3. New “Privacy Law” coming your way…
General Data Protection Regulation 2016/679 (GDPR/AVGB)
Regulation instead of Directive – 1 law for 28 states
Agreement reached last December 2015
Enters into force on 1 May 2018 (without grace period!)
New rules are MUCH stricter than current law and impact EVERYONE present
here today
ABTO
7 June 2017
4. General Data Protection Regulation
Heavily influenced by consumer protection activists in EP
Result:
Consumer friendly, but serious restraints for direct marketing, e-commerce
and especially personalisation, profiling, real time marketing and big data
Applicable on ALL data processing, except personal (private) contact lists (e.g.
private Outlook account)
5. Don’t be this guy, be prepared…
All e-commerce and online marketing run on personal data
This is no different in today’s digital travel industry
GDPR applies to ALL databases (clients, marketing, sales, HR, purchasing, accounting, …)
In the words of the European Commission: “data has become a currency” (cfr. Draft Directive
2015/0287 on digital content delivery contracts)
Fines up to 4% of annual turnover or 20 mio euro
6. Basic principles of GDPR
Accountability
Transparency
Data Protection by design
Data protection by default
Purpose limitation
Data minimisation
Accuracy
Limited retention time
Data security
8. (Online) marketing today…
The basis of all marketing is data
Heatmapping
Everything is measurable
Remarketing
Everyone can be individualised and reached
9. Security & internal processes
1. Working with subcontractors that process data
Obligation to work only with subcontractors that guarantee sufficient data security
Obligation to have written contracts with all subcontractors
List of mandatory clauses in such contracts
Booking engine, TO/agency, external marketeer, …
= Need to audit/map all existing subcontracting/service contracts/licenses
Mailchimp, Criteo, Eventbrite, (Google) Analytics, internal messaging (e.g. Slack), …
10. Security & internal processes
2. Record of processing activities
Obligation to maintain a “record of processing activities”
Holding ID of processor, processed data, categories, transfers, time limits, security
measures
In writing at the seat of your company
Privacy Commission to launch template by 15 June
Bookings, mailings, transfers to third parties, opt-outs, …
11. Security & internal processes
3. Data security measures
“Processor shall implement appropriate technical and organizational measures, to
ensure an appropriate level of security”
Pseudonymisation where possible, confidentiality, security, back ups in place,
security testing protocols, …
= Need to audit/map data within company
12. Security & internal processes
4. Data Protection Impact Assessment
Where processing may have a high impact on the privacy rights of data subjects
Obligation to run prior (documented) impact assessment
Advice of DPO required if DPO is present in the organization
Should be used as basis to ensure adequate security levels
Privacy Commission to specify when DPIA is required
If DPIA shows high risk: obtain Prior Assessment from Privacy Commission
13. Security & internal processes
5. Data breach notification
Obligation to notify any data security breach to the Privacy Commission
ASAP, and at the latest within 72 hours
Nature of breach, possible consequences, measures taken, etc… (= obligation to
document data breach)
= Need to have data breach procedure in place
If possible consequences for data subjects: obligation to notify them in person!
14. Security & internal processes
6. Data Protection Officer
If core activity of processor
Requires large scale data monitoring
Consists of large scale data monitoring
Series of requirements and conditions
Details to be specified
Inform & advise, monitor compliance, SPOC for authorities
15. Information obligations & rights of data subjects
1. Lawfulness of processing (“on which grounds can I process data?”)
Prior opt-in remains the basic rule (+ proof required)
“Processing is required for the execution of a contract”
“Legitimate grounds”
DM “may be considered” legitimate, but “Personal data should be processed
only if the purpose of the processing could not reasonably be fulfilled by other
means”
If existing client relationship: OK, otherwise not so evidently OK
16. (Online) marketing today…
The impact of the GDPR on your marketing and prospecting
Business meets IT, Blue Point Antwerpen, 1 June 2017
Analytics – e-mail tagging
Most often no opt-in
Processing personal data (IP address)? Legitimate grounds?
18. Information obligations & rights of data subjects
2. Processing of data belonging to minors (under 13 / under 16 years old)
Always requires explicit authorisation by parents!
“Reasonable efforts” to check age and obtain authorisation
eID?, Facebook login?, credit card data?, live chat, …?
19. Information obligations & rights of data subjects
3. Information obligations
Obligation to notify data subject of the fact that his data is being / has been
collected (or transferred) without his explicit consent
Within 30 days or upon first contact
= Data obtained from booking tools, travel agency, affiliate, data brokers,
partner organisations, online collection…
20. Information obligations & rights of data subjects
3. Information obligations
Obligation falls if
Data subject already knows (= online booking engine or affiliate, travel agency, …)
or
Information provision requires disproportionate effort
(= open door to creativity…)
21. Information obligations & rights of data subjects
4. Right not to be subjected to profiling
If the person has a legitimate interest to do so, he has a right to object against
processing/profiling
Objection against processing/profiling for direct marketing purposes is always
possible
Remarketing, trigger based marketing, …
22. (Online) marketing today…
Basis of all marketing is data and profiling/segmentation
Remarketing – Segmentation – trigger based – location based
The right offer for the right consumer at the right moment
But right to be informed and right to object
Challenge: convince people not to object…
23. Information obligations & rights of data subjects
5. Right to object to automated decision-making
Right
Not to be subject to a decision
Producing legal effects / significantly affects
Solely based on automated processing of data
Intended to evaluate certain personal aspects
Examples
Creditworthiness, reliability and conduct
Also applies to DM “decisions” (e.g. send offer or not)
24. Information obligations & rights of data subjects
6. Right to be forgotten
Upon request by the data subject, the processor has to take all reasonable measures to
permanently delete the data
+ to ensure that third parties that have copies of or links to data are warned of
the request and are asked to do the same
25. Information obligations & rights of data subjects
7. “Pseudonymous data”
8. “Privacy by design”
9. “privacy by default” (cfr. recent Telenet “personalized advertising…”)
10. …
26. Helping hand
Code of Conduct
= “ethical code” of associations
Contain rules on how to handle data for their members
Can be approved by authorities
Association has to provide control/supervision
Advantage: once approved can create presumption of compliance with series of
obligations for association members
ABTO / VVR / …?
27. Be prepared…
Those who are not prepared face trouble…
Provisions of highest importance (cfr. profiling = high risk processing)
Fines up to 20 million euro
Fines up to 4% of worldwide annual turnover (for undertakings)
Reform of Privacy Commission will lead to actual enforcement…
+ Remedies for data subject
31. Independents (self-employed)
Work load +/- 2 days
Timing: 3 to 4 weeks
SMEs
Work load
Depending on size, maturity and complexity
Work load: 5 to 25 days
Timing: 1 to 4 months
Corporate entities
Depending on size, maturity and complexity
Work load: 20 to … days
Timing: 3 to 10 months
Be prepared…
32. Sirius Legal
Media & advertisement law
IP law
Internet & e-commerce
Privacy & cookies
Gambling law
Travel & consumer protection
Commercial & contracts
Corporate - tax - labour - immo
bart@siriuslegal.be
www.siriuslegal.be
@BartVdBrande
Linkedin.com/in/bartvdb