On 25 May 2018, the European General Data Protection Regulation (GDPR) came into effect. All organizations processing personal data need to comply with the GDPR. The GDPR of course applies to companies in the European Union, but also to companies outside the European Union that process personal data of European Union citizens, regardless of where in the world the company is based.
What’s new or strengthened under the GDPR?
- The GDPR is based upon a risk-based approach. The risks inherent in the processing should be assessed, and safeguards and security measures should subsequently be implemented to mitigate such risks, taking into account the state of the art and the costs of implementation in relation to the risks, the nature of the personal data and the purpose of the processing activities.
- The GDPR includes a more detailed and clear definition of personal data (such as IP addresses and other personal identifiers).
- The GDPR imposes (direct) obligations on processors (such as security measures and notification of data breaches), with the corresponding legal liability.
- The GDPR strengthens and increases the rights of data subjects and gives them more control over their personal data:
- Right to be informed. The existing obligation for the controller to draw up a privacy statement and make it easily available to the relevant data subjects has been expanded under the GDPR. The GDPR lists the information that has to be provided to data subjects. This has to be in clear and plain language and in a concise, transparent, intelligible and easily accessible manner (free of charge).
- Right not to be subject to a decision based solely on automated processing – including profiling – which produces legal consequences or a significant impact for the data subject. The data subject has the right to human intervention, to express their point of view, to receive a reasoned decision and to challenge such a decision. These rights do not apply to fully automated decisions which:
  - are necessary for entering into a contract to which the data subject is party, or necessary for the performance thereof;
  - are based upon a legal ground (such as fraud prevention);
  - are based upon the explicit consent of the data subject.
- Right to be forgotten/right to erasure, which applies where:
  - the personal data is no longer necessary;
  - consent is withdrawn;
  - the data subject objects to the processing and there is no overriding legitimate interest for continuing the processing;
  - erasure is required in order to comply with a legal obligation;
  - the personal data is otherwise unlawfully processed.
  The right to erasure is no longer limited to processing that causes unwarranted and substantial damage or distress. A refusal to comply with a request for erasure can be based upon the following grounds: exercising the right of freedom of expression and information, scientific research, historical research or statistical purposes, or exercising or defending against a legal claim.
- Right to object (online). The processing must be stopped unless (a) the controller can demonstrate a legitimate ground for the processing that overrides the interests and rights of the data subject, or (b) the processing is needed to exercise or defend against a legal claim. In the case of direct marketing, this right, which is free of charge, should be explicitly and clearly brought to the attention of the data subject separately from any other information, and the processing has to be stopped upon receiving the objection.
- Right to restriction of processing.
- Specific rights for children.
- Right to be timely informed regarding data breaches.
- Right to data portability: the right to transmit or receive personal data, free of charge, in a structured (enabling the data subject to extract specific elements of the data), commonly used, machine-readable and interoperable format. This right is limited to personal data provided by the data subject, to processing based upon consent or on the performance of a contract, and to processing carried out by automated means. Interoperable formats are encouraged, but there is no obligation to adopt interoperable systems. The right to data portability does not imply a right to erasure to the extent such data is necessary for the performance of such contract.
- Right of access to personal data. The GDPR recommends as best practice to provide data subjects with remote access to their personal data through a secure system, granted at reasonable intervals. This right should not adversely affect the rights and freedoms of others.
- Under the GDPR extensive, transparent, clear and easily accessible information regarding the processing of personal data should be provided to the relevant data subjects.
- Consent as a ground for processing should be informed, clear, easy to retract, freely given, given for each distinct purpose (and cover all processing activities), active (not ‘obtained’ through inaction), specific, unambiguous and verifiable. The data subject has stronger rights in the event consent is relied upon as the ground for processing (e.g. the right to withdraw consent). Consent will not need to be refreshed if it has been obtained in the manner required under the GDPR.
- Pseudonymisation and encryption of personal data are encouraged. Pseudonymisation should be possible within the same controller, provided that the controller has taken adequate security measures to ensure that the additional information for attributing the personal data to a data subject is stored separately from the pseudonymised data.
- Under the GDPR there is a data breach notification obligation for the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, personal data. The Data Protection Authority should be notified within 72 hours from discovery.
- Data protection by design (integrate safeguards and modalities to facilitate the exercise of data subject’s rights, conducting privacy impact assessments) and by default (limited based on necessity regarding amount, extent, retention period and accessibility) is encouraged.
- The GDPR strengthens the principles of data protection, such as:
  - data minimization: personal data must be adequate, relevant and limited to what is necessary for the respective purpose, and the retention period should be limited to the strict minimum;
  - transparency: concise, easily accessible and easy to understand information for data subjects regarding the type of personal data to be processed, the reasons for processing their personal data and the period of processing; the use of visual icons is encouraged;
  and adds a new principle:
  - accountability: the obligation of organizations to demonstrate – through internal governance processes – their compliance with the applicable laws and regulations regarding the protection of personal data, including applicable codes of conduct within the sector, and to demonstrate which decisions have been reached, how, and which relevant factors have been taken into account. Each controller shall maintain a record of the processing activities under its responsibility.
- Under the GDPR the processor should provide sufficient guarantees that appropriate technical and organizational measures will be implemented to ensure the rights of the data subject and compliance with the GDPR. The processor agreement sets out the processing activities and the duration of the processing, the nature and purpose of the processing, the (categories of) personal data and (categories of) data subjects, and the obligations of the processor. The processor agreement shall stipulate that the processor:
  - shall process the personal data only under written instructions from the controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which the processor is subject;
  - ensures that its personnel authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  - implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
  - respects the conditions for engaging another processor. The processor shall not engage another processor without the prior specific or general written authorization of the controller. In the event of general written authorization, the processor shall inform the controller of any intended changes concerning the addition or replacement of (sub-)processors, thereby giving the controller the opportunity to object to such changes (new under the GDPR). Besides, the same data protection obligations as set out in the processor agreement between the controller and the processor shall have to be imposed on any (sub-)processor engaged by the initial processor by means of a processor agreement. Where that other (sub-)processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations;
  - taking into account the nature of the processing, assists the controller with its obligation to respond to requests for exercising the data subject’s rights;
  - assists the controller in ensuring compliance with the obligations regarding the security of processing and prior consultation, taking into account the nature of the processing and the information available to the processor;
  - at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
  - makes available to the controller all information necessary to demonstrate compliance with its obligations and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller. The processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
- Under the GDPR there is an obligation to perform a Privacy Impact Assessment (“PIA”) in some specific instances (such as systematic processing of sensitive data and tracking the behavior of data subjects or other high risk processing operations). A PIA should contain a description of the (categories of) processing activities and the purposes thereof, assessment of the necessity and proportionality of such processing activities, an assessment of the risks involved regarding the data subjects and the implemented measures to mitigate such risks.
- Under the GDPR there is an obligation to appoint an (internal or external) Data Protection Officer (“DPO”) in some specific instances (such as systematic processing of sensitive data, large scale behavior tracking or other large scale systematic monitoring of data subjects, and organizations with more than 250 employees). The DPO must have specific knowledge of the relevant data protection laws and regulations and monitors compliance with the GDPR, the laws and regulations of the respective Member State(s) and company policies. A single DPO may be appointed for a group of companies. A DPO reports to the board, must be able to operate independently, may not be dismissed or penalized for performing his/her task as DPO and is provided with adequate resources to perform that task in compliance with the GDPR.
- The supervisory authority of the Member State in which the organization has its main establishment will be the leading supervisory authority.
- Under the GDPR the material and territorial scope is broadened. Processing of personal data is subject to the GDPR if:
  - the data controller and/or processor is established within the EU and personal data is processed in the context of the activities of such establishment; or
  - the processing of personal data is related to the offering of goods and/or services (against payment or for free) to EU citizen(s); and/or
  - the behavior of data subjects is monitored within the EU.
- Under the GDPR profiling and automated decisions are further restricted. The data subject should be informed of the envisaged profiling and the consequences of such profiling and, if the profiling is done by means of automated personal data processing, of the logic involved.
- Public authorities may no longer rely on legitimate interest as processing ground. The GDPR imposes the obligation to inform relevant data subjects regarding the reliance upon this ground. Examples of possible legitimate interests are: direct marketing, fraud prevention, ensuring network and information security and transfer within a group of undertakings for internal administrative purposes. An important factor to be weighed is the reasonable expectation of the data subject regarding the further processing of their personal data.
- The GDPR strengthens the enforcement powers of the Data Protection Authority and increases administrative fines. The Data Protection Authority is entitled to impose fines of up to 2 – 4% of the global turnover of a company.
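As an added illustration of the pseudonymisation bullet above (example code written for this page, not part of the bulletin), the following Python splits constructed customer records into a pseudonymised working dataset and a separately stored re-identification table; the record fields, the key handling and the storage locations are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real data): the e-mail address is the
# direct identifier we want to keep out of the working dataset.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "purchases": 3},
    {"email": "bob@example.com", "purchases": 1},
    {"email": "alice@example.com", "purchases": 2},
]


def pseudonymise(identifier: str, key: bytes) -> str:
    """Derive a stable pseudonym from an identifier with HMAC-SHA256.

    A keyed hash is used rather than a plain hash: identifiers such as
    e-mail addresses come from a small, guessable space, so a plain hash
    would not prevent attribution. With the key held elsewhere, the
    pseudonym alone does not allow attribution to a data subject.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def split_dataset(records: list, key: bytes) -> tuple:
    """Split records into a pseudonymised working set and a lookup table.

    The working set keeps only the pseudonym, so records of the same
    person can still be linked for analysis. The lookup table (plus the
    key) is the "additional information" the bulletin says must be stored
    separately, e.g. in another system under stricter access control.
    """
    working, lookup = [], {}
    for rec in records:
        pid = pseudonymise(rec["email"], key)
        lookup[pid] = rec["email"]
        working.append({"subject": pid, "purchases": rec["purchases"]})
    return working, lookup


def reidentify(pseudonym: str, lookup: dict) -> str:
    """Attribute a pseudonym back to its identifier; needs the separate table."""
    return lookup[pseudonym]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and kept with the lookup table
    working, lookup = split_dataset(SAMPLE_RECORDS, key)
    assert all("email" not in rec for rec in working)
    print(working[0]["subject"][:16], "->", reidentify(working[0]["subject"], lookup))
```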
On behalf of Privacy team Cordemeyer & Slager Advocaten
Bob Cordemeyer, Evelien van den Berg