© Copyright 2016 by K&L Gates LLP. All rights reserved.
The new General Data Protection Regulation Global impact, more duties, higher sanctions
May 24, 2017
Index
klgates.com 2
GDPR – place in legal order
Wide definition of personal data, territorial scope, ONE STOP SHOP
Consent, rights of people whose data is processed
Basic principles of data processing, controller – new duties
Processor. Personal data breach. Data Protection Officer
Privacy by design, privacy by default. Privacy Impact Assessment (PIA)
Responsibilities, penalties
Privacy shield US-EU and directive
Recommendations
GDPR*
It happened!
Published in May 2016, these rules governing data protection will enter into force on May 25, 2018
*GDPR: General Data Protection Regulation 2016/579 adopted on April 27, 2016 http://eur-lex.europa.eu/eli/reg/2016/679/oj
GDPR – PLACE IN LEGAL ORDER
GDPR is a Regulation – one for all EU countries
Direct application – no need of implementation into national law
It requires revising national statutory laws as well as the “ePrivacy” Directive 2002/58: a draft “ePrivacy” Regulation was published on January 10, 2017
WIDE DEFINITION OF PERSONAL DATA
Personal data of a natural person who is identified or who can be identified, by the controller or by any third party, directly or indirectly, in particular on the basis of identifiers such as:
name and surname, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
WIDE DEFINITION OF PERSONAL DATA
• PSEUDONYMOUS DATA
• PROFILING
• GENETIC DATA
• BIOMETRIC DATA
• DATA CONCERNING HEALTH
New definitions!
TERRITORIAL SCOPE
GDPR applies when the controller or processor is:
• established in the EU,
• not established in the EU, but offering goods or services to data subjects in the EU,
• not established in the EU, but monitoring the behaviour of data subjects in the EU.
“ONE STOP SHOP”
Cross-border data processing
Lead supervisory authority
PRINCIPLES OF PERSONAL DATA PROCESSING
Accountability – key principles
Lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality.
REINFORCEMENT OF RIGHTS OF PEOPLE WHOSE DATA IS PROCESSED
when required, consent is explicit, informed and freely given
enhanced rights of access to data and of objection to the processing of personal data
“right to be forgotten” (right to erasure)
“right to data portability”
new principles regarding profiling
CONDITIONS FOR CONSENT
must be freely given, specific, informed, unambiguous
can be withdrawn at any time
if the data is processed for various purposes, the consent must encompass each of them
CONDITIONS FOR CONSENT
wording of the consent must be clear, simple and easily understandable
The burden of proof rests with the controller
Consent is given by a statement or by clear affirmative action
CONSENT OF CHILDREN
In relation to the offering of information society services directly to a child:
• >16 years: processing is lawful,
• <16 years: processing is lawful only if and to the extent that consent is given or authorised by the child’s parent or custodian.
BUT: EU Member States can select a lower age limit (at least 13 years). The controller shall make reasonable efforts to verify whether the child’s parent or custodian gave or authorised consent.
BASICS OF DATA PROCESSING
Consent (in one or more specified purposes)
Performance of a contract, or steps taken at the request of the person whose data is processed
Fulfilment of a legal duty resting upon the controller
Protection of the vital interests of the person whose data is processed or of another natural person
BASICS OF DATA PROCESSING
Performance of the task carried out in the public interest or in the exercise of official authority vested in the controller
Legitimate interests pursued by the controller or by a third party
CARROT AND STICK APPROACH
Guidelines regarding safety standards, e.g. using pseudonymised or encrypted data
Harsher duties in the field of data security. The processor is also obliged to guarantee data safety.
CONTROLLER AND PROCESSOR
Controller
Natural person, legal person, other
Establishes the purposes and means of data processing
Novelty: joint controllers
Processor
Natural person, legal person, other
Processes data on behalf of the controller
Contract to entrust processing
CONTROLLER – DUTIES
Providing technical and organizational means, policies concerning data protection, conducting a PIA, Data Protection Officer
Guaranteeing the rights of data subjects – documentation (including notification), deletion, portability
Duties towards the regulatory body, including reporting breaches and consultations prior to processing
CONTROLLER
May demonstrate compliance with GDPR by referring to codes of conduct and certifications approved by the regulatory body
Applying codes or certifications does not exclude responsibility
Documentation of data processing – records
PROCESSOR
Technical and organizational means
Documentation of data processing
Reporting breaches to controller
Appointment of a Data Protection Officer
More detailed contract for entrusting data processing
Entrusting data to third parties subject to the controller’s prior approval
HOW TO PROVE COMPLIANCE?
Approved code of conduct
Approved certification
Both controllers and processors
BREACH OF PERSONAL DATA PROTECTION
Wide definition of breach
Reporting duty – exception when there is no risk to the rights and freedoms of individuals
Processor should inform the controller
Controller – if the risk is high – should inform the data subjects
72 hours to inform the local regulatory body where the controller is established
DATA PROTECTION OFFICER – RIGHTS AND DUTIES
Rights
Independence
Protection against dismissal
Professional qualifications
Duties
Informing and training
Supervision
Cooperation with regulatory body
MANDATORY DATA PROTECTION OFFICER
Public authorities (apart from courts in the scope of judicial power)
Whenever there is regular and systematic monitoring of data subjects on a large scale
Whenever large-scale processing of data is the core business activity
A group may have one Data Protection Officer
PRIVACY BY DESIGN
Taking privacy into account when designing a product
Solutions protecting privacy:
- prior to data processing
- throughout the entire product life cycle
It is aimed at compliance with data processing rules, e.g. data minimization, using pseudonyms
PRIVACY BY DEFAULT
Defaults should protect users’ privacy
Only necessary data is processed automatically
Privacy should be protected even if no affirmative action is taken by the user
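The deck states the principles (pseudonymised data as a recognised safety standard, privacy by default, data minimization) without showing what they look like in a system. The following Python sketch is an added example, not code from the deck or from K&L Gates: an intake function that keeps only the fields needed for the service unless the data subject opts in, a weak "store everything" variant for contrast, and a keyed pseudonymisation step (HMAC-SHA256) for a secondary-use copy of the record. The field names, the constructed sample record and the way the key is generated are assumptions made for illustration.

```python
"""Added example: privacy by default plus keyed pseudonymisation.
Field names, the sample record and the key handling are assumptions made for
illustration; they are not taken from the deck or from any regulator's guidance."""
import hashlib
import hmac
import secrets

# Constructed sample intake: what a sign-up form might send, including a field
# the service never asked for.
SAMPLE_RAW = {
    "email": "Ana@example.com",
    "order_id": "A-1001",
    "location": "Warsaw",
    "birth_year": 1990,
    "device_fingerprint": "fp-3f9a",  # never requested, should never be kept
}

REQUIRED_FIELDS = frozenset({"email", "order_id"})       # needed to deliver the service
OPTIONAL_FIELDS = frozenset({"location", "birth_year"})  # stored only on explicit opt-in
DIRECT_IDENTIFIERS = frozenset({"email"})                # replaced before secondary use


def weak_intake(raw):
    """The 'before' behaviour: everything the form sends is stored as-is."""
    return dict(raw)


def intake(raw, opted_in=frozenset()):
    """Privacy by default: required fields are kept automatically, optional
    fields only when the data subject has opted in, and unknown fields are
    dropped. Doing nothing (no opt-in) yields the minimal record."""
    return {
        name: value
        for name, value in raw.items()
        if name in REQUIRED_FIELDS or (name in OPTIONAL_FIELDS and name in opted_in)
    }


def pseudonymise(value, key):
    """Deterministic keyed token (HMAC-SHA256, hex). The key is kept apart from
    the data store; without it the token cannot be reversed or re-linked, which
    is what separates this from a plain hash that anyone can recompute."""
    normalised = str(value).strip().lower()
    return hmac.new(key, normalised.encode("utf-8"), hashlib.sha256).hexdigest()


def analytics_view(record, key):
    """Secondary-use copy of a record with direct identifiers pseudonymised.
    The same subject maps to the same token, so statistics can still be
    grouped per subject without exposing the identifier itself."""
    return {
        name: (pseudonymise(value, key) if name in DIRECT_IDENTIFIERS else value)
        for name, value in record.items()
    }


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: loaded from a separate key store
    print("weak     :", weak_intake(SAMPLE_RAW))
    print("default  :", intake(SAMPLE_RAW))
    print("opt-in   :", intake(SAMPLE_RAW, opted_in={"location"}))
    print("analytics:", analytics_view(intake(SAMPLE_RAW), key))
```

The design point is that the minimal record is what you get by default; widening it requires an explicit opt-in set, and the unrequested `device_fingerprint` is discarded on every path. Keeping the HMAC key outside the data store is what makes the tokens pseudonymous rather than merely hashed.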
PRIVACY IMPACT ASSESSMENT (PIA)
Using means adequate to the risk
PIA mandatory whenever the risk connected with data processing is high, e.g. when data is processed using new technologies
Mandatory consultation with the local regulatory body whenever the PIA indicates a high risk to data protection if no mitigating measures are applied
Recommended – conducting a PIA before choosing a processor
WHAT SHOULD A PIA CONTAIN?
Description of the envisaged processing and its purpose
Assessment of necessity and proportionality in relation to the purpose
Assessment of the risks to the rights and freedoms of data subjects
Means aimed at addressing risk, maintaining security of personal data and preserving compliance with GDPR
Exemption from responsibility
Controller is not responsible for damage caused by processing contrary to the Regulation if it can prove absence of guilt
Processor is responsible for damage caused by processing if:
- it did not fulfil duties directly imposed on it by the Regulation
- it acted beyond or against the instructions given by the controller
Conditions for imposing financial penalties
Penalties must be effective, proportionate and dissuasive; factors taken into account:
- character, scale and duration of the breach
- prior breaches
- cooperation with the regulatory body
- data categories concerned by the breach
- reporting of the breach
- intentional or unintentional character of the breach
- actions taken by the controller and processor in order to minimize damage
Rate of penalties
Fines may amount to a maximum of € 10m or up to 2% of worldwide annual turnover, whichever is higher, for each breach of:
- duties of the controller and processor, e.g. children’s consent, data protection by design and by default
- duties of the certification body
- duties of the monitoring body
Rate of penalties
Financial penalties may amount to a maximum of € 20m or up to 4% of worldwide annual turnover, whichever is higher, for one breach of:
- basic principles of processing, including consent
- rights of people whose data is processed
- transfers of data to entities in third countries
The EU-US Privacy Shield on data transfers
The European Commission and the United States agreed on new rules for safe personal data transfers on 2.02.2016 (EU-US Privacy Shield)
compatible with the rules set out by the European Court of Justice in its ruling of October 10, 2015, which declared the previously used rules, the Safe Harbour program, invalid
enhanced duties of American businesses in the field of data protection of EU citizens
supervision and enforcement of the rules by the Trade Department together with the US Federal Trade Commission; cooperation with European data protection authorities
access of public authorities to personal data will be limited and supervised
questions and complaints connected with data transfers can be submitted to a new advisor created especially for this purpose
Implemented since July 2016
SUMMARY
RECOMMENDATIONS:
Investigate the technical and organizational means applied
Should you appoint a Data Protection Officer?
Check your contracts regarding entrusting data processing
Should you conduct a PIA?
Update documentation
Introduce a system for responding to data subject requests