The EU General Data Protection Regulation (GDPR)
If you cannot hear us speaking, please make sure you have called into the teleconference number on your invite information.
- UK participants: 0800 279 5994
- Outside the UK: +44 (0) 1452 584 233
- Event Code: 585 479 55
The audio portion is available via conference call. It is not broadcast through your computer.
*This webinar is offered for informational purposes only, and the content should not be construed as legal advice on any matter.
Tuesday, December 22, 2015
15:00 GMT / 16:00 CET / 10:00 EST
WELCOME TO OUR WEBINAR
Welcome
- You are on mute
- A link to a recording of the webinar will be made available
Today's speakers
Carol Umhoefer, Partner, DLA Piper, Paris
firstname.lastname@dlapiper.com or dataprivacy@dlapiper.com
Giangiacomo Olivi, Partner, DLA Piper, Milano
EU General Data Protection Regulation 2
Speaker: Patrick van Eecke, Partner, DLA Piper, Brussels
The GDPR in 20 Questions
1. Why all the buzz around the EU General Data Protection Regulation?
- One law, directly applicable in all 28 Member States.
- Replaces the 1995 Data Protection Directive and the national laws transposing the Directive.
- Will apply from 2018 – national laws apply until then.
- Big picture implications: Will the EU continue to lead the way in personal data protection?
Speaker: Carol Umhoefer, Partner, DLA Piper, Paris
2. Has it been adopted now? Are these really the final rules?
- Last week
  - 17 December: EP LIBE endorsed the texts agreed in the trilogues.
  - 18 December: COREPER confirmed the final compromise texts.
- Next weeks
  - Early 2016: Legal-linguistic review of the texts
  - Early 2016: Adoption by the Council
  - Early 2016: Adoption by the Parliament
- Spring 2016
  - Publication in the Official Journal
  - 20 days after publication: entry into force
- 2016-2017
  - Delegated acts/implementing acts
- Spring 2018
  - Application of the rules
Speaker: Patrick van Eecke, Partner, DLA Piper, Brussels
3. To whom does it apply?
- Processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing itself takes place within the EU.
- Processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services to data subjects in the European Union (irrespective of whether a payment by the data subject is required), or related to the monitoring of the behaviour of such data subjects as far as their behaviour takes place within the EU.
Speaker: Giangiacomo Olivi, Partner, DLA Piper, Milan
4. Do the principles stay the same or are we starting over?
- Personal data must be processed lawfully, fairly and in a transparent manner.
- Personal data must be processed for specified, explicit and legitimate purposes and not further processed in an incompatible way.
- Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes.
- Personal data must be accurate and, where necessary, kept up to date.
- Personal data must be kept in a form that permits identification of data subjects for no longer than necessary for the purposes.
- Personal data must be processed in a way that ensures appropriate security, using appropriate technical or organizational measures.
And a new principle: the controller shall be responsible for, and be able to demonstrate, compliance with the principles.
Speaker: Carol Umhoefer, Partner, DLA Piper, Paris
5. How large are the fines likely to be?
- Graduated approach – up to 4% of worldwide turnover maximum.
- Due regard is to be given to:
  - the nature, gravity and duration of the infringement;
  - the intentional character of the infringement;
  - actions taken to mitigate the damage suffered;
  - degree of responsibility (e.g. data protection by design or by default) or any relevant previous infringements;
  - cooperation with the supervisory authority (and the manner in which the supervisory authority learned of the infringement);
  - categories of personal data affected;
  - compliance with measures ordered;
  - adherence to a code of conduct (or certification mechanism);
  - other aggravating or mitigating factors (e.g. financial benefits, etc.)
Speaker: Giangiacomo Olivi, Partner, DLA Piper, Milan
6. Will international transfer mechanisms be affected?
- Same philosophy as before, i.e. only under very strict conditions:
  - Adequacy decisions by the Commission.
  - Appropriate safeguards, such as:
    - Binding corporate rules;
    - Standard data protection clauses adopted by the Commission or by a supervisory authority, or contractual clauses authorised by a supervisory authority;
  - Derogations: explicit consent / necessary for performance of the agreement / …
- What about legal disclosure obligations?
  - "Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty."
Speaker: Patrick van Eecke, Partner, DLA Piper, Brussels
7. Will we need to appoint a DPO or not?
- Yes and No! A DPO is to be designated when the core activities of the controller / processor:
  - require regular and systematic monitoring of data subjects on a large scale;
  - consist of processing on a large scale of "special categories of data" (Art. 9) or data relating to criminal convictions.
- A group of undertakings may appoint a single DPO.
- A DPO may be a staff member or a consultant (service contract), reporting to the highest management level.
- Tasks include:
  - inform and advise the controller / processor (and employees) of their obligations;
  - monitor compliance with the GDPR;
  - advise on data protection impact assessments;
  - cooperate with the supervisory authority (including acting as point of contact).
Speaker: Giangiacomo Olivi, Partner, DLA Piper, Milan
8. How will one-stop-shop change our compliance program?
- One-stop-shop is relevant to interactions with supervisory authorities in relation to cross-border processing.
- The definition of cross-border processing could be clarified, even if the intent is clear.
- With respect to its cross-border processing, the controller or processor will deal only with its lead supervisory authority.
- Exceptions may apply – for example, issues arising in a single Member State; employee data processing; healthcare data processing.
Speaker: Carol Umhoefer, Partner, DLA Piper, Paris
9. What will we need to do in case of a data breach?
- Notification to the supervisory authority without undue delay and, where feasible, no more than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.
- Reasoned justification in case the breach is not notified within 72 hours.
- Data subjects shall be notified without undue delay if the breach is likely to result in a high risk for the rights and freedoms of individuals, to allow them to take the necessary precautions.
