The document summarizes key aspects of the EU's General Data Protection Regulation (GDPR) that takes effect in May 2018, including:
- It expands the territorial scope of EU data protection law and sets a higher standard for consent.
- It establishes principles of accountability, data protection by design/default, and data protection impact assessments to demonstrate compliance.
- It strengthens individual rights around access, rectification, erasure, data portability, and objection to processing.
- It imposes new rules around international data transfers and increases maximum fines for noncompliance.
- Organizations should review their governance, policies, procedures and consent mechanisms to prepare for the GDPR's requirements.
1. ICTLC | www.ictlegalconsulting.com
Milan - Bologna - Rome - Amsterdam
REGULATION (EU) 2016/679
CLINIC
A strategic compliance approach
Paolo Balboni Ph.D.
Founding Partner at ICT Legal Consulting &
President of the European Privacy Association
paolo.balboni@ictlegalconsulting.com
Nicola Franchetto LL.M.
Associate at ICT Legal Consulting &
Fellow of the European Privacy Association
Nicola.franchetto@ictlegalconsulting.com
EU Data Protection Reform
• 2012: Start of reform process aiming to align data protection laws of the EU’s 28 Member States, and update rules for the digital age
• April 2016: GDPR is enacted after years of difficult negotiations
• May 4 2016: Text published in the OJEU - enters into force 20 days after publication
• May 25 2018: GDPR applies throughout the EU after 2-year transition period
Current legal framework based on Directive 95/46/EC: inconsistent patchwork of national laws.
GDPR objectives: high level of protection (maintains data protection principles), modernization, harmonization, more effective implementation
Applicable Law Rules
• Broader territorial reach than the current regime
• Test 1: GDPR applies where processing takes place “in the context of the activities of an establishment of a controller or processor in the EU”
• Test 2: GDPR applies to controllers outside the EU when processing activities relate to:
• offering goods or services to data subjects in the EU
• monitoring the behavior of data subjects in the EU
• The “making use of equipment” test no longer applies
Key Definitions (i)
• Controller - retained
• The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Processor - retained
• A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
• Consent - amended
• Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
• Main establishment – new
• As regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment.
Key Definitions (ii)
• Personal Data - retained
• Any information relating to an identified or identifiable natural person ('data subject').
• Data Subject - new
• An identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
• Special – i.e., sensitive – Data - amended
• Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
• Pseudonymization - new
• The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Substantive Principles (i)
• Lawfulness, fairness, and transparency
• Purpose limitation
• Incompatible further processing still prohibited
• Criteria for assessing compatibility identified
• Further non-consensual uses allowed in certain cases
• where required by law; or
• for scientific or historical research or statistical purposes
• Data minimization
• Accuracy
• Including erasure and rectification “without delay”
• Storage limitation
Substantive Principles (ii)
• Lawfulness of processing
• Legitimate interests
• still a valid legal basis to process non-sensitive data
• balanced against the interests and fundamental rights and freedoms of the individual – extra protection for children
• reasonable expectations of the individual
• Consent
• specific and informed
• unambiguous
• statement or clear affirmative action
• freely given – not the case where:
• imbalance between the controller and the data subject
• consent for non-essential processing is a precondition to entering into a contract
• special rules relating to children in the context of information society services
• Other available grounds for lawfulness
Substantive Principles (iii)
• Special data
• Processing prohibited unless the GDPR permits it
• Biometric and genetic data are sensitive data
• Room for stricter Member State rules where processing is based on health, biometric, and genetic data
• Profiling
• Restrictions where profiling has:
• legal consequences; or
• significantly affects the individual
• Only allowed in exceptional cases
• necessary to enter into or for the performance of a contract
• authorized by EU or Member State law
• explicit consent
• Profiling with special data prohibited unless explicit consent or substantial public interest backed by EU or Member State law
Accountability (i)
• Responsibility of controllers
• To ensure and to be able to demonstrate compliance of data processing with the GDPR
• may include appropriate data protection policies, approved codes of conduct or certification mechanisms
• Data protection by design and by default
• Controllers to put in place measures to effectively implement data protection principles and to integrate necessary safeguards to comply with the GDPR and to protect data subjects’ rights
• e.g., pseudonymization and data minimization
• Controllers to implement privacy settings so that only minimal necessary personal data are processed
• e.g., personal data are not made public by default
Accountability (ii)
• Data protection officer (“DPO”)
• Potentially required for controllers and processors
• Must designate a DPO where core activities involve monitoring data subjects or processing special categories of data “on a large scale”
• EU law or laws of Member States may provide for other situations where DPOs must be appointed
• groups of undertakings may appoint a single DPO
• Significant powers and independence of DPOs
Accountability (iii)
• Data protection impact assessment (“DPIA”) of envisaged processing operations prior to the processing
• Mandatory for controllers where processing is likely to result in “high risks” for the rights and freedoms of individuals, in particular:
• systematic and extensive evaluation of personal aspects based on automated processing and on which decisions with legal effects or similar significant effects on the individuals are based
• processing on a large scale of special categories of data
• systematic monitoring of a publicly accessible area on a large scale
• Supervisory authorities (“SAs”) to establish a list of processing for which a DPIA is (not) required
• Prior consultation of SA where the DPIA indicates high risks
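The DPIA triggers on this slide, the DPO criterion on the previous one ("core activities involve monitoring data subjects or processing special categories of data on a large scale"), and the lawfulness, storage-limitation and data-protection-by-default points from the earlier slides can be expressed as a screening pass over an Art. 30 record of processing, which is how the accountability obligation is usually operationalised. The Python below is an added example written for this page, not code from the slides or from ICTLC; the ProcessingActivity field set, the finding strings and the four sample activities are constructed assumptions for illustration.

```python
"""Screen a record of processing activities (Art. 30) against the DPIA and DPO
triggers listed on the accountability slides. Added example; the field names,
finding texts and sample activities are assumptions, not taken from the deck."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcessingActivity:
    """One entry of the record of processing (field set is an assumption)."""
    name: str
    purposes: List[str]
    legal_basis: Optional[str]                 # e.g. "contract", "explicit consent", "legitimate interests"
    special_categories: bool = False           # health, genetic, biometric, ... (Art. 9 data)
    large_scale: bool = False
    systematic_monitoring: bool = False        # monitoring of data subjects' behaviour
    public_area_monitoring: bool = False       # e.g. cameras covering a publicly accessible area
    automated_decisions_with_legal_effects: bool = False
    retention_period: Optional[str] = None     # storage limitation / information to data subjects
    public_by_default: bool = False            # records published unless the user opts out


def dpia_required(a: ProcessingActivity) -> bool:
    """The three 'high risk' indicators the DPIA slide lists."""
    return (
        a.automated_decisions_with_legal_effects
        or (a.special_categories and a.large_scale)
        or (a.public_area_monitoring and a.large_scale)
    )


def dpo_indicated(a: ProcessingActivity) -> bool:
    """Core activity = large-scale monitoring or large-scale special-category processing."""
    return a.large_scale and (a.systematic_monitoring or a.special_categories)


def screen(a: ProcessingActivity) -> List[str]:
    """Return the compliance findings for one activity, in a fixed order."""
    findings: List[str] = []
    if a.legal_basis is None:
        findings.append("no legal basis recorded")
    elif a.special_categories and a.legal_basis == "legitimate interests":
        # Legitimate interests remains a basis for non-sensitive data only.
        findings.append("legitimate interests cannot justify special-category data")
    if dpia_required(a):
        findings.append("DPIA required before processing starts")
    if dpo_indicated(a):
        findings.append("DPO designation indicated")
    if a.retention_period is None:
        findings.append("retention period missing")
    if a.public_by_default:
        # Data protection by default: personal data are not made public by default.
        findings.append("data public by default")
    return findings


def screen_register(register: List[ProcessingActivity]) -> Dict[str, List[str]]:
    """Map every activity name to its findings; an empty list means no finding."""
    return {a.name: screen(a) for a in register}


# Constructed sample register (fictitious activities).
SAMPLE_REGISTER = [
    ProcessingActivity("payroll", ["salary payment"], "contract",
                       retention_period="10 years"),
    ProcessingActivity("wellness-app", ["health coaching"], "explicit consent",
                       special_categories=True, large_scale=True,
                       retention_period="account lifetime"),
    ProcessingActivity("ad-profiling", ["behavioural advertising"], "legitimate interests",
                       large_scale=True, systematic_monitoring=True,
                       public_by_default=True),
    ProcessingActivity("campus-cctv", ["site security"], None,
                       large_scale=True, public_area_monitoring=True,
                       retention_period="30 days"),
]


if __name__ == "__main__":
    for name, findings in screen_register(SAMPLE_REGISTER).items():
        print(f"{name}: {findings or 'no findings'}")
```

The screen is deliberately conservative: it flags what the slides say triggers an obligation and leaves the SA-maintained DPIA list and Member State DPO rules, which the deck mentions but does not enumerate, to a manual follow-up.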
Accountability (iv)
• Data security
• Enhanced obligations both for controllers and processors in comparison to the current regime
• List of possible types of security measures
• Data breach notification
• Controllers to notify the competent SA “without undue delay” and, where feasible, no later than 72 hours after becoming aware
• unless data breach is unlikely to result in a risk for rights and freedoms of individuals
• Processors to notify controllers without undue delay
• Controllers to communicate personal data breach to data subjects if likely to result in a “high risk” for the rights and freedoms of individuals, subject to exceptions (e.g., encryption)
• Form and content requirements
• Controllers to document data breaches and to provide to SA
Accountability (v)
• Additional obligations and liability for processors
• Certain provisions directly applicable to processors
• e.g., DPO designation, records of processing, security of processing, data breach notification
• Extended minimum requirements for processor agreements and restrictions on sub-processing
• Reduced administrative burden
• Notification and authorization requirements considerably relaxed
• Quid pro quo of reinforced accountability and record-keeping obligations
Data Subject Rights (i)
• General points
• Controllers must facilitate the exercise of rights
• Controllers may not charge data subjects a fee
• unless they can show that requests are “manifestly unfounded or excessive”
• Set time limits for responding
• Right to be provided with fair processing information
• Right to access
• In addition to information required under existing law, controllers must now provide, for example, information regarding:
• anticipated retention period
• existence of profiling
• safeguards relating to international transfers
• GDPR recommends “where possible” providing users with “remote access to a secure system”
Data Subject Rights (ii)
• Right to rectify
• Right to rectify inaccurate data and incomplete data
• Right to restrict processing
• Right to restrict processing in certain cases
• where the accuracy of the data is contested
• where the data subject has objected to processing on grounds argued as legitimate by the controller
• Suggested mechanisms to restrict
• temporarily moving data to another processing system
• using technical means to ensure that the data are not subject to further processing operations and cannot be changed
• Right to object to processing
• Where processing is pursuant to the controller’s legitimate interests
• Or processing for the purposes of direct marketing
Data Subject Rights (iii)
• Right to erasure – “right to be forgotten”
• Right to require erasure of personal data without undue delay in certain cases
• e.g., data no longer necessary for original purposes, consent withdrawn where previously provided, data subject objects and no legitimate grounds, etc.
• Obligation to take reasonable steps to inform third parties
• Limited exceptions
• right of freedom of expression and information, public health interest, legal claims, etc.
• Right to data portability
• Right to receive personal data in a structured, commonly-used, and machine-readable format in certain cases
• Right that the controller transmit personal data to another controller “where technically feasible”
International Transfers (i)
• Basic principles remain the same
• Restrictions on transfers to non-adequate countries outside the EU
• Existing adequacy decisions remain in force until amended, replaced or repealed
• Authorizations granted by SAs and the existing Standard Contract Clauses (SCC) remain valid until amended, replaced or repealed
• Major changes
• GDPR applies to onward transfers, irrespective of transfer mechanism used
• Binding Corporate Rules (BCR) and SCC
• BCR expressly recognized by the GDPR
• no prior approval from SAs for transfers based on Commission SCC and approved BCR
• local SAs authorized to issue own SCCs
• Approved codes of conduct and seals
• can now be used as a basis for international transfers
International Transfers (ii)
• Major changes (continued)
• Derogations “for specific situations”
• consent
• must be explicit and transparent regarding the risks of the transfer
• compelling legitimate interest introduced as a new derogation
• subsidiary ground – only if contracts, BCRs or other derogations cannot be used
• non-repetitive transfer
• only for a limited number of data subjects
• legitimate interest not overridden by the interests, rights, and freedoms of data subjects
• controller assessed all the circumstances surrounding the transfer and applied suitable safeguards
• obligation to inform the SA and the data subjects about the transfer
International Transfers (iii)
• Major changes (continued)
• Non-EU judicial or administrative procedures
• data transfer requests can only be recognized or enforceable in the EU if based on an international agreement, such as an MLAT
• such transfers can also take place if the controller or processor can rely on another ground in the GDPR for international transfers
• Member States may restrict data transfers
• in the absence of an adequacy decision
• for specific categories of personal data only
• restrictions must be based on important reasons of public interest
• Member States must notify the Commission
Enforcement, Remedies & Liabilities (i)
• At Member State level
• Through the Supervisory Authorities (SAs)
• Harmonized powers
• investigative powers (audits, access to data, and premises)
• authorization and advisory powers (Codes of Conduct, BCRs)
• corrective powers (order to comply, ban on processing, suspension of data flows, fines)
Enforcement, Remedies & Liabilities (ii)
• Fines
• Among the most significant changes introduced by the GDPR
• Up to the greater of 2% of an undertaking’s total annual worldwide turnover or €10 million for a large number of violations
• Up to the greater of 4% of an undertaking’s total annual worldwide turnover or €20 million for a more limited set of violations, including
• violation of data subject rights
• violation of the basic principles for processing (legal basis, new consent rules, sensitive data)
• violation of the data transfer rules
• Not automatic – series of considerations that influence the fine
Enforcement, Remedies & Liabilities (iii)
• One-stop-shop
• Not much left of original idea
• Interplay between Lead Supervisory Authority (“LSA”) and Supervisory Authority Concerned (“SAC”)
• LSA = the SA of the main establishment of the controller in the EU
• SAC = an SA is concerned where:
• controller or processor have an establishment in the territory of the SAC
• data subjects residing in the territory of the SAC are substantially affected
• the SAC received a complaint
Enforcement, Remedies & Liabilities (iv)
• One-stop-shop (continued)
• Cross-border processing: the LSA is the competent authority but it has to co-operate with one or more SACs in accordance with the co-operation procedure laid out in art. 54a of the GDPR
• SAC may object to planned course of action suggested by the LSA - if no consensus, then complicated process for resolving
• Local issues: each SAC is competent to deal with:
• a complaint that it received
• a possible infringement of the GDPR, if the subject matter relates only to an establishment in its Member State or only affects data subjects in its Member State (e.g., processing of HR data)
Enforcement, Remedies & Liabilities (v)
• Data subjects’ right to remedies
• Right to lodge a complaint with an SA for processing of their data in violation with the GDPR
• Right to start legal action
• against an SA for failure to investigate a complaint or keeping the data subject informed
• against a controller or processor for processing of their data in violation with the GDPR (courts where controller or processor is established/courts of place of residence of data subject)
• Right to obtain compensation for material or immaterial damage
• joint liability of controllers and processors for the entire damage
• Class actions
• certain not-for-profit organizations can be mandated by data subjects to lodge complaints and claim compensation on their behalf
• Member States may also mandate organizations to act on behalf of data subjects
How to Prepare?
• Review your governance structure
• Review your privacy policies
• Prepare adequate data breach procedures and templates
• Prepare response mechanisms for data subject requests
• Start implementing privacy by design and by default
• Appoint a DPO
• Revise informed consent forms and methods to obtain consent
• Implement data protection impact assessments
[Diagram: Simplified Data Processing Cycle, linking Accountability; Data protection by design & by default; Data protection impact assessment; Information to the data subject; Legitimate basis; Rights of the data subject]
ICTLC | info@ictlegalconsulting.com - www.ictlegalconsulting.com
“Excellence is not an act, but a habit” Aristotle
Thank you for your attention!
ICTLC | Paolo Balboni
PAOLO BALBONI, Ph.D - President of the European Privacy Association, Cloud Computing Sector Director and responsible for Foreign Affairs at the Italian Institute for Privacy, Lawyer admitted to the Milan Bar specialised in ICT, new technologies law and personal data protection. Lead Auditor BS ISO/IEC 27001:2013 (IRCA Certified). He provides legal advice to multinational companies, especially concerning personal data protection, e-contracts, e-commerce, e-marketing, advertising, cloud computing, Web 2.0 service providers' liability, Internet content providers’ liability, e-signatures, digital retention of documents and intellectual property rights. He also advises celebrities on privacy and copyright matters. He has considerable experience in the following areas: IT, media & entertainment, e-Health, fashion and banking.
Author of the book ‘Trustmarks in E-commerce’, Paolo Balboni is a Research Associate at Tilburg University (The Netherlands), where he lectures in the “Liability of Web 2.0 Service Providers” master course. He was selected to be part of the drafting group of the European Union Commission Data Protection Code of Conduct for Cloud Service Providers (under Key Action 2: Safe and fair contract terms and conditions of the European Union Cloud Strategy). He co-chairs the Privacy Level Agreement (PLA) Working Group of Cloud Security Alliance and has acted as the legal counsel for the European Network and Information Security Agency (ENISA) projects on ‘Cloud Computing Risk Assessment’, ‘Security and Resilience in Governmental Clouds’, ‘Procure Secure: A guide to monitoring of security service levels in cloud contracts’ and ‘Common Assurance Maturity Model – Beyond the Cloud (CAMM)’. He is actively involved in European Commission studies on new technologies and data protection.
He obtained his Law Degree with distinction from the University of Bologna in 2002 and a Ph.D. from Tilburg University on Comparative ICT Law in 2008. He speaks fluent Italian, English and Dutch, and has good knowledge of French, Spanish and German.
ICTLC | Contacts
ICTLC | ICT Legal Consulting is present in 19 other countries:
Australia, Austria, Belgium, Brasil, China, France, Germany, Greece, Mexico, Poland, Portugal, United Kingdom, Romania, Russia, Slovakia, Spain, United States, Turkey, Hungary
Milano
Via Zaccaria, 4
20122 - Milano - Italia
Phone: +39 02 84247194
Fax: +39 02 700512101
Bologna
Via Ugo Bassi, 3
40121 - Bologna - Italia
Phone: +39 051 272036
Fax: +39 051 272036
Roma
Piazza di San Salvatore in Lauro, 13
00186 - Roma - Italia
Phone: +39 06 97842491
Fax: +39 06 23328983
Amsterdam
Veemkade, 396
1019 HE - Amsterdam – The Netherlands
Phone: +31 (0)20 894 6338
Fax: +31 (0)20 808 5050
Email contact
info@ictlegalconsulting.com
Skype contact
Ict.legal.consulting
Editor's Notes
Art. 6(4): “the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
(d) the possible consequences of the intended further processing for data subjects;
(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.”
(Cash register) To register/record privacy transactions in order to demonstrate compliance
Art. 30: Records of processing
Art. 32(1): “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
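The Art. 4(5) definition of pseudonymization quoted on the Key Definitions (ii) slide and measure (a) of the Art. 32(1) list above both turn on one engineering property: the pseudonymised data set on its own must not be attributable to a person, while the "additional information" that allows re-identification is kept separately under its own controls. The Python below is an added example written for this page, not code from the slides or from ICTLC. The record contents are constructed, and the keyed-hash scheme and the SeparateKeyStore class are my illustration of the separation the definition asks for, not a mechanism the deck prescribes.

```python
"""Pseudonymise a record set while keeping the re-identification material
(key plus reverse map) in a separate store. Added example; sample records and
the SeparateKeyStore design are constructed for illustration."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records: fictitious people and values.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "anna.rossi@example.com", "city": "Milano", "blood_group": "A+"},
    {"email": "luca.bianchi@example.com", "city": "Bologna", "blood_group": "0-"},
    {"email": "anna.rossi@example.com", "city": "Milano", "blood_group": "A+"},
]

# Fields that directly identify the data subject and must be replaced.
DIRECT_IDENTIFIERS = ("email",)


class SeparateKeyStore:
    """The 'additional information' of Art. 4(5): a secret key and the reverse
    mapping. It belongs in its own trust boundary (separate service, HSM, ...),
    never stored alongside the pseudonymised data set."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Fresh 256-bit key unless one is supplied (supplying one only makes tests deterministic).
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reverse: Dict[str, str] = {}

    def pseudonym_for(self, value: str) -> str:
        # Keyed hash: same input gives the same pseudonym, so records stay linkable,
        # but without the key nobody can regenerate pseudonyms from guessed inputs,
        # which an unkeyed hash of a low-entropy value such as an e-mail address would allow.
        tag = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        self._reverse[tag] = value
        return tag

    def reidentify(self, tag: str) -> Optional[str]:
        return self._reverse.get(tag)


def pseudonymise(records: List[Dict[str, str]], store: SeparateKeyStore,
                 identifiers=DIRECT_IDENTIFIERS) -> List[Dict[str, str]]:
    """Return copies of the records with every direct identifier replaced by its pseudonym."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in identifiers:
            if field in new:
                new[field] = store.pseudonym_for(new[field])
        out.append(new)
    return out


def reidentify(records: List[Dict[str, str]], store: SeparateKeyStore,
               identifiers=DIRECT_IDENTIFIERS) -> List[Dict[str, str]]:
    """Reverse the mapping; only possible for whoever holds the separate store."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in identifiers:
            if field in new:
                original = store.reidentify(new[field])
                if original is None:
                    raise KeyError(f"no mapping held for pseudonym in field {field!r}")
                new[field] = original
        out.append(new)
    return out


def leaks_identifier(records: List[Dict[str, str]], identifiers=DIRECT_IDENTIFIERS,
                     originals: List[Dict[str, str]] = SAMPLE_RECORDS) -> bool:
    """True if any original identifier value survives in the pseudonymised set."""
    seen = {r[f] for r in originals for f in identifiers if f in r}
    return any(r.get(f) in seen for r in records for f in identifiers)


if __name__ == "__main__":
    store = SeparateKeyStore()
    pseud = pseudonymise(SAMPLE_RECORDS, store)
    for r in pseud:
        print(r)
    assert not leaks_identifier(pseud)
    assert reidentify(pseud, store) == SAMPLE_RECORDS
```

Note that the remaining attributes (city, blood group) may still single a person out in a small population; pseudonymisation removes the direct identifier and is one of the measures listed, not a substitute for data minimisation.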
Art. 28(4): “Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.”