Category: GDPR
10. April 2018
When the General Data Protection Regulation (GDPR) comes into force on May 25th this year, not only in Europe the handling of personal data will have to change. Companies operating with customer data of EU citizens also have to observe the GDPR worldwide. But which non-European legal entity has to show consideration for the European Data Protection?
In accordance with Article 3 (1) GDPR, the GDPR applies to the processing of data of natural persons in so far as it takes place in the context of an activity of the controller (see Article 4 (7) GDPR) or a processor (see Article 4 (8) GDPR) in the Union. This applies irrespective of whether the data processing takes place on EU territory or in a third country.
If the data subject lives in the EU but the controller / data processor is located outside the EU, the scope of the GDPR according to Article 3 (2) GDPR is applicable if the data processing is related to goods or services offered within the EU (see Art. 3 (2) lit. a)). The GDPR applies cumulatively if the processor carries out a profiling on a EU-citizen (see Art. 3 (2) lit. b)).
Furthermore, the GDPR is also applied outside the EU territory to a controller / data processor who isn’t resident of the EU, if the law of a Member State becomes applicable on the basis of international public law (e.g. in consular or diplomatic matters, or on the basis of private international law).
3. April 2018
Continued from the article about the Working Party 29 (WP29) guidelines on consent, additional elements of the term should be considered as consent plays a key role for the processing of personal data.
The GDPR requires consent to further be specific, i.e. the data subject must be informed about the purpose of the processing and be safeguarded against function creep. The data controller has to, again, be granular when it comes to multiple consent requests and clearly separate information regarding consent from other matters.
In case the data controller wishes to process the data for a new purpose, he will have to seek new consent from the data subject and cannot use the original consent as a legitimisation for processing of further or new purposes.
Consent will also be invalid if the data controller doesn’t comply with the requirements for informed consent. The WP29 lists six key points for consent to be informed focussing on the aspect that the data subject genuinely needs to understand the processing operations at hand. Information has to be provided in a clear and plain language and should not be hidden in general terms and conditions.
Furthermore, consent has to be an unambiguous indication of wishes, i.e. it must always be given through an active motion or declaration. For example, the use of pre-ticked opt-in boxes is invalid.
However, explicit consent is required in situations where serious data protection risks emerge such as the processing of Special categories of data pursuant to Art. 9 GDPR.
In general, the burden of proof will be on the data controller according to Art. 7 GDPR, without prescribing any specific methods. The WP29 recommends that consent should be refreshed at appropriate intervals.
Concerning the withdrawal of consent, it has to be as easy as giving consent and should be possible without detriment.
The WP29 also recommends that data controllers assess whether processing of data is appropriate irrespective of data subjects’ requests.
21. March 2018
A trading deal between two companies often includes a high number of coincidentally transferred personal data. From the 25th May 2018 on the new GDPR regulates the data flow in the European Economic Area (EEA) that consists of all the members of the European Union, Iceland, Liechtenstein and Norway. The future status of Great Britain will be primarily the status of a third country.
Otherwise, business relationships to companies from non-EU or EEA States (like the USA, China, …) cannot guarantee the data protection standard of the GDPR automatically. Especially since the overruling of the “safe-harbour” agreement of the EU with the USA by the European Court of Justice (ECJ), every company that transfers data over the Atlantic is obligated to fulfil the data protection by itself. The European Commission (EC) recommends in its communication from the 10th January 2017 the use of so-called standard contractual clauses (SCC) or binding corporate rules (BCR), when an EU-based company transfers personal data to a non-EU based company or non-EU based entity of its corporate group.
This has a wide impact to the daily trade deals that are made all over Europe with third country companies. The EU recommends the data protection going hand in hand with the trading deals, to ensure the relatively high data protection level, which is based on Article 8 of the Charter of Fundamental Rights of the European Union. Especially until the ePrivacy-Regulation of the EU is not in force, every company has to ensure the standard of the GDPR by implementing a privacy policy, in which transfers of data to a third country has to be mentioned.
In conclusion, a company that trades with third country companies needs to enter a special data protection contract with the trading partner and needs to inform its clients by its privacy policy.
27. February 2018
Through the new General Data Protection Regulation (GDPR) there will be established a new EU Data Protection Authority, the so-called European Data Protection Board (the “Board”). The Board replaces the Article 29 Working Party starting May 25th 2018, when the GDPR enters into force. The board has its own legal personality.
Pursuant to Art. 68 (3) GDPR the Board is composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor. It works independent and on its own initiative by issuing its opinion pursuant to Art. 64 GDPR or adopting a binding decision pursuant to Art. 65 GDPR, especially in the written cases of Art. 65 (1) GDPR. The Board hence has the authority to adopt one of the most powerful legal acts of the union from Art. 288 of the Treaty of the European Union (TFEU).
While harmonizing the data protection in the EU, the Boards main task is to maintain the consistent application of the GDPR by the national supervisory authority through the Consistency mechanism pursuant to Art. 63 GDPR. Within this Consistency mechanism, the Board comments the so-called Binding Corporate Rules (BCR), which are necessarily given by national data protection authorities for international data transfer of a company group.
The Board also has the final say if the national data protection authorities cannot reach an agreement concerning the implementation of the GDPR.
29. January 2018
Withdrawal of the United Kingdom from the Union and EU leads to United Kingdom become a third country.
The European Commission annouced, that on 30.03.2019, 00:00h (CET) the United Kingdom will no longer be member of the Union and EU, all Union and secondary law will cease to apply.
That means, tat all stakeholders processing personal data need to consider the legal repercussions of Brexit, beacuse as of the withdrawal date, the EU rules for transfer personal data to third countries apply. GDPR allows a transfer if the controller or processor provides appropriate safeguards.
Safeguards may be provided by:
- Sandarad data protection clauses (SCC)
- the Commission has adopted three sets of model clauses which are available on the Commission’s website
- Binding corporate rules (BCR)
- legally binding data protection rules approved by the competent data protection authority which apply within a corporate group
- Condes of Conduct
- Approved Codes of Conduct together with binding and enforceable commitments of the controller or processor in the third country
- Certification mechanisms
- Approved certification mechanisms together with binding and enforceable commitments of the controller or processor in the third country
Besides a transfer may take place based on consent, for the performance of a contract, for exercise of legal claims or for important reasons of public interest.
These procedures are already well-known to business operators beacuse they are uses today for the transfer of personal data to non EU-countries like the USA, Russia or China.
The decision is disappointing for everyone who were hoping for an adequate level of data protection in the United Kingdom.
Stakeholders should prepare for the requirements associated with recognition as a third country.
26. January 2018
According to the GDPR, consent is one of the six lawful bases mentioned in Art. 6. In order for consent to be valid and compliant with the GDPR it needs to reflect the data subjects real choice and control.
The Working Party 29 (WP 29) clarifies and specifies the “requirements for obtaining and demonstrating” such a valid consent in its Guidelines released in December 2017.
The guidelines start off with an analysis of Article 4 (11) of the GDPR and then discusses the elements of valid consent. Referring to the Opinion 15/2011 on the definition of consent, “obtaining consent also does not negate or in any way diminish the controller’s obligations to observe the principles of processing enshrined in the GDPR, especially Article 5 of the GDPR with regard to fairness, necessity and proportionality, as well as data quality.”
The WP29 illustrates the elements of valid consent, such as the consent being freely given, specific, informed and unambiguous. For example, a consent is not considered as freely given if a mobile app for photo editing requires the users to have their GPS location activated simply in order to collect behavioural data aside from the photo editing. The WP29 emphasizes that consent to processing of unnecessary personal data “cannot be seen as a mandatory consideration in exchange for performance.”
Another important aspect taken into consideration is the imbalance of powers, e.g. in the matter of public authorities or in the context of employment. “Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences (e.g. substantial extra costs) if he/she does not consent. Consent will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will. “
Art. 7(4) GDPR emphasizes that the performance of a contract is not supposed to be conditional on consent to the processing of personal data that is not necessary for the performance of the contract. The WP 29 states that “compulsion to agree with the use of personal data additional to what is strictly necessary limits data subject’s choices and stands in the way of free consent.” Depending on the scope of the contract or service, the term “necessary for the performance of a contract… …needs to be interpreted strictly”. The WP29 lays down examples of cases where the bundling of situations is acceptable.
If a service involves multiple processing operations or multiple purposes, the data subject should have the freedom to choose which purpose they accept. This concept of granularity requires the purposes to be separated and consent to be obtained for each purpose.
Withdrawal of consent has to be possible without any detriment, e.g. in terms of additional costs or downgrade of services. Any other negative consequence such as deception, intimidation or coercion is also considered to be invalidating. The WP29 therefore suggests controllers to ensure proof that consent has been given accordingly.
(will be soon continued in Part 2)
21. December 2017
The Article 29 Working Party (WP 29) has adopted guidelines on transparency under the General Data Protection Regulation (GDPR). The guideline intends to bring clearance into the transparency requirement regarding the processing of personal data and gives practical advice.
Transparency as such is not defined in the GDPR. However, Recital 39 describes what the transparency obligation requires when personal data is processed. Providing information to a data subject about the processing of personal data is one major aspect of transparency.
In order to explain transparency and its requirements, the WP 29 points out “elements of transparency under the GDPR” and explains their understanding of these. The following elements are named and described:
– “Concise, transparent, intelligible and easily accessible”
– “Clear and plain language”
– “Providing information to children”
– “In writing or by other means”
– “..the information may be provided orally”
– “Free of charge”
In a schedule, the WP 29 lists which information under Art. 13 and Art. 14 GDPR shall be provided to a data subject and which information is not required.
20. November 2017
According to a study only 8 % of businesses are ready for the EU General Data Protection Regulation (GDPR) and nearly one third of the companies are even unaware of the GDPR, coming into effect on 25. May 2018.
Although the new Regulation is considered too complex especially for small and medium-sized businesses, the majority of businesses agree that new rules in the field of personal data protection are necessary.
Infringements of GDPR provisions could lead to fines of up to €20 million or 4 % of the total worldwide annual turnover for the preceding financial year, whichever is higher.
19. October 2017
The Article 29 Data Protection Working Party (WP29) adopted a guideline for the automated individual decision-making and profiling which are addressed by the General Data Protection Regulation (GDPR). The GDPR will be applicable from the 25th May 2018. WP29 acknowledges that “profiling and automated decision-making can be useful for individuals and organisations as well as for the economy and society as a whole”. “Increased efficiencies” and “resource savings” are two examples that were named.
However, it was also stated that “profiling and automated decision-making can pose significant risks for individuals’ rights and freedoms which require appropriate safeguards”. One risk could be that profiling may “perpetuate existing stereotypes and social segregation”.
The Guideline covers inter alia definitions of profiling and automated decision-making as well as the general approach of the GDPR to these. It is addressed that the GDPR introduces provisions to ensure that the use of profiling and automated decision-making does not have an “unjustified impact on individuals’ rights” and names examples, such as “specific transparency and fairness requirements” and “greater accountability obligations”.
13. October 2017
The UK government introduced the Data Protection Bill to implement the General Data Protection Regulation (GDPR – 2016/679).
The GDPR enters into force on 25th May 2018 in the European Union. After the brexit, until now it was unclear if the UK would implement the GDPR into UK domestic law. The Data Protection Bill implements not only the legal requirements of the GDPR. The Law Enforcement Directive (2016/680) and the standards of the Council of Europe’s draft modernized Convention 108 on processing of personal data carried out by the intelligence services will also be adopted in the new Data Protection Law of the UK.
The new Law will replace the existing UK Data Protection Act 1998.
Currently the bill is at the beginning of the parliamentary process. The first reading in the House of Lords was held on 13th September, the second on 10th October. The bill consist of seven parts and 18 Schedules.
The data flow between European countries and the UK will not cause those problems that caused concerns after the Brexit, because the data protection level in Europe and the UK will be equal.