- Communication to the data subject is not required if the controller:
  - implemented appropriate technical and organisational measures that rendered the data affected unintelligible (e.g. encryption);
  - took subsequent measures to ensure that the high risks are no longer likely to materialise;
  - or if communication would require disproportionate effort.
Speaker: Giangiacomo Olivi, Partner, DLA Piper, Milan
10. Can we still process personal data on the basis of consent?
- Yes, but:
  - consent should be freely given, specific, informed and unambiguous;
  - given by a statement or clear affirmative action;
  - the controller has the burden of proof.
- In practice:
  - ticking a box, choosing technical settings, or conduct clearly indicating acceptance of the proposed processing.
  - Silence, pre-ticked boxes or inactivity should not constitute consent.
  - Contract performance cannot be made conditional on consent if the processing is not necessary for the contract.
Speaker: Patrick van Eecke, Partner, DLA Piper, Brussels
11. Can we still process personal data on the basis of legitimate interests?
- Yes – with some changes:
  - Obligation to specifically inform data subjects.
  - Data subject entitled to require restriction of processing of his/her data while it is verified whether fundamental rights override the legitimate interests.
  - Reasonable expectations of data subjects should be given consideration, such as when a data subject is a client or in the service of the controller.
  - Examples: preventing fraud; ensuring network and information security.
  - Direct marketing purposes may be regarded as carried out for a legitimate interest?
Speaker: Carol Umhoefer, Partner, DLA Piper, Paris
12. Will data collection from kids become illegal?
- No – the general principles of lawfulness of processing (Art. 6) shall apply.
- Processing of personal data of a child below the age of 16 years requires consent given or authorized by the parent (or other holder of parental responsibility).
- Member States can lower the age threshold (but not below 13 years).
- The controller shall make reasonable efforts to verify that consent is given or authorized by the holder of parental responsibility over the child.
- Rules are to consider available technology and not to affect general contract law.
Speaker: Giangiacomo Olivi, Partner, DLA Piper, Milan
13. Will individuals get new rights?
- Yes – several new and expanded rights.
- Data portability.
- Restriction of processing.
- Expanded right of erasure – the Right To Be Forgotten.
- Rights regarding profiling: using data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Speaker: Carol Umhoefer, Partner, DLA Piper, Paris
14. Will we get new types of sensitive data?
- General rule – prohibition on processing personal data revealing:
  - racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data in order to uniquely identify a person, or data concerning health or sex life and sexual orientation.
- But 10 exceptions apply:
  - explicit consent
  - vital interest
  - assessment of the working capacity of the employee
  - public health, …
- Pay attention!
  - Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or health data.
Speaker: Patrick van Eecke, Partner, DLA Piper, Brussels
15. Does the Regulation still apply if we de-identify our data?
- Information that does not relate to an identified or identifiable natural person, or data rendered anonymous in such a way that the data subject is not or no longer identifiable, will not be subject to the Regulation.
- Data that has undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, is personal data subject to the Regulation.
- To determine whether a person is identifiable, account should be taken of all the means reasonably likely to be used, looking at all objective factors, such as the costs and amount of time required, available technology at the time of the processing, and technological developments.
Speaker: Carol Umhoefer, Partner, DLA Piper, Paris
16. When will we need to conduct a privacy impact assessment?
- When processing uses new technologies and is likely to result in a risk for the rights and freedoms of individuals. In particular:
  - systematic and extensive evaluation of personal aspects based on automated processing (including profiling), on which decisions are made that significantly affect the individual.
  - large scale processing of "special categories of data" or criminal data.
  - systematic monitoring of a publicly accessible area on a large scale.
- A single assessment may address a set of similar processing operations with similar risks.
- The supervisory authority is to publish a list of operations subject (and not subject) to data protection impact assessment.
- The assessment is to be reviewed when the risk changes.
Speaker: Giangiacomo Olivi, Partner, DLA Piper, Milan
17. We've always acted as a processor – what will our liability be?
(C = controller, P = processor)
- Direct claims: a data subject can lodge a complaint directly against a P (administrative as well as judicial).
- Qualified liability: a P shall be liable for the damage caused by the processing only where it has not complied with obligations of this Regulation specifically directed to Ps, or has acted outside or contrary to lawful instructions of the C.
- Burden of proof: a C or P shall be exempted from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
- Joint and several liability: where more than one C or P are involved in the same processing and are responsible for any damage caused by the processing, each shall be held liable for the entire damage, in order to ensure effective compensation of the data subject.
- Liable for sub-processors: where that other P fails to fulfil its data protection obligations, the initial P shall remain fully liable to the C for the performance of that other processor's obligations.
Speaker: Patrick van Eecke, Partner, DLA Piper, Brussels
18. Is it true the G29 will be dissolved?
- An independent body of the Union with legal personality – the European Data Protection Board – will be established.
- It will replace the Article 29 Working Party.
- Composed of the head of a supervisory authority in each Member State and the European Data Protection Supervisor, or their respective representatives.
- Contributes to the consistent application of the GDPR.
- Empowered to issue binding decisions.
- Decisions subject to action for annulment before the Court of Justice of the European Union.
Speaker: Carol Umhoefer, Partner, DLA Piper, Paris
19. Will the regulators be issuing guidelines or recommendations?
- The Commission will be granted implementing powers.
- Implementing acts:
  - approved codes of conduct;
  - technical standards for certification mechanisms and data protection seals and marks;
  - third country adequacy decisions;
  - format and procedures for the exchange of information between stakeholders for BCRs.
- Delegated acts:
  - information to be presented by the icons;
  - procedures for providing standardised icons;
  - requirements for the data protection certification mechanisms.
