Category: General Data Protection Regulation

The future of privacy rules after the UK's referendum to leave the EU

27. June 2016

On 23 June, the UK held a referendum on its EU membership. About 52% of the participants voted to leave the EU. Withdrawal from the EU must follow Art. 50 of the Treaty on European Union and will take about two years to complete.

The UK's withdrawal will also have an impact on data protection rules. First of all, the GDPR will enter into force on 25 May 2018, so at that time the UK will still be in the process of leaving the EU. This means that UK businesses will have to prepare for and be compliant with the GDPR.

Additionally, if UK businesses trade in the EU, a framework similar to the GDPR will be required in order to carry out data transfers with the EU member states. The British DPA, the ICO, published a statement regarding the existing data protection framework in the UK. According to the ICO, “if the UK wants to trade with the Single Market on equal terms we would have to prove adequacy – in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018”.

Currently, the GDPR is the reference framework for data protection, and organizations will have to prepare for compliance. Even if the GDPR does not end up applying to the UK, a similar framework should be in place by the time the GDPR enters into force.

French DPA launches public consultation on GDPR

21. June 2016

In June 2016, a public consultation process on the GDPR was opened by the French DPA (CNIL). The consultation is based on the topics that the WP 29 identified as priorities in its action plan for the implementation of the GDPR, published at the beginning of 2016.

The consultation aims at encouraging stakeholders to formulate questions regarding the GDPR in order to identify potential interpretation difficulties. Once the main questions and difficulties have been addressed, the WP 29 will issue guidelines regarding the relevant topics. The CNIL also offers the possibility to formulate questions about other topics, which are not directly mentioned in the consultation.

The main topics covered by the current consultation are the institution of the DPO, Privacy Impact Assessments (PIA), data protection certifications and the right to data portability.

The consultation is open until 15 July 2016 and stakeholders can participate through the CNIL's website. After that, the French DPA will publish a summary of the contributions.

Accountability initiative by the EDPS: achieving compliance with the GDPR

8. June 2016

The EDPS announced yesterday the launch of a new initiative that may help EU institutions, public bodies and private organizations to become compliant and prepare for the GDPR. This initiative relates to the accountability principle, which is explicitly mentioned in the GDPR. Accountability regarding the processing of personal data means:

  • Implementing policies within the organization in order to achieve transparency
  • Training employees and persons within the organization with regard to the implementation of the policies
  • Monitoring the implementation of the policies
  • Establishing procedures in order to identify non-compliance and act against data breaches

The EDPS states that the accountability principle involves a culture change within organizations and means the promotion of sustainable data processing. This means that organizations should assess the fairness and legality of complex data processing operations. It implies that both public bodies and private organizations should develop a risk management strategy that addresses their specific needs, so that they are compliant with the GDPR upon its entry into force in May 2018.

This initiative was first implemented at the EDPS itself, using questionnaires addressed to the Supervisors, the Director, the staff responsible for processing operations and the DPO. The implemented actions were also documented and followed up on a regular basis. The questions aimed at ensuring control over the processing of personal data and the lawfulness of the processing.

The role of the DPOs under the new GDPR: the German reference

7. June 2016

The new GDPR, which will enter into force in May 2018, updates the current European Data Protection legislation. One of the key aspects of the Regulation is the obligation to appoint a Data Protection Officer (DPO) in the following cases:

  • If the processing is carried out by a public authority, except courts acting in their judicial capacity
  • If the core activities of the controller or the processor consist of processing operations which according to their nature or scope require regular and systematic monitoring of data subjects on a large scale or
  • If the core activities of the controller or the processor consist of processing on a large scale of sensitive data

Currently, several jurisdictions mention the possibility of appointing a DPO, but Germany is the only EU member state that imposes the obligation to appoint a DPO if more than nine people within an organization handle personal data. The DPO can be a member of the organization or an external expert.

