
Page 1: The new General Data Protection Regulation… · GDPR* It happened! Published in May 2016, these rules governing data protection will enter into force on May 25, 2018. klgates.com

© Copyright 2016 by K&L Gates LLP. All rights reserved.

The new General Data Protection Regulation Global impact, more duties, higher sanctions

May 24, 2017

Page 2

Index

klgates.com 2

GDPR – place in legal order

Wide definition of personal data, territorial scope, ONE STOP SHOP

Consent, rights of people whose data is processed

Basic principles of data processing, controller – new duties

Processor. Personal data breach. Data Protection Officer

Privacy by design, privacy by default. Privacy Impact Assessment (PIA)

Responsibilities, penalties

Privacy shield US-EU and directive

Recommendations

Page 3

GDPR*

It happened!

Published in May 2016, these rules governing data protection will enter into force on May 25, 2018


*GDPR: General Data Protection Regulation 2016/679, adopted on April 27, 2016: http://eur-lex.europa.eu/eli/reg/2016/679/oj

Page 4

GDPR – PLACE IN LEGAL ORDER

GDPR is a Regulation – one for all EU countries

Direct application – no need of implementation into national law

It requires revising national statutory laws as well as the “ePrivacy” Directive 2002/58: a draft “ePrivacy” Regulation was published on January 10, 2017


Page 5

WIDE DEFINITION OF PERSONAL DATA

Personal data: data of a natural person who is identified or can be identified, by the controller or by any third party, directly or indirectly, in particular…


Page 6

WIDE DEFINITION OF PERSONAL DATA – on the basis of identifiers such as:

name and surname, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.


Page 7

WIDE DEFINITION OF PERSONAL DATA

• PSEUDONYMOUS DATA

• PROFILING

• GENETIC DATA

• BIOMETRIC DATA

• DATA CONCERNING HEALTH

New definitions!


Page 8

TERRITORIAL SCOPE

GDPR applies when the controller or processor is:

• established in the EU,

• not established in the EU, but offering goods or services to data subjects in the EU,

• not established in the EU, but monitoring the behavior of data subjects in the EU.


Page 9

“ONE STOP SHOP”

Cross-border data processing

Lead supervisory authority


Page 10

PRINCIPLES OF PERSONAL DATA PROCESSING

Accountability – key principles:

• Lawfulness, fairness and transparency

• Purpose limitation

• Data minimization

• Adequateness (accuracy)

• Storage limitation

• Integrity and confidentiality


Page 11

REINFORCEMENT OF RIGHTS OF PEOPLE WHOSE DATA IS PROCESSED

when required, consent is explicit, informed and freely given

enhanced rights of access to data and to object to the processing of personal data

“right to be forgotten” (right to erasure)

“right to data portability”

new principles regarding profiling


Page 12

CONDITIONS FOR CONSENT

must be freely given, specific, informed, unambiguous

can be withdrawn at any time

if the data is processed for various purposes, the consent must encompass each of them


Page 13

CONDITIONS FOR CONSENT

wording of the consent must be clear, simple and easily understandable

the burden of proof rests on the controller

consent is given by a statement or by clear affirmative action


Page 14

CONSENT OF CHILDREN

In relation to the offering of information society services directly to a child:

• >16 years: processing is lawful,

• <16 years: processing is lawful only if and to the extent that the consent is given or authorised by the child’s parent or custodian.


Page 15

CONSENT OF CHILDREN

BUT: EU Member States may set a lower age limit (at least 13 years). The controller shall make reasonable efforts to verify whether the child’s parent or custodian gave or authorized the consent.


Page 16

BASICS OF DATA PROCESSING

Consent (in one or more specified purposes)

Performance of a contract, or steps taken at the request of the person whose data is processed

Fulfillment of legal duty resting upon the controller

Protection of the vital interests of the person whose data is processed or of another natural person


Page 17

BASICS OF DATA PROCESSING

Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Legitimate interests pursued by the controller or by a third party


Page 18

CARROT AND STICK APPROACH

• Guidelines regarding security standards, e.g. using pseudonymised or encrypted data

• Stricter duties in the field of data security; the processor is also obliged to guarantee data security.

Page 19

CONTROLLER AND PROCESSOR

Controller

• Natural person, legal person, other

• Establishes the purposes and means of data processing

• Novelty: joint controllers

Processor

• Natural person, legal person, other

• Processes data on behalf of the controller

• Contract to entrust processing

Page 20

CONTROLLER – DUTIES

• Providing technical and organizational measures, data protection policies, conducting a PIA, appointing a Data Protection Officer

• Guaranteeing the rights of data subjects – documentation (including notification), deletion, portability

• Duties towards the regulatory body, including reporting breaches and consultations prior to processing

Page 21

CONTROLLER

May demonstrate compliance with GDPR by referring to codes of conduct and certifications approved by the regulatory body

Applying codes or certifications does not exclude liability

Documentation of data processing – records

Page 22

PROCESSOR

Technical and organizational means

Documentation of data processing

Reporting breaches to controller

Appointment of a Data Protection Officer

More detailed contract for entrusting data processing

Entrusting data to third parties subject to the controller’s prior approval

Page 23

HOW TO PROVE COMPLIANCE?

Approved code of conduct

Approved certification

Both controllers and processors

Page 24

BREACH OF PERSONAL DATA PROTECTION

Wide definition of breach

Reporting duty – exception when there is no risk to the rights and freedoms of individuals

The processor should inform the controller

The controller – if the risk is high – should inform the data subjects

72 hours to inform the local regulatory body where the controller is established

Page 25

DATA PROTECTION OFFICER – RIGHTS AND DUTIES

Rights

Independence

No possibility of being made redundant

Professional qualifications

Duties

Informing and training

Supervision

Cooperation with regulatory body

Page 26

MANDATORY DATA PROTECTION OFFICER

Public authorities (apart from courts in the scope of judicial power)

Whenever there is regular and systematic monitoring of data subjects on a large scale

Whenever large-scale processing of data is a core business activity

A group may have one Data Protection Officer

Page 27

PRIVACY BY DESIGN

Taking privacy into account when designing a product

Privacy-protecting solutions: prior to data processing, and throughout the entire product life cycle

Aimed at compliance with data processing rules, e.g. minimization of data, use of pseudonyms

Page 28

PRIVACY BY DEFAULT


Defaults should protect users’ privacy

Only the necessary data is processed by default

Privacy should be protected even if no affirmative action is taken by the user

Page 29

PRIVACY IMPACT ASSESSMENT (PIA)

Using measures adequate to the risk

PIA mandatory whenever the risk connected with data processing is high, e.g. when data is processed with the use of new technologies

Mandatory consultation with the local regulatory body whenever the PIA indicates a high risk to data protection that would remain if no mitigating measures were applied

Recommended – conducting a PIA before choosing a processor

Page 30

WHAT SHOULD A PIA CONTAIN?

Description of the envisaged processing and its purpose

Assessment of necessity and proportionality in relation to the purpose

Assessment of the risks to the rights and freedoms of data subjects

Measures aimed at addressing the risks, maintaining the security of personal data and ensuring compliance with GDPR

Page 31

Exemption from liability

The controller is not liable for damage caused by processing contrary to the Regulation if it can prove absence of guilt.

The processor is liable for damage caused by processing if:

• it did not fulfill the duties directly imposed on it by the Regulation

• it acted beyond or against the instructions given by the controller

Page 32

Conditions for imposing financial penalties

Penalties must be effective, proportionate and dissuasive. Factors taken into account:

• character, scale and duration of the breach

• prior breaches

• cooperation with the regulatory body

• data categories concerned by the breach

• reporting of the breach

• intentional or unintentional character of the breach

• actions taken by the controller and processor in order to minimize damage

Page 33

Rate of penalties

Fines may amount to a maximum of € 10m or up to 2% of worldwide annual turnover, whichever is higher, for each breach of:

• duties of the controller and processor, e.g. children’s consent, privacy by design, privacy by default

• duties of the certifying body

• duties of the monitoring body

Page 34

Rate of penalties

Financial penalties may amount to a maximum of € 20m or up to 4% of worldwide annual turnover, whichever is higher, for one breach of:

• basic principles of processing, including consent

• rights of people whose data is processed

• rules on transferring data to entities in third countries

Page 35

The EU-US Privacy Shield on data transfers

The European Commission and the United States agreed on new rules for safe personal data transfers on 2.02.2016 (EU-US Privacy Shield):

• compatible with the rules set out by the European Court of Justice in its ruling of October 10, 2015, which declared the previously used rules, the Safe Harbour program, invalid

• enhanced duties of US companies in the field of protecting the data of EU citizens

• supervision and enforcement of the rules by the Trade Department together with the US Federal Trade Commission; cooperation with European data protection authorities

• access of public authorities to personal data will be limited and supervised

• questions and complaints connected with data transfers can be submitted to a new advisor created especially for this purpose

Implemented since July 2016

Page 36

SUMMARY

Page 37

RECOMMENDATIONS

• Review the technical and organizational measures in place

• Should you appoint a Data Protection Officer?

• Check your contracts regarding entrusting data processing

• Should you conduct a PIA?

• Update documentation

• Introduce a system for handling data subject requests
