Impact on e-commerce of the GDPR- Etrade Summit 2016

Sirius Legal
eTrade Summit
27 September 2016

2016’s Marketing buzz…
eTrade Summit
27 September 2016

New “Privacy Law” coming your way…
General Data Protection Regulation 2016/679 (GDPR/AVGB)
Regulation instead of Directive – 1 law for 28 states
Agreement reached last December 2015
Enters into force on 1 May 2018 (without grace period!)
New rules are MUCH stricter than current law and impact EVERYONE present
here today
eTrade Summit
27 September 2016

General Data Protection Regulation
Heavily influenced by consumer protection activists in EP
Result:
Consumer friendly, but serious restraints for direct marketing sector, e-
commerce sector and especially personalisation, profiling, real time
marketing and (big) data processing
Applicable on ALL data processing, except personal (private) contact lists (e.g.
private Outlook account)
eTrade Summit
27 September 2016

Don’t be this guy, be prepared…
eTrade Summit
27 September 2016
All e-commerce and online marketing run on personal data
GDPR applies to ALL databases (marketing, sales, HR, purchasing, accounting, …)
In the words of the European Commission: “data has become a currency” (cfr. Draft Directive
2015/0287 on digital content delivery contracts)
Fines up to 4% of annual turnover or 20 mio euro

Security & internal processes
1. Working with subcontractors that process data
Obligation to work only with subcontractors that guarantee sufficient data security
Obligation to have written contracts wth all subcontractors
List of mandatory clauses in such contracts
= Need to audit/map all existing subcontracting/service contracts
eTrade Summit
27 September 2016

2. Record of processing activities
Obligation to maintain a “record of processing activities”
Holding ID of processor, processed data, categories, transfers, time limits, security
measures
In writing at the seat of your company
eTrade Summit
27 September 2016

3. Data security measures
“Processor shall implement appropriate technical and organizational measures, to
ensure an appropriate level of security”
Pseudonymisation where possible, confidentiality, security, back ups in place,
security testing protocols, …
= Need to audit/map data within company
eTrade Summit
27 September 2016

4. Data Protection Impact Assessment
If possible high impact on data subject privacy rights
Obligation to run prior (documented) impact assessment
Advice of DPO required if DPO is present in the organization
Should be used as basis to ensure adequate security levels
Privacy Commission to specify when DPIA is required
If DPIA shows high risk: obtain Prior Assessment from Privacy Commission
eTrade Summit
27 September 2016

5. Data breach notification
Obligation to notify any data security breach to the Privacy Commission
Asap or at least within 72 hours
Nature of breach, possible consequences, measures taken, etc… (= obligation to
document data breach)
= Need to have data breach procedure in place
If possible consequences for data subjects: obligation to notify them in person!
eTrade Summit
27 September 2016

5. Data Protection Officer
If core activity of processor
Requires large scale data monitoring
Consists of large scale data monitoring
Series of requirements and conditions
Details to be specified
Inform & advise, monitor compliance, SPOC for authorities
eTrade Summit
27 September 2016

Information obligations & rights of data subjects
1. Lawfulness of processing (“on which grounds can I proces data?”) (art. 6
GDPR)
Prior opt-in remains the basic rule (+ proof required)
“Processing is required for the execution of a contract”
“Legitimate grounds”
DM “may be considered” legitimate, but “Personal data should be processed
only if the purpose of the processing could not reasonably be fulfilled by other
means”
If existing client relationship: OK, otherwise not so evidently OK
eTrade Summit
27 September 2016

2. Processing of data belonging to minor (-13 Y/O, -16 Y/O) (art. 8 GDPR)
Always requires explicit authorisation by parents!
“Reasonable efforts” to check age and obtain authorisation
eID?, Facebook login?, credit card data?, live chat, …?
eTrade Summit
27 September 2016

3. Information obligations
Obligation to notify data subject of the fact that his data is being / has been
collected (or transferred) without his explicit consent (art. 14 GDPR)
Within 30 days or upon first contact
= Data obtained from data brokers, partner organisations, online collection…
eTrade Summit
27 September 2016

3. Information obligations (art. 14 GDPR)
Obligation falls if
Data subject already knows
or
Information provision requires disproportionate effort
(= open door to creativity…)
eTrade Summit
27 September 2016

4. Right not to be submitted to profiling (art. 21 GDPR)
If the person has a legitimate interest to do so, he has a right to object against
Processing/profiling based on
public interest / official authority
or
legitimate interest
Objection against processing/profiling for direct marketing purposes is always
possible
eTrade Summit
27 September 2016

5. Right to object to automatic decision taking (art. 22 GDPR)
Right
Not to be subject to a decision (or profiling) – Exceptions (e.g. contracts)
Producing legal effects / significantly affects
Solely based on automated processing of data
Intended to evaluate certain personal aspects
Examples
Performance of work, creditworthiness reliability and conduct
Also applies to DM “decisions” (e.g. send offer or not)
eTrade Summit
27 September 2016

6. Right to be forgotten (art. 17)
Upon request by data subject, processor has to take all reasonable measures to
permantently delete data
+ to ensure that third parties that have copies of or links to data are warned of
the request and are asked to do the same
eTrade Summit
27 September 2016

7. “Pseudonymous data”
8. “Privacy by design”
9. “privacy by default” (cfr. recent Telenet “personalized advertising…”)
10. …
eTrade Summit
27 September 2016

Helping hand
Code of Conduct
= “ethical code” of associations
Contain rules on how to handle data for their members
Can be approved by authorities
Association has to provide control/supervision
Advantage: once approved can create presumption of compliance with series of
obligations for association members
SafeShops is currently investigating possibility to draft code and apply for approval
eTrade Summit
27 September 2016

Be prepared…
Follow up on discussion (e.g. through our website www.siriuslegal.be)
Start audit om data use within your organisation
Start review vendor contracts (in view of data security obligation)
Start to prepare for full update of policies, contracts, business processes
Put in place data breach notification procedure
Appoint (temporary) data security officer
Put in place impact assessment and/or risk analyses policy
Create compliance statements for annual business reports
Train staff
Sit back and wait for final text of regulation for final details…
eTrade Summit
27 September 2016

Be prepared…
Those who are not prepared face trouble…
Provisions of highest importance (cfr. profiling = high risk processing)
Fines up to 20 million euro
Fines up to 4% of worldwide annual turnover (for undertakings)
Reform of Privacy Commission will lead to actual enforcement…
+ Remedies for data subject
eTrade Summit
27 September 2016

Sirius Legal
Media & advertisement law
IP law
Internet & e-commerce
Privacy & cookies
Gambling law
Travel & consumer protection
Commercial contracts
Corporate tax labour real estate
bart@siriuslegal.be
www.siriuslegal.be
@BartVdBrande
Linkedin.com/in/bartvdb

Impact on e-commerce of the GDPR- Etrade Summit 2016

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (13)

Similar to Impact on e-commerce of the GDPR- Etrade Summit 2016

Similar to Impact on e-commerce of the GDPR- Etrade Summit 2016 (20)

More from Bart Van Den Brande

More from Bart Van Den Brande (20)

Recently uploaded

Recently uploaded (20)

Impact on e-commerce of the GDPR- Etrade Summit 2016