According to German Data Protection law, DPOs are appointed by the management of the organization but fulfill their duties without being subject to any instructions of the data controller. Moreover, they have the obligation to report to the management on the compliance status of the organization, and even if their recommendations are not followed, the DPO has fulfilled his or her duty. This DPO culture in Germany also means that DPOs are not only people with legal backgrounds; the role of the DPO is also assumed by persons with different backgrounds, for example engineers or HR employees who have been given this responsibility.

Thomas Spaeing, CEO of the German Association of Data Protection Officers, stresses the importance of the appointed person knowing the processes and organization of the company and being able to integrate the legislation with the organization's data processing activities. The DPO should be seen as a person who helps businesses implement data protection processes in the interest of both the data subjects and the company itself.

The GDPR mentions the possibility of appointing either an external or an internal DPO and describes their position in terms similar to those existing under German Data Protection law. In Germany, this will not mean a major change in the local legislation, but other countries that currently do not regulate the institution of the DPO at all will have to make the necessary changes to comply with the requirements of the GDPR by May 2018.

GDPR published in the Official Journal of the EU

9. May 2016

After the EU Parliament voted on the final draft of the GDPR on April 14th and the EU Commission signed it, the GDPR was finally published in the Official Journal of the EU on May 4th. The GDPR will harmonize several aspects of data protection in order to achieve a higher level of data protection within the EU.

The Regulation will enter into force 20 days after publication in the Official Journal of the EU but will be directly applicable two years after its entry into force, that is, at the end of May 2018. This means that organizations have two years to implement the provisions of the GDPR and become compliant.

About 28,000 data protection officers are required to be appointed under the GDPR

20. April 2016

Article 37 of the GDPR states that data controllers and processors of personal information are required to appoint a data protection officer in case:

(a)  The processing is carried out by a public authority or body (except courts); or

(b)  The controller’s or processor’s “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data.”

A data protection officer may be appointed by a group, by public authorities or by an individual legal entity. Article 39 of the GDPR requires that a data protection officer is “designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”. Compliance, training on how to process data according to the law, and communication with the national authorities are among the tasks of a data protection officer.

Therefore, due to the GDPR, organizations worldwide have to prepare for a number of new requirements in terms of data collection and processing. One particular requirement is that certain organizations will now have to appoint a data protection officer according to Article 37 of the GDPR, as mentioned above. Research indicates that the number of data protection officers required to be appointed under the GDPR will be about 28,000. This is an estimate based on official statistics regarding both public and private sector data controllers in the EU, taking further assumptions into account, such as that US companies obliged to comply with the GDPR would also require a data protection officer and that companies that self-certified under Safe Harbor are likely included in that number.

Parliament finally approves of GDPR

15. April 2016

The European Union will have a new data protection regulation. After four years of ups and downs, the European Parliament came to an agreement on Thursday in a plenary vote of support for the GDPR and the companion Data Protection Directive for policing and the judiciary.

The German MEP Jan Philipp Albrecht commented that “the General Data Protection Regulation makes a high, uniform level of data protection throughout the EU a reality,” and added that, “the regulation will also create clarity for businesses by establishing a single law across the EU. The new law creates confidence, legal certainty, and fairer competition.”

In order to give businesses and organizations time to adjust their compliance and data protection practices, the new GDPR will officially become effective in two years. The GDPR includes provisions such as the requirement of clear and affirmative consent for processing personal data and a clear privacy notice. Further, there will be breach notification obligations and potential fines of up to 4 percent of a company’s global annual turnover.

European Commission First Vice-President Frans Timmermans, Vice-President of the Digital Single Market Andrus Ansip, and Commissioner for Justice, Consumers and Gender Equality Vera Jourova welcomed the new regulation as it will “help stimulate the Digital Single Market in the EU by fostering trust in online services by consumers and legal certainty for businesses based on clear and uniform rules.” They went on to comment on the Data Protection Directive for police and the judiciary, saying that it “ensures a high level of data protection while improving cooperation in the fight against terrorism and other serious crime across Europe.”

