Editor

Author's details

Date registered: December 30, 2013

Latest posts

  1. GLOBAL: GDPR – One Year to Go! — May 25, 2017
  2. EUROPE: Practical impacts of GDPR on the employment relationship — May 17, 2017
  3. AUSTRALIA: Privacy Awareness Week Update – Industry Debrief: Mapping the community’s privacy expectations — May 16, 2017
  4. GLOBAL: The GDPR at your fingertips – our new app — April 27, 2017
  5. UK: Government triggers Article 50 — March 29, 2017

Author's posts listings

GLOBAL: GDPR – One Year to Go!

It is one year to the day until the European General Data Protection Regulation comes into force. The clock is now ticking to fines of up to 4% of total worldwide annual revenue for failing to comply with the requirements of the EU GDPR. To assist your organisation with preparing for 25 May 2018 we have developed a suite of useful tools.

Explore GDPR Mobile App

  • Our Explore GDPR mobile app is now available for downloading from both Apple’s App Store and Google Play. The app has been developed to make the text of the new EU General Data Protection Regulation (GDPR) easily accessible. It not only provides the full Regulation text but is also fully searchable and links each article to each of the relevant recitals. In addition, articles from the EU GDPR are linked to corresponding articles from its predecessor, the EU Data Protection Directive 95/46/EC.

GDPR Microsite

  • We maintain a dedicated GDPR microsite where you can find useful information to help you learn about the EU GDPR – what it covers, the impact it is likely to have on organisations across different sectors, actions to take now to prepare, as well as regular updates and information on our webinars and events. You will also find our summary Guide to the GDPR which many organisations find to be a helpful quick guide to the key requirements of the GDPR.

Data Protection Officer Training Academy

  • We have developed a Data Protection Officer Training Academy aimed at IT, compliance and legal professionals, or those taking on the role of Data Protection Officer. The course provides practical, interactive guidance on how to establish and manage compliance as a DPO, consistent with the many requirements of the GDPR.

Data Privacy Scorebox

  • Our Data Privacy Scorebox is an online tool to help you assess your data protection maturity level. It requires completing a survey covering areas such as storage of data, use of data, and customers’ rights. Once completed, a report summarising your organisation’s alignment with 12 key areas of global data protection is produced. The report also includes a practical action point check list and peer benchmarking data.

Data Protection Laws of the World Guide

  • Our Data Protection Laws of the World Guide offers a succinct overview of the areas of data protection law that have the most practical significance to businesses. The Handbook covers over 90 jurisdictions.

About DLA Piper’s Data Protection, Privacy and Security Group

The DLA Piper Data Protection, Privacy and Security Group includes over 150 privacy lawyers worldwide. We provide business-oriented legal advice on achieving effective compliance wherever you do business. For more information, please do not hesitate to contact us at dataprivacy@dlapiper.com.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/global-gdpr-one-year-to-go/

EUROPE: Practical impacts of GDPR on the employment relationship

In this article we focus on some of the practical impacts of GDPR on the employment relationship and what businesses can do to manage these and prepare for implementation by May 2018.

Data subject access requests

Under the GDPR, employees will have the right to much more detailed, transparent and accessible information about the processing of their data. Data subject access requests will be easier for employees. In most cases employers will not be able to charge for complying with a request and normally will have just a month to comply, rather than the current 40 days. The removal of the £10 subject access fee is a significant change from the existing rules under the Data Protection Act (DPA).

Where requests are complex a two month extension is possible, giving a total of three months to comply. Where requests are manifestly unfounded or excessive, in particular because they are repetitive, employers can either charge a reasonable fee (not capped) taking into account the administrative costs of providing the information, or refuse to respond.

Guidance will hopefully give an indication in due course of what sorts of requests could be viewed as complex, unfounded or excessive. However, the ICO is very unlikely to consider a request from an employee as complex, unfounded or excessive, even if they are asking for all their data, unless they have made a previous request recently. The ICO will expect employers to keep information in a manner which means they can locate and supply information within the initial month.

Where an employer intends to delay the response or refuses to respond to a request, the employer must write promptly to the individual within the month explaining why the request is refused or delayed. The employer must also inform them of their right to complain to the supervisory authority and to a judicial remedy.

The DPA contains various exemptions to the duty to disclose such as in relation to legal privilege but at present, the GDPR contains no such exemptions which an employer can rely on to avoid provision of the employee’s personal data. It may be that, in the UK at least, the doctrine of privilege will ‘trump’ data protection rights, but that remains to be tested.

Employers need to update procedures and plan how to handle requests within the new timescales. The GDPR introduces a new best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information. This will not be appropriate for all organisations, but there are some sectors where this may work well. In any event the ICO will expect employers to keep employee personal data in a manner which means that requests for access can be responded to promptly.

What this means in practice is that employers will need sophisticated policies and IT systems to manage DSARs within reasonable timeframes. In order to prepare for compliance, employers should take steps now to:

  • Update procedures and plan how to handle SARs and provide any additional information within the new timescales;
  • Develop template response letters to ensure that all elements of a response to a SAR under the GDPR are complied with;
  • Assess the organisation’s ability to isolate data pertaining to a specific individual quickly and to provide data in compliance with the GDPR’s format obligations;
  • Ensure that employees are trained to recognise and respond quickly and appropriately to SARs; and
  • Consider putting a ‘data subject access portal’ in place allowing an individual to access their information easily online.

Automated processing and profiling

Employees have a right under the GDPR to not be subject to a decision made solely by automated processing where that decision significantly affects them. This includes decisions based on profiling (any form of automated processing to evaluate certain personal aspects of individuals, in particular to analyse or predict indicators such as their performance at work, health, personal preferences, reliability, and behaviour).

The ICO recently published a discussion paper on profiling in which it set out its initial thoughts on where automated processing may significantly affect an employee. In their view this includes processing that:

  • Limits rights or denies an opportunity;
  • Affects individuals’ financial or economic status or circumstances;
  • Leaves individuals open to discrimination or unfair treatment;
  • Involves the analysis of the special categories of personal data or other intrusive data;
  • Causes individuals to change their behaviour in a significant way; or
  • Has unlikely, unanticipated or unwanted consequences for individuals.

It is not difficult to see how these might be the outcome of automated processing of HR data. Areas where employers might currently use automated decision-making, which they should therefore review, include:

  • Recruitment, including automated rejection or shortlisting;
  • Performance management/triggers for sickness absence;
  • Eligibility for attendance bonuses;
  • Holiday or shift rostering;
  • Employee monitoring; and
  • Profiling, particularly where this may impact on selection for talent programmes or career progression rather than purely for development purposes.

From a practical perspective employers need to ensure that where they use automated decision making they can explain how it works and there is another way to make an equivalent assessment of the individual if he/she objects.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-practical-impacts-of-gdpr-on-the-employment-relationship/

AUSTRALIA: Privacy Awareness Week Update – Industry Debrief: Mapping the community’s privacy expectations

By Sinead Lynch and Jessica Noakesmith

Today our Australian IPT team attended the ‘Industry Debrief: Mapping the community’s privacy expectations’ presented by the Australian Information and Privacy Commissioner, Timothy Pilgrim, and Principal from The Wallis Group, Jayne Van Souwe.

We heard some of the key issues raised by the 2017 Australian Community Attitudes to Privacy Survey and part of the Office of the Australian Information Commissioner’s (OAIC) plan to address rising privacy concerns in Australia. It was also notable that the survey confirmed many Australians as being comfortable with and welcoming the new mandatory data breach notification rules due to come into effect in early 2018.

Survey findings:

  • 83% of all Australians viewed online interactions as inherently more risky in privacy terms (although many privacy breaches that the OAIC currently handles are offline and low tech).
  • 25% never ask why their personal information is being collected.
  • 9 in 10 Australians are concerned about personal information being transferred overseas and confirm they do not like it.
  • 79% are uncomfortable with sharing their data in a commercial sector.
  • Young Australians under 35 are the most likely to exchange data for benefit.
  • The health sector continues to be regarded as the most trustworthy, with financial institutions and government sector following closely behind.

Some notable key points:

  • there is a considerable gap between privacy concern and actions of all Australians;
  • consumers’ decision-making relies on existing goodwill and trust in an organisation over detailed policies – for example, many Australians are not likely to read a long and complex privacy policy; the OAIC confirmed that simplifying privacy policies will be a core focus; and
  • there is significant personal responsibility in personal information protection. Everyone has a role to play.

The Commissioner, Mr. Pilgrim, highlighted some actions the OAIC has recently undertaken and some currently in progress, including:

  • working with CSIRO to develop tools to assist with de-identification of data and information – the OAIC posing the question “Can you really de-identify personal information?”;
  • preparing the OAIC response to the Productivity Commission report on Data Availability and Use that was released last week;
  • working with the Prime Minister’s public data groups to establish how data can be used for “good purposes” and how to avoid the impact on individuals – in line with a trend towards open and effective use of data;
  • exploring the social / economic use of personal information – a possible social licence for innovative data use, including options of notice and consent;
  • their recently published guide to “personal information” on the OAIC website;
  • the final Australian businesses and the EU General Data Protection Regulation guidance is to be released within the coming weeks. See the draft resource here – according to the Privacy Commissioner, the GDPR is “extraordinarily important” to Australian businesses; and
  • educating Australians about the Right of Access to personal information, indicating a potential focus point on data subject access right here also.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/australia-privacy-awareness-week-update-industry-debrief-mapping-the-communitys-privacy-expectations/

GLOBAL: The GDPR at your fingertips – our new app

We are delighted to announce the launch of DLA Piper’s new Explore GDPR mobile app! It is now available for downloading from Apple’s App Store and Google Play.

The Explore GDPR mobile app has been developed to make the text of the new EU General Data Protection Regulation (GDPR) easily accessible. The app not only provides the full Regulation text but is also fully searchable and links each article to each of the relevant recitals. In addition, articles from the EU GDPR are linked to corresponding articles from its predecessor, the EU Data Protection Directive 95/46/EC.

It is suitable for use on smartphones and also works particularly well on tablets. After downloading the app the content is available even when you are offline.

The text is available in 13 languages, including Czech, Dutch, English, Finnish, French, German, Hungarian, Italian, Polish, Romanian, Slovakian, Spanish and Swedish.

The app requires iOS 8.1, Android 4.1, or later.

Privacy Matters GDPR App

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/global-the-gdpr-at-your-fingertips-our-new-app/

UK: Government triggers Article 50

After months of speculation and legal and political wrangling, Theresa May, the UK Prime Minister, has today triggered Article 50 and formally begun the process of the withdrawal of the UK from the European Union.

For latest insights on all aspects of Brexit, including the GDPR and data transfers to / from the UK after April 2019, please see our dedicated Brexit microsite.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-government-triggers-article-50/

AUSTRALIA: Mandatory data breach reporting comes to Australia

By Peter Jones (Partner, Sydney) and Josephine Gardiner (Associate, Sydney)

After a gestation period that would make African Bush Elephants proud, it is finally here…

It would be an understatement to say that data breach notification laws have been on the table for some years in Australia. The long-awaited mandatory data breach laws, which passed the Senate on Monday, are the result of a long and winding five year road through the Australian Parliament, three governments and many abandoned attempts. The Privacy Amendment (Notