year, whichever is higher.

Category: GDPR

WP29: Guideline for profiling and automated decision-making

19. October 2017

The Article 29 Data Protection Working Party (WP29) adopted a guideline for the automated individual decision-making and profiling which are addressed by the General Data Protection Regulation (GDPR). The GDPR will be applicable from the 25th May 2018. WP29 acknowledges that “profiling and automated decision-making can be useful for individuals and organisations as well as for the economy and society as a whole”. “Increased efficiencies” and “resource savings” are two examples that were named.

However, it was also stated that “profiling and automated decision-making can pose significant risks for individuals’ rights and freedoms which require appropriate safeguards”. One risk could be that profiling may “perpetuate existing stereotypes and social segregation”.

The Guideline covers inter alia definitions of profiling and automated decision-making as well as the general approach of the GDPR to these. It is addressed that the GDPR introduces provisions to ensure that the use of profiling and automated decision-making does not have an “unjustified impact on individuals’ rights” and names examples, such as “specific transparency and fairness requirements” and “greater accountability obligations”.

UK government introduced Data Protection Bill

13. October 2017

The UK government introduced the Data Protection Bill to implement the General Data Protection Regulation (GDPR – 2016/679).

The GDPR enters into force on 25th May 2018 in the European Union. After the brexit, until now it was unclear if the UK would implement the GDPR into UK domestic law. The Data Protection Bill implements not only the legal requirements of the GDPR. The Law Enforcement Directive (2016/680) and the standards of the Council of Europe’s draft modernized Convention 108 on processing of personal data carried out by the intelligence services will also be adopted in the new Data Protection Law of the UK.

The new Law will replace the existing UK Data Protection Act 1998.

Currently the bill is at the beginning of the parliamentary process. The first reading in the House of Lords was held on 13th September, the second on 10th October. The bill consist of seven parts and 18 Schedules.

The data flow between European countries and the UK will not cause those problems that caused concerns after the Brexit, because the data protection level in Europe and the UK will be equal.

New Data Protection Act in Austria

31. August 2017

In regards to the General Data Protection Regulation (GDPR), coming into force on 25th May 2018, the Austrian Parliament has passed the new Data Protection Act.

The GDPR is directly applicable which means that the GDPR will regulate the data protection within the European Union, without the need for any transposing act of the member states. Nevertheless the GDPR contains a certain amount of opening clauses. Opening clauses enable the countries to complete the law. Moreover, in some cases, the member states are obliged to provide specifications. Because of this reasons the member states have to revise the existing Data Protection Law. The first country with renewed law was Germany and now Austria follows.

The first draft of the new act was published on 12th May 2017. After evaluating the results of the consultation the new Data Protection Act was published in the federal law gazette on 31st July 2017.

It is noticeable that the Austrian parliament has been reticent with deviations from the GDPR which benefits the harmonization of data protection within the European Union.

Article 29 WP releases opinion on data processing at work

11. July 2017

The Article 29 Working Party (WP) has released their opinion on data processing at work on the 8th of June 2017. The Opinion is meant as an amendment to the previous released documents on the surveillance of electronic communications (WP 55) and processing personal data in employment context (WP 48). This update should face the fast-changing technologies, the new forms of processing and the fading boundaries between home and work. It not only covers the Data Protection Directive but also the new rules in the General Data Protection Regulation that goes into effect on 25th of May 2018.

Therefore they listed nine different scenarios in the employment context where data processing can lead to a lack in data protection. These scenarios are data processing in the recruitment process and in-employment screening (especially by using social media platforms), using monitoring tools for information and communication technologies (ICT), usage at home/remote, using monitoring for time and attendance, use of video monitoring, use of vehicles by employees, the disclosure of data to third parties and the international transfer of employee data.

The Article 29 WP also pointed out the main risk for the fundamental rights of the employees. New technologies allow the employer tracking over a long time and nearly everywhere in a less visible way. This can result into chilling effects on the rights of employees because they think of a constant supervision.

As a highlight the Article 29 WP gives the following recommendations for dealing with data processing in the employment context:

  • only collect the data legitimate for the purpose and only with processing taking place under appropriate conditions,
  • consent is highly unlike to be a legal base for data processing, because of the imbalance in power between the employer and the employee,
  • track the location of employees only where it is strictly necessary,
  • communicate every monitoring to your employees effectively,
  • do a proportionality check prior the deployment of any monitoring tool,
  • be more concerned with prevention than with detection,
  • keep in mind data minimization; only process the data you really need to,
  • create privacy spaces for users,
  • on cloud uses: Ensure an adequate level of protection on every international transfer of employee data.

New German Data Protection Act

4. May 2017

The new German Federal Data Protection Act (Bundesdatenschutzgesetz – the ‘’new BDSG”), which will replace the Federal Data Protection Act of 2003, was adopted by the German Federal Parliament on April 27th 2017. The new Act´s aim is to adapt the current German data protection law to the GDPR (General Data Protection Regulation).

In a couple of weeks (probably on the May 12, 2017), the approval of the new BDSG by the German Federal Council is expected on plenary meeting. Once the new BDSG is adopted, it will become effective the same day as the GDPR.

In some respects, there are new BDSG requirements that are different from the GDPR. Among those, there are for instance such issues as: Data Protection Officer appointment, employee personal data processing, specific data processing requirements with respect to the video surveillance, scoring and creditworthiness and consumer credit.

For violations regarding exclusively the German law, the new BDSG imposes fines in amount up to 50, 000 EUR.

Category: GDPR · German Law

CIPL´s certifications

20. April 2017

On 12 April 2017, a discussion paper on Seals, Marks and Certifications under the GDPR and Their Roles as Accountability Tools and Cross-Border Data Transfer Mechanisms has been released by the Centre for Information Policy Leadership (“CIPL”).

It is regarded as a formal input into that process and contains recommendations on GDPR`s provisions on use of certification mechanisms and their development implementation.

Certifications may be profitable for multinational companies as they may facilitate business arrangements with service providers and business partners. Their comprehensive GDPR compliance structure should also be useful for medium-sized and small enterprises. Their potential to create interoperability with other legal regimes can also be used efficiently.

Namely, the Discussion Paper contains the following:

  • Certification is foreseen to be available for service, system, product and particular process or an entire privacy program
  • Certification should be created for the purpose of data transfers (art. 42 (2)(f))
  • Specific GDPR certification sectors may be covered by a sector-specific codes of conduct
  • Certification proliferation should be avoided in order to make it most wanted
  • Certifications should be adaptable to different contexts, affordable and scalable to the different companies sizes
  • Organization`s BCR approvals should be leveraged in order to achieve the certification
  • There should be created a common baseline certification, which may be directly used
  • Baseline certification should differentiate in its application depending on the certification bodes and processes
  • GDPR certification should be consistent with other certification schemes (the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, Japan Privacy Mark, ISO/IEC Standards, and the APEC CBPR)
  • DPAs should affirm certifications as recognized means of GDPRs compliance

The highest sanctions in Europe so far imposed by the Italian DPA

16. March 2017

Ultimately, the Italian police department (in cooperation with Garante – Italian data protection authority) has carried out an investigation, which has revealed a violation of a data protection legislation and specific actions aimed at introducing the legal circulation of money onto the Chinese market.

Four agent companies and one multinational have turned out to split money transfers for remaining sub-threshold under this perspective. Under these circumstances an unlawful massive personal data processing of unaware individuals (payments and senders) has been performed. What is more, some of the records were up to be filed by not existing individuals or even deceased. Other records however, were left blank.

Taking into account all of the gathered facts, which actually indicated that personal data were used in order to unlawfully avoid the money laundering provisions, a wide-ranging Italian data protection authority sanctioning initiative has been launched. As a result, Garante has issued the highest fines ever in Europe.

Given the number of violations of data protection provisions, the Garante has set the whole amount of sanctions up to a total sum of almost 11,000,000 euros (850,000; 1,260,000; 1,590,000 1,430,000 euros for the agent companies and 5,880,000 euros for the multinational company).

It is believed that such a strict data protection authorities sanction will encourage individual data controllers and companies to accelerate their compliance with the upcoming GDPR (May 2018).

Pages: Prev 1 2 3 ... 11 12 13 14 15 16 17 18 19 20 21 Next
1 17 18 19 20 21