In order to build public awareness of the reforms, “the EU will launch public awareness-raising campaigns about the new data protection rules”, Albrecht and Jourova, along with MEP Marju Lauristin, commented, adding that “the European Commission will work closely with member states, the national data protection authorities, and stakeholders to ensure the rules will be applied uniformly across the EU.”

Council of Ministers votes on latest draft of GDPR

12. April 2016

In the past week, the EU national governments endorsed the latest draft of the European Union’s General Data Protection Regulation (GDPR) in a vote held by the Council of Ministers. It is now expected that the European Parliament will approve the GDPR within this week, along with a new Data Protection Directive for police and criminal justice authorities.

According to a press release of the Council of Ministers, which was published shortly after the vote last week, one of the main benefits of the Regulation is that it provides a single set of rules, valid across the EU and applicable both to European and non-European companies offering online services in the EU. Furthermore, the regulation provides the framework for increased cooperation between EU member states to ensure coherent application of the data protection rules.

The regulation follows a risk-based approach, which means that data controllers will be able to implement measures according to the risk involved in the data processing operations they perform. This will likely reduce administrative costs, as companies will not be forced to implement a “one-size-fits-all” solution.

European Council accelerates the process for adopting the GDPR

7. April 2016

The Council of the European Union announced that the process for adopting the GDPR will be accelerated. This is due to the fact that the General Secretariat of the Council sent a Note requesting the Permanent Representatives Committee to use the so-called “written procedure” in order to adopt the Council’s position. Initially, a vote on the Council’s position was planned for 21 April 2016, when the next Justice and Home Affairs Council takes place. However, the Council has decided to accelerate the process for adoption by using the “written procedure”. Proceeding this way is an exception, as it does not include public deliberation.

The mentioned Note states that the “need to send the Council’s position at first reading to the European Parliament during its April I plenary, will only be possible to adopt the Council’s position at first reading within this very short deadline via the written procedure, which would be launched on Thursday 7th April 2016 and would end on Friday 8th April 2016, at midday. Delegations’ attention is drawn to the exceptionally short duration of this written procedure.”

As for the next steps, once the Council’s position is adopted, it will be sent to the European Parliament. The European Parliament will acknowledge receipt during the next plenary session, taking place on 11-13 April 2016. Afterwards, the Parliament’s Civil Liberties Committee will vote on a recommendation to Parliament regarding the Council’s position. This recommendation will then be used as the foundation for the Parliament’s adoption of the GDPR in one of the following plenary meetings.

EU Council releases statement at first reading on the upcoming GDPR

23. March 2016

On March 17th, the EU Council issued its position on the draft of the GDPR.

The statement of the EU Council identifies and analyzes the following key aspects of the GDPR:

  • Material, formal and territorial scope of application of the GDPR in order to achieve harmonization at EU level.
  • Principles of the data processing, especially “pseudonymization” and “data minimization”
  • Lawfulness of the processing based on the consent of the data subject, a contract, a legal obligation, etc.
  • Empowerment of data subjects through the enhancement of their rights as data subjects to access the information that is held about them, the right to be forgotten, right to transparency on the processing, right to object to the processing of their personal data, etc.
  • Controllers' and processors' accountability for the processing operations, and additionally their obligation to appoint a Data Protection Officer (DPO) in order to ensure compliance with the GDPR.
  • Transfers of personal data to third countries on the basis of adequacy decisions or other mechanisms that ensure an adequate level of data protection in third countries.
  • The EU DPAs' supervisory role over the application of the GDPR in each Member State.
  • Remedies, liabilities and penalties as compensation mechanisms in case of data breaches or damages caused to the data subjects.
  • Specific data processing situations, for example regarding employees' personal data

The EU Council remarks that the GDPR reflects the compromise reached between the EU Parliament and the EU Council. Furthermore, it invites the EU Parliament to formally approve the position of the EU Council.
