3. New “Privacy Law” coming your way…
General Data Protection Regulation 2016/679 (GDPR/AVGB)
Regulation instead of Directive – 1 law for 28 states
Agreement reached last December 2015
Enters into force on 1 May 2018 (without grace period!)
New rules are MUCH stricter than current law and impact EVERYONE present
here today
eTrade Summit
27 September 2016
4. General Data Protection Regulation
Heavily influenced by consumer protection activists in EP
Result:
Consumer friendly, but serious restraints for the direct marketing sector, e-commerce sector and especially personalisation, profiling, real-time marketing and (big) data processing
Applicable to ALL data processing, except personal (private) contact lists (e.g. a private Outlook account)
5. Don’t be this guy, be prepared…
All e-commerce and online marketing run on personal data
GDPR applies to ALL databases (marketing, sales, HR, purchasing, accounting, …)
In the words of the European Commission: “data has become a currency” (cfr. Draft Directive 2015/0287 on digital content delivery contracts)
Fines up to 4% of annual turnover or 20 million euro
6. Security & internal processes
1. Working with subcontractors that process data
Obligation to work only with subcontractors that guarantee sufficient data security
Obligation to have written contracts with all subcontractors
List of mandatory clauses in such contracts
= Need to audit/map all existing subcontracting/service contracts
7. Security & internal processes
2. Record of processing activities
Obligation to maintain a “record of processing activities”
Holding ID of processor, processed data, categories, transfers, time limits, security measures
In writing at the seat of your company
8. Security & internal processes
3. Data security measures
“Processor shall implement appropriate technical and organizational measures, to ensure an appropriate level of security”
Pseudonymisation where possible, confidentiality, security, back ups in place, security testing protocols, …
= Need to audit/map data within company
9. Security & internal processes
4. Data Protection Impact Assessment
If possible high impact on data subject privacy rights
Obligation to run prior (documented) impact assessment
Advice of DPO required if DPO is present in the organization
Should be used as basis to ensure adequate security levels
Privacy Commission to specify when DPIA is required
If DPIA shows high risk: obtain Prior Assessment from Privacy Commission
10. Security & internal processes
5. Data breach notification
Obligation to notify any data security breach to the Privacy Commission
As soon as possible, or at least within 72 hours
Nature of breach, possible consequences, measures taken, etc… (= obligation to document data breach)
= Need to have data breach procedure in place
If possible consequences for data subjects: obligation to notify them in person!
11. Security & internal processes
6. Data Protection Officer
If core activity of processor
Requires large scale data monitoring
Consists of large scale data monitoring
Series of requirements and conditions
Details to be specified
Inform & advise, monitor compliance, SPOC for authorities
12. Information obligations & rights of data subjects
1. Lawfulness of processing (“on which grounds can I process data?”) (art. 6 GDPR)
Prior opt-in remains the basic rule (+ proof required)
“Processing is required for the execution of a contract”
“Legitimate grounds”
DM “may be considered” legitimate, but “Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means”
If existing client relationship: OK, otherwise not so evidently OK
13. Information obligations & rights of data subjects
2. Processing of data belonging to minors (under 13 / under 16 years old) (art. 8 GDPR)
Always requires explicit authorisation by parents!
“Reasonable efforts” to check age and obtain authorisation
eID?, Facebook login?, credit card data?, live chat, …?
14. Information obligations & rights of data subjects
3. Information obligations
Obligation to notify data subject of the fact that his data is being / has been collected (or transferred) without his explicit consent (art. 14 GDPR)
Within 30 days or upon first contact
= Data obtained from data brokers, partner organisations, online collection…
15. Information obligations & rights of data subjects
3. Information obligations (art. 14 GDPR)
Obligation falls if
Data subject already knows
or
Information provision requires disproportionate effort
(= open door to creativity…)
16. Information obligations & rights of data subjects
4. Right not to be submitted to profiling (art. 21 GDPR)
If the person has a legitimate interest to do so, he has a right to object against processing/profiling based on
public interest / official authority
or
legitimate interest
Objection against processing/profiling for direct marketing purposes is always possible
17. Information obligations & rights of data subjects
5. Right to object to automatic decision taking (art. 22 GDPR)
Right
Not to be subject to a decision (or profiling) – Exceptions (e.g. contracts)
Producing legal effects / significantly affects
Solely based on automated processing of data
Intended to evaluate certain personal aspects
Examples
Performance of work, creditworthiness, reliability and conduct
Also applies to DM “decisions” (e.g. send offer or not)
18. Information obligations & rights of data subjects
6. Right to be forgotten (art. 17)
Upon request by data subject, processor has to take all reasonable measures to permanently delete data
+ to ensure that third parties that have copies of or links to data are warned of the request and are asked to do the same
19. Information obligations & rights of data subjects
7. “Pseudonymous data”
8. “Privacy by design”
9. “privacy by default” (cfr. recent Telenet “personalized advertising…”)
10. …
20. Helping hand
Code of Conduct
= “ethical code” of associations
Contain rules on how to handle data for their members
Can be approved by authorities
Association has to provide control/supervision
Advantage: once approved, can create presumption of compliance with a series of obligations for association members
SafeShops is currently investigating the possibility to draft a code and apply for approval
21. Be prepared…
Follow up on discussion (e.g. through our website www.siriuslegal.be)
Start audit on data use within your organisation
Start review of vendor contracts (in view of data security obligation)
Start to prepare for full update of policies, contracts, business processes
Put in place data breach notification procedure
Appoint (temporary) data security officer
Put in place impact assessment and/or risk analyses policy
Create compliance statements for annual business reports
Train staff
Sit back and wait for final text of regulation for final details…
22. Be prepared…
Those who are not prepared face trouble…
Provisions of highest importance (cfr. profiling = high risk processing)
Fines up to 20 million euro
Fines up to 4% of worldwide annual turnover (for undertakings)
Reform of Privacy Commission will lead to actual enforcement…
+ Remedies for data subject
23. Sirius Legal
Media & advertisement law
IP law
Internet & e-commerce
Privacy & cookies
Gambling law
Travel & consumer protection
Commercial contracts
Corporate, tax, labour, real estate
bart@siriuslegal.be
www.siriuslegal.be
@BartVdBrande
Linkedin.com/in/bartvdb