Speaker: Patrick van Eecke, Partner, DLA Piper, Brussels
20. How far does harmonization really go?
- Member State law should reconcile rules governing freedom of expression and information with the protection of personal data.
- Member State law or collective agreements may provide for specific rules on employee personal data processing, for example, conditions under which data can be processed on the basis of employee consent.
- Member States may adopt specific rules if necessary to reconcile the right to the protection of personal data with an obligation of professional secrecy.
- Member States may maintain or introduce more specific requirements for processing pursuant to legal obligations under Member State law.
Speaker: Giangiacomo Olivi, Partner, DLA Piper, Milan
Stay Informed
- Subscribe to our Privacy Matters blog for regular updates: http://blogs.dlapiper.com/privacymatters/
- Access our Data Protection Laws of the World Handbook at www.dlapiperdataprotection.com
  - New edition to be released Q1 2016
QUESTIONS
dataprivacy@dlapiper.com / www.dlapiperdataprotection.com
Enjoy your holidays!

NO1 Verified kala jadu karne wale ka contact number kala jadu karne wale baba...NO1 Verified kala jadu karne wale ka contact number kala jadu karne wale baba...
NO1 Verified kala jadu karne wale ka contact number kala jadu karne wale baba...
 
Call Girls In Okhla DELHI ~9654467111~ Short 1500 Night 6000
Call Girls In Okhla DELHI ~9654467111~ Short 1500 Night 6000Call Girls In Okhla DELHI ~9654467111~ Short 1500 Night 6000
Call Girls In Okhla DELHI ~9654467111~ Short 1500 Night 6000
 
Sustainable Packaging
Sustainable PackagingSustainable Packaging
Sustainable Packaging
 
The Most Attractive Pune Call Girls Shirwal 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Shirwal 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Shirwal 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Shirwal 8250192130 Will You Miss This Cha...
 
Booking open Available Pune Call Girls Parvati Darshan 6297143586 Call Hot I...
Booking open Available Pune Call Girls Parvati Darshan  6297143586 Call Hot I...Booking open Available Pune Call Girls Parvati Darshan  6297143586 Call Hot I...
Booking open Available Pune Call Girls Parvati Darshan 6297143586 Call Hot I...
 
Call Girls Mumbai Gayatri 8617697112 Independent Escort Service Mumbai
Call Girls Mumbai Gayatri 8617697112 Independent Escort Service MumbaiCall Girls Mumbai Gayatri 8617697112 Independent Escort Service Mumbai
Call Girls Mumbai Gayatri 8617697112 Independent Escort Service Mumbai
 

9222290.ppt

  • 5. 2. Has it been adopted now? Are these really the final rules?
    - Last week
      - 17 December: EP LIBE endorsed the texts agreed in the trilogues.
      - 18 December: COREPER confirmed the final compromise texts.
    - Next weeks
      - Early 2016: Legal-linguistic review of the texts
      - Early 2016: Adoption by the Council
      - Early 2016: Adoption by the Parliament
    - Spring 2016
      - Publication in Official Journal
      - 20 days after publication: enter into force
    - 2016-2017
      - Delegated acts/implementing acts
    - Spring 2018
      - Application of the rules
    Speaker: Patrick van Eecke, Partner, DLA Piper, Brussels
  • 6. 3. To whom does it apply?
    - Processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing itself takes place within the EU.
    - Processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services to data subjects in the European Union (irrespective of whether a payment of the data subject is required), or related to the monitoring of the behaviour of such data subjects as far as their behaviour takes place within the EU.
    Speaker: Giangiacomo Olivi, Partner, DLA Piper, Milan
  • 7. 4. Do the principles stay the same or are we starting over?
    - Personal data must be processed lawfully, fairly and in a transparent manner.
    - Personal data must be processed for specified, explicit and legitimate purposes and not further processed in an incompatible way.
    - Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes.
    - Personal data must be accurate and, where necessary, kept up to date.
    - Personal data must be kept in a form that permits identification of data subjects for no longer than necessary for the purposes.
    - Personal data must be processed in a way that ensures appropriate security, using appropriate technical or organizational measures.
    And a new principle: the controller shall be responsible for, and be able to demonstrate, compliance with the principles.
    Speaker: Carol Umhoefer, Partner, DLA Piper, Paris
  • 8. 5. How large are the fines likely to be?
    - Graduated approach: up to 4% of worldwide turnover maximum.
    - Due regard is to be given to:
      - the nature, gravity and duration of the infringement;
      - the intentional character of the infringement;
      - actions taken to mitigate the damage suffered;
      - degree of responsibility (e.g. data protection by design or by default) or any relevant previous infringements;
      - cooperation with the supervisory authority (and the manner in which the supervisory authority learned of the infringement);
      - categories of personal data affected;
      - compliance with measures ordered;
      - adherence to a code of conduct (or certification mechanism);
      - other aggravating or mitigating factors (e.g. financial benefits, etc.).
    Speaker: Giangiacomo Olivi, Partner, DLA Piper, Milan
  • 9. 6. Will international transfer mechanisms be affected?
    - Same philosophy as before, i.e. only under very strict conditions:
      - Adequacy decisions by the Commission.
      - Appropriate safeguards, such as:
        - Binding corporate rules;
        - Standard data protection clauses adopted by the Commission or by a supervisory authority, or contractual clauses authorised by a supervisory authority;
      - Derogations: explicit consent / necessary for performance of the agreement / …
    - What about legal disclosure obligations?
      "Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty."
    Speaker: Patrick van Eecke, Partner, DLA Piper, Brussels
  • 10. 7. Will we need to appoint a DPO or not?
    - Yes and no! A DPO is to be designated when the core activities of the controller / processor:
      - require regular and systematic monitoring of data subjects on a large scale;
      - consist of processing on a large scale of "special categories of data" (Art. 9) or data relating to criminal convictions.
    - A group of undertakings may appoint a single DPO.
    - A DPO may be a staff member or a consultant (service contract), and reports to the highest management level.
    - Tasks include:
      - inform and advise the controller / processor (and employees) of their obligations;
      - monitor compliance with the GDPR;
      - advise on data protection impact assessments;
      - cooperate with the supervisory authority (including acting as point of contact).
    Speaker: Giangiacomo Olivi, Partner, DLA Piper, Milan
  • 11. 8. How will one-stop-shop change our compliance program?
    - One-stop-shop is relevant to interactions with supervisory authorities in relation to cross-border processing.
    - The definition of cross-border processing could be clarified, even if the intent is clear.
    - With respect to its cross-border processing, the controller or processor will deal only with its lead supervisory authority.
    - Exceptions may apply, for example: issues arising in a single Member State; employee data processing; health-care data processing.
    Speaker: Carol Umhoefer, Partner, DLA Piper, Paris
  • 12. 9. What will we need to do in case of a data breach?
    - Notification to the supervisory authority without undue delay and, where feasible, no more than 72 hours later, unless the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.
    - Reasoned justification in case the breach is not notified within 72 hours.
    - Data subjects shall be notified without undue delay if the breach is likely to result in a high risk for the rights and freedoms of individuals, to allow them to take the necessary precautions.
    - Communication to the data subject is not required if the controller:
      - implemented appropriate technical and organisational measures that rendered the data affected unintelligible (e.g. encryption);
      - took subsequent measures to ensure that the high risks are no longer likely to materialise;
      - or if communication would involve disproportionate effort.
    Speaker: Giangiacomo Olivi, Partner, DLA Piper, Milan
  • 13. 10. Can we still process personal data on the basis of consent?
    - Yes, but:
      - consent should be freely given, specific, informed and unambiguous;
      - by a statement or clear affirmative action;
      - the controller has the burden of proof.
    - In practice:
      - ticking a box, choosing technical settings, or conduct clearly indicating acceptance of the proposed processing;
      - silence, pre-ticked boxes or inactivity should not constitute consent;
      - contract performance cannot be made conditional on consent if the processing is not necessary.
    Speaker: Patrick van Eecke, Partner, DLA Piper, Brussels
  • 14. 11. Can we still process personal data on the basis of legitimate interests?
    - Yes, with some changes:
      - Obligation to specifically inform data subjects.
      - Data subject entitled to require restriction of processing of his/her data while verifying whether fundamental rights override the legitimate interests.
      - Reasonable expectations of data subjects should be given consideration, such as when a data subject is a client or in the service of the controller.
      - Examples: preventing fraud; ensuring network and information security.
      - Direct marketing purposes may be regarded as carried out for a legitimate interest?
    Speaker: Carol Umhoefer, Partner, DLA Piper, Paris
  • 15. 12. Will data collection from kids become illegal?
    - No: the general principles of lawfulness of processing (Art. 6) shall apply.
    - Processing of personal data of a child below the age of 16 years requires consent (given or authorized) by the parent (or other holder of parental responsibility).
    - Member States can lower the age threshold (but not below 13 years).
    - The controller shall make reasonable efforts to verify that consent is given or authorized by the holder of parental responsibility over the child.
    - Rules to take available technology into consideration and not to affect general contract law.
    Speaker: Giangiacomo Olivi, Partner, DLA Piper, Milan
  • 16. 13. Will individuals get new rights?
    - Yes: several new and expanded rights.
      - Data portability.
      - Restriction of processing.
      - Expanded right of erasure: the Right To Be Forgotten.
      - Rights regarding profiling: using data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
    Speaker: Carol Umhoefer, Partner, DLA Piper, Paris
  • 17. 14. Will we get new types of sensitive data?
    - General rule: prohibition on processing personal data revealing:
      - racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data (in order to uniquely identify a person), or data concerning health or sex life and sexual orientation.
    - But 10 exceptions apply:
      - explicit consent
      - vital interest
      - assessment of the working capacity of the employee
      - public health, …
    - Pay attention! Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or health data.
    Speaker: Patrick van Eecke, Partner, DLA Piper, Brussels
  • 18. 15. Does the Regulation still apply if we de-identify our data?
    - Information that does not relate to an identified or identifiable natural person, or data rendered anonymous in such a way that the data subject is not or no longer identifiable, will not be subject to the Regulation.
    - Data that has undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, is personal data subject to the Regulation.
    - To determine whether a person is identifiable, account should be taken of all the means reasonably likely to be used, looking at all objective factors, such as the costs and amount of time required, the available technology at the time of the processing, and technological developments.
    Speaker: Carol Umhoefer, Partner, DLA Piper, Paris
  • 19. 16. When will we need to conduct a privacy impact assessment?
    - When using new technologies and the processing is likely to result in a risk for the rights and freedoms of individuals. In particular:
      - systematic and extensive evaluation of personal aspects based on automated processing (including profiling), on which decisions are made that significantly affect the individual;
      - large-scale processing of "special categories of data" or criminal data;
      - systematic monitoring of a publicly accessible area on a large scale.
    - A single assessment may address a set of similar processing operations with similar risks.
    - The supervisory authority is to publish a list of operations subject (and not subject) to data protection impact assessment.
    - The assessment is to be reviewed when the risk changes.
    Speaker: Giangiacomo Olivi, Partner, DLA Piper, Milan
  • 20. 17. We've always acted as a processor – what will our liability be? (C = controller, P = processor)
    - Direct claims: a data subject can lodge a complaint directly against a P (administrative as well as judicial).
    - Qualified liability: a P shall be liable for the damage caused by the processing only where it has not complied with obligations of this Regulation specifically directed to Ps, or has acted outside or contrary to the lawful instructions of the C.
    - Burden of proof: a C or P shall be exempted from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
    - Joint and several liability: where more than one C or P is involved in the same processing and they are responsible for any damage caused by the processing, each shall be held liable for the entire damage, in order to ensure effective compensation of the data subject.
    - Liable for sub-processors: where that other P fails to fulfil its data protection obligations, the initial P shall remain fully liable to the C for the performance of that other processor's obligations.
    Speaker: Patrick van Eecke, Partner, DLA Piper, Brussels
  • 21. 18. Is it true the G29 will be dissolved?
    - An independent body of the Union with legal personality, the European Data Protection Board, will be established.
    - It will replace the Article 29 Working Party.
    - Composed of the head of a supervisory authority in each Member State and the European Data Protection Supervisor, or their respective representatives.
    - Contributes to the consistent application of the GDPR.
    - Empowered to issue binding decisions.
    - Decisions subject to action for annulment before the Court of Justice of the European Union.
    Speaker: Carol Umhoefer, Partner, DLA Piper, Paris
  • 22. 19. Will the regulators be issuing guidelines or recommendations?
    - The Commission will be granted implementing powers.
    - Implementing acts:
      - approved codes of conduct;
      - technical standards for certification mechanisms and data protection seals and marks;
      - third country adequacy decisions;
      - format and procedures for the exchange of information between stakeholders for BCRs.
    - Delegated acts:
      - information to be presented by the icons;
      - procedures for providing standardised icons;
      - requirements for the data protection certification mechanisms.
    Speaker: Patrick van Eecke, Partner, DLA Piper, Brussels
  • 23. 20. How far does harmonization really go?
    - Member State law should reconcile rules governing freedom of expression and information with the protection of personal data.
    - Member State law or collective agreements may provide for specific rules on employee personal data processing, for example the conditions under which data can be processed on the basis of employee consent.
    - Member States may adopt specific rules if necessary to reconcile the right to the protection of personal data with an obligation of professional secrecy.
    - Member States may maintain or introduce more specific requirements for processing pursuant to legal obligations under Member State law.
    Speaker: Giangiacomo Olivi, Partner, DLA Piper, Milan
  • 24. Stay Informed
    Subscribe to our Privacy Matters blog for regular updates: http://blogs.dlapiper.com/privacymatters/
    Access our Data Protection Laws of the World Handbook at www.dlapiperdataprotection.com (new edition to be released Q1 2016).
  • 25. QUESTIONS
    dataprivacy@dlapiper.com
    www.dlapiperdataprotection.com

Editor's Notes

  1. PATRICK
  2. PATRICK Dear all, welcome to this first session on the new European Data Protection Regulation. My name is Patrick Van Eecke, I am a partner of DLA Piper in the Brussels office. Thank you for joining us, a few days before Christmas. You are not alone though, you are one of the 490 participants who called in to get a first insight on what would be the impact of these new rules on your business activities. Today, I am joined by my partner of the Paris office, Carol Umhoefer, and my partner of the Milan office, Giangi Olivi. As you know, we have about 150 data protection experts on the ground in different offices of DLA Piper throughout the world available to assist you. As you may have noticed in the meantime, your phones have automatically been put on mute. At the end of the session, we will unmute all the lines so we can sing a Christmas carol together. No, just joking! If you would like to ask a question, please either use the chat function or email us at dataprivacy@dlapiper.com. If we don't have the chance to answer your question, we will contact you after the presentation. NEXT SLIDE PLEASE
  3. PATRICK For those of you who have already taken the time to read the draft Regulation, you will have noted that it contains almost 100 articles and around 130 so-called recitals explaining the articles. The old Directive counts around 30 articles and around 70 recitals. With a piece of legislation that has almost tripled in content, something must have changed indeed. Instead of dissecting the legislation piece by piece, we thought that, for a first exploratory session, it would be a good idea to look at the GDPR from a very practical perspective and cover the most typical questions we get from our clients nowadays. Out of our discussions with clients, we distilled the 20 frequently asked questions and would like to share these with you. Maybe a first question for Carol. What is actually all the fuss about this new Regulation, do we really need to take it that seriously? NEXT SLIDE
  4. CAROL Unless the U.S. adopts a single, general application data protection law, the GDPR is the biggest development in the field of data protection in a generation. It is one law replacing 28 national laws and repealing the Directive once the Regulation takes effect, in Q1 2018. We are entering a period where current laws are still in effect and enforceable, but everyone has an eye on the terms of the Regulation. Even with a single law, there will still be questions of interpretation, although the Regulation sets up mechanisms – like the European Data Protection Board – to promote harmonization and consistency of approach. Repealing the Directive does not mean that the European Commission decisions and authorisations based on the Directive are no longer in effect – those remain in force until amended, replaced or repealed. We are in the early days and we can't know how the Regulation will be interpreted and whether it will serve as a model for other jurisdictions. The Directive has had considerable success, and numerous countries in Asia and Latin America particularly have been inspired by the EU principles when creating their own data protection regimes.
  5. PATRICK Some of you have been asking: are we finally there yet, is this it, or is there more to come? Well, let's take a quick look at the schedule. As you know, last week was very important because the so-called LIBE Committee of the European Parliament, this is the Civil Liberties, Justice and Home Affairs Committee, approved the texts. One day later the permanent representations of the member states, the so-called COREPER, also confirmed their agreement. This means that in the next few weeks, the Council and the EP in plenary will adopt the texts, after a legal and linguistic review of the texts (which is indeed still necessary, because there are still some inconsistencies in the text). Soon after the adoption, the Regulation will be published in the Official Journal and enter into force 20 days after its publication. Does it mean it will come immediately into effect? No. We will have two years after the entry into force to ensure compliance with the rules. They will become applicable two years after the entry into force, so probably early spring 2018. What do we have to do until then? Well, we will still be working with the old rules, whilst adapting our processes and procedures to the new rules. Most DPAs will already take a look at the new rules for interpreting the old legislation, as many of the new rules are one way or another already captured in WP29 guidelines or European case law. So, it will be an interesting two years ahead of us, trying to combine the old rules with the new ones. Is there more legislation to come out that we should expect? Yes, the Regulation refers on different occasions to the use of delegated acts and implementing acts. These are secondary legislative acts, implementing some of the basic principles of the Regulation in more detail. We'll be talking about that later. But Giangi, could you please first tell us to whom this new legislation will be applicable? NEXT SLIDE
  6. GIANGI Processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing itself takes place within the EU. Processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union where the processing activities are related to the offering of goods or services to data subjects in the European Union, irrespective of whether a payment of the data subject is required, or related to the monitoring of the behaviour of such data subjects as far as their behaviour takes place within the EU.
    My company is not in the EU but we collect data from EU consumers – what do I need to do next? Designate a representative that acts on behalf of the controller or processor outside the EU, with regard to the latter's obligations under the GDPR. Designation of such a representative does not affect the responsibility and liability of the controller or processor under the GDPR. "The designated representative should be subjected to enforcement actions in case of non-compliance by the controller."
  7. CAROL In this Regulation, like much else, the devil is in the details. The six principles are largely unchanged: lawful, etc. Similarly, key, foundational definitions (such as personal data, processing, controller …) have not been substantially changed. What is new is a seventh principle: the controller shall be responsible for and shall be able to demonstrate compliance with the principles – the so-called accountability principle. Demonstrating compliance also means demonstrating the effectiveness of measures. There are several examples given in the Whereas of what this means – a true information governance strategy with documentation to prove it. This is a far cry from the Directive. For example: the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Processing will be documented internally; filings with regulators will no longer be required (although authorizations may be required in some cases). More broadly, in respect of accountability we see the risk-based approach that runs through the Regulation: measures should take into account the nature, scope, context and purposes of the processing and the risk for the rights and freedoms of individuals.
  8. GIANGI
  9. PATRICK We know that today there is a lot to do about sending personal data collected in Europe to countries outside of the European Economic Area. We know it is in principle not allowed unless you take into account some very peculiar measures. Many companies would have expected that Europe would get rid of these complex rules, but the opposite is true. The new Regulation confirms the same principles we already know, with a few add-ons and some specific mentioning of the so-called Binding Corporate Rules. So, we will stick with a "white list of countries", identified by the Commission as providing adequate protection; the Commission can also identify territories, or sectors within a country, or an international organisation as adequate. Next to that we will still be able to work with model contracts and BCRs. The Regulation explicitly states that these standard data transfer clauses can be incorporated in a wider contract, or that you can add other clauses or additional safeguards as long as they do not contradict, directly or indirectly, the standard contractual clauses. Also, it is still possible to make use of the so-called derogations, such as consent, performance of the agreement, etc. Interesting is that a new clause has been added regarding "legal disclosure". It says, as you can read, that "Any judgment or administrative decision of a third country requiring a transfer or disclosure of personal data to that country is only allowed if there is an international agreement between those countries, such as a mutual legal assistance treaty." We are of course also all waiting for the next version of Safe Harbor, probably expected for Spring 2016. But that is food for another webinar. NEXT SLIDE
  10. GIANGI the processing is carried out by a public authority or body. A DPO may also represent associations and other bodies representing controllers / processors. No specific rules for the DPO's location.
  11. CAROL Likely very little, at least at first. Compliance programs are principally inward looking, whereas one-stop-shop concerns the external enforcement environment for controllers and processors, that over time will impact your compliance program. First it's important to remember. By definition one-stop-shop is relevant only as concerns interaction with supervisory authorities, and only in relation to cross-border processing. The definition of cross border processing is limited to two situations: first, where processing is carried out the context of activities of a single establishment of the controller or processor but substantially affects data subjects in more than one MS; second, the controller or processor is processing in the context of activities of its establishments in more than one member state, and the controller or processor is established in more than one MS. If that sounds completely redundant to you, you are not alone. But more importantly, this definition throws us back to the definition of establishment that we'd have preferred to leave behind. With respect to its cross-border processing, the controller or processor will deal only with the supervisory authority - called the lead supervisory authority - which is the supervisory authority where the controller or processor has its central administration in the EU, unless an exception applies: for controllers, the lead supervisory authority may alternatively be where decisions are taken as to how and why to process personal data if those decisions are not taken where central administration is located, and for processors, the lead supervisory authority may alternatively be where the main processing activities are conducted.   "Lead" authority means exactly that – there is not a monopoly. 
For example, a supervisory authority other than the lead supervisory authority is competent to handle any complaint or possible violation of the GDPR where the subject matter relates only to an establishment in the Member State of that other supervisory authority, or where the subject matter substantially affects data subjects only in the MS of that other supervisory authority. Although in such a case the lead supervisory authority can still decide in the end to handle the matter, given the territorial limitations on the power of the lead supervisory authority, it will need to cooperate with the other supervisory authority. Another example: current Article 51 of the GDPR states that one-stop-shop does not apply where the legal basis for the processing is compliance with a legal obligation to which the controller is subject. In other words, depending on the MS, a significant amount of employee data processing and health-care data processing should logically be outside the purview of the lead supervisory authority.
12. GIANGI As soon as a controller becomes aware that a personal data breach has occurred, the controller shall notify the breach to the competent supervisory authority without undue delay and, where feasible, no more than 72 hours after having become aware of it, unless the controller is able to demonstrate that the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.
Data breach notification to the supervisory authority to include at least:
 description with (where possible) the categories and approximate number of data subjects (and records) concerned
 contact details of the DPO or other contact point
 description of likely consequences
 measures to be taken (including mitigation)
Data breach communication to the data subjects to be in plain language and to include at least:
 contact details of the DPO or other contact point
 description of likely consequences
 measures to be taken (including mitigation)
13. PATRICK Of course, consent is still going to be a very important legal basis allowing companies to collect and further process personal data. The Regulation says "If the data subject has given consent to the processing of their personal data for one or more specific purposes", so at first sight, that's an easy one. Let's get consent from the individual. But please pay attention, the definition of "consent" has been dramatically changed in the Regulation. Consent should be freely given, specific, informed and unambiguous. Implied consent (e.g., by just staying on a website) will probably not be sufficient; the Regulation states that the consent should be given "by a statement or clear affirmative action", and it will be up to you, the data controller, to prove that proper consent was given. Important to note is that requiring consent from an end user in order to give that person access to a service, where you do not actually need that data to perform the contract, is not allowed. The Regulation says (recital 32) that "Consent should not be regarded as freely-given if the data subject has no genuine and free choice and is unable to refuse or withdraw consent without detriment". NEXT SLIDE
14. CAROL Yes. The principle has not changed, unless you're used to a national law or regulator interpretation that permitted processing on the basis of a legitimate business interest. But what's new is that when processing on the basis of legitimate interests it will be necessary to specifically inform the data subject what those interests are in a notice. And under the Regulation, processing on the basis of legitimate interests will entitle the data subject to request the restriction of processing of his or her data; we'll talk about that in detail in a minute. The Whereas provide interesting comments on legitimate interests, however. For example, one of the Whereas states that when balancing interests against the data subject's fundamental rights and freedoms, the reasonable expectations of data subjects, based on the relationship with the controller, should be taken into consideration, such as when a data subject is a client or in the service of the controller. The Whereas also give examples of legitimate interests:
 Processing personal data strictly necessary for the purposes of preventing fraud constitutes a legitimate interest.
 Processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security constitutes a legitimate interest.
 Controllers that are part of a group of undertakings may have a legitimate interest to transmit personal data within the group for internal administrative purposes.
It is also stated that processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
  15. Giangi
16. CAROL Yes. In addition to the existing rights of access and rectification and to object to processing, which of course will still exist, there will be new rights of data portability and restriction of processing, an expanded right of erasure (the RTBF) and rights regarding profiling. Portability means that the data subject shall have the right to receive personal data concerning him or her in a structured, commonly used and machine-readable format and have the right to transmit the data to another controller whenever the processing is based on consent or on a contract entered into with the data subject. The data subject is also entitled to have the data transmitted directly from one controller to another. Restriction is a new concept meaning that the data subject shall have the right to obtain from the controller the restriction of the personal data processing in several situations, particularly where the accuracy of the data is contested, in which case the restriction remains in place for the period during which the controller verifies the accuracy of the data. Similarly, the data subject has the right to obtain restriction of processing where s/he has objected to processing that is conducted on the basis of legitimate interests, pending verification of whether the controller's interests override the rights of the data subject. The RTBF has been adopted as a requirement on the controller to inform other controllers to erase data (a significant step back from the Parliament's proposal for ensuring erasure, which was unworkable). Specifically, whenever the controller has made personal data public and is required to erase the data, the controller must take reasonable steps to inform controllers that are processing the data that the data subject has requested erasure of any links to, or copy or replication of, that personal data.
And the right, contained in the Directive, not to be subject to a decision based solely on automated processing when the decision either (i) produces legal effects, or (ii) significantly affects the data subject, has been extended to profiling. Profiling is defined as using data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
17. PATRICK Will we get new types of sensitive data? Yes, the old ones remain, such as personal data relating to ethnic origin, but there are a few added, such as genetic data and biometric data. Genetic data is defined as all personal data relating to the genetic characteristics of an individual that have been inherited or acquired, which give unique information about the physiology or the health of that individual, resulting in particular from an analysis of a biological sample from the individual in question. "Biometric data" is defined as any personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual which allows or confirms the unique identification of that individual, such as facial images, or dactyloscopic data. Only when these biometric data are being used to "uniquely identify a person" is their processing prohibited. Their processing is forbidden unless exceptions apply. There are about 10 possible ways enumerated in the Regulation. It is very often being discussed to what extent de-identifying these data would get you out of scope of the legislation. Carol, would that be possible under the new Regulation? NEXT SLIDE
18. Carol (anonymisation/pseudonymisation) The Regulation does not fundamentally alter the status quo: irrevocably anonymized data, that is, information that does not relate to an identified or identifiable natural person, or data rendered anonymous in such a way that the data subject is not or no longer identifiable, is not subject to data protection law and therefore not to the Regulation. Data that has undergone pseudonymization, that is, data that could be attributed to a natural person by the use of additional information, is personal data. But the Whereas to the Regulation state that application of pseudonymization to personal data can reduce the risks for the data subjects concerned and help controllers and processors meet their obligations. Moreover, to encourage pseudonymization, the Regulation's Whereas state that pseudonymization is possible within the same controller if measures are taken to ensure that the additional information that would permit attributing information to a specific data subject is kept separately. We can still hope for changes to supervisory authorities' approaches with the consistency mechanism introduced by the Regulation. For example, some supervisory authorities have had very broad conceptions of when a person is identifiable. Whereas 23 specifically repeats the Whereas of the Directive, which states that to determine whether a person is identifiable, account should be taken of all the means reasonably likely to be used. Some supervisory authorities have not followed this approach. The new Whereas expounds on the Directive by adding that when determining if identification is reasonably likely, one should be looking at all objective factors, such as the costs of and the amount of time required for identification, taking into consideration available technology at the time of the processing and technological development.
19. GIANGI Data protection impact assessment to be made where a type of processing using new technologies is likely to result in a risk for the rights and freedoms of individuals. In particular:
 systematic and extensive evaluation of personal aspects based on automated processing (including profiling) and on which decisions are made, significantly affecting the individual
 large scale processing of "special categories of data" or criminal data
 systematic monitoring of a publicly accessible area on a large scale
A single assessment may address a set of similar processing operations with similar risks. Supervisory authority to publish a list of operations subject (and not subject) to data protection impact assessment. Coordination with the European Data Protection Board / consistency mechanism.
Assessment to contain at least:
 a systematic description of the envisaged processing operations and the purpose of the processing
 an assessment of the necessity and proportionality of the processing operations in relation to the purposes
 an assessment of the risk to the rights and freedoms of data subjects
 measures to be taken (including mitigation)
Compliance with an approved code of conduct shall be taken into account. Assessment to be reviewed when the risk changes.
20. PATRICK As you know, both the current and future data protection legislation makes a distinction between Data Controllers and Data Processors. The Data Controller is the one who decides upon the purposes and the means, and the Data Processor is the one who acts on behalf of the Data Controller. The definitions and the roles have actually not changed. However, an important change appears now when it comes to liability of the data processor. Until now, data processors have always been able to shield themselves from direct liability towards the data subject, but as the policy makers believe data processors have been playing a much more active role in data processing, they decided to set up a separate liability regime for data processors. As a data processor, you should be aware of the following rules which we have put on this slide.
 Direct claims: Important to know is that a data subject can lodge a complaint directly against a Processor (administrative as well as judicial).
 Qualified liability: So, a Processor shall be DIRECTLY liable for the damage caused by the processing to a data subject, BUT only where it has not complied with obligations of this Regulation specifically directed to Processors or has acted outside or contrary to lawful instructions of the Controller.
 Burden of proof: As a processor, you will be exempted from liability only if you can prove that you are not in any way responsible for the event giving rise to the damage.
 Joint and several liability: Where more than one Controller or Processor is involved in the same processing and they are responsible for any damage caused by the processing, each shall be held liable for the entire damage. The reason for this rule is that the regulator wanted to ensure the data subject would be effectively compensated.
 Liable for sub-processors: Where that other Processor fails to fulfil its data protection obligations, the initial Processor shall remain fully liable to the Controller for the performance of that other processor's obligations.
Also good to know is that "if a processor in breach of this Regulation determines the purposes and means of data processing, the processor shall be considered to be a controller in respect of that processing." The data controller will of course also have additional, more specific obligations, such as the need to implement appropriate technical and organisational measures to meet the requirements of the Regulation. Before, the Directive only referred to such measures in the framework of information security. Other new principles that are being introduced are the principles of "privacy by design" and "privacy by default". There are also specific rules for joint controllers. NEXT SLIDE
21. CAROL The Working Party on the Protection of Individuals with regard to the Processing of Personal Data, more commonly the Article 29 Working Party or simply G29, was created by the Directive. The logical consequence of the repeal of the Directive is that the G29 will cease to exist. In any case, in the Whereas it is stated that the European Data Protection Board should replace the G29. While the composition of the European Data Protection Board will be essentially the same, it will no longer be purely advisory. The Board will be able to issue binding decisions, particularly in the event of a dispute between a lead supervisory authority and another supervisory authority, or if a supervisory authority unilaterally takes action where it is required to consult the Board. For example, if a SA issues requirements for conducting a privacy impact assessment, or approves standard data protection clauses, despite not having sought the opinion of the European Data Protection Board. Decisions of the Board will be subject to action for annulment before the Court of Justice.
22. PATRICK The examination procedure is used by the Commission to adopt implementing acts and delegated acts.
Delegated acts: The Commission shall be empowered to adopt delegated acts for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons. The Commission shall be empowered to adopt delegated acts in accordance with Article 86, for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred
Implementing acts: The Commission may adopt implementing acts for deciding that the approved codes of conduct and amendments or extensions to existing approved codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. The Commission may lay down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. Also: third country adequacy decisions; the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules. NEXT SLIDE
  23. GIANGI
  24. CAROL Data Protection Handbook with 77 countries covered and a new edition to be released in Q1 2016. With an additional 15 jurisdictions, to bring the total to over 90. We encourage you to visit our blog and sign up to receive an email whenever news is posted. General Data Protection Regulation mini-site to be launched in early 2016. This can be accessed by visiting www.dlapiper.com and searching for General Data Protection Regulation.
25. GIANGI If time… Questions. We now welcome your questions. As the lines are muted, we would like to ask you to pose your question using the chat function. If we don't have the chance to answer your question we will contact you after the presentation.
26. Patrick Other issues not covered:
 profiling & automated decision making
 data protection impact assessment
 codes of conduct & certification
That brings us to a close. Thank you very much for joining us. Well, we truly hope you enjoyed our session and that we have been able to give you some good tips on what should happen next. Please stay tuned for any updates that we post on our blog "DLA Piper Privacy Matters" and of course our Global Handbook of Data Protection Laws of the World. So stay tuned, have a great afternoon or a wonderful evening, and do not hesitate to get in touch with us on any matters we can assist you with. Thank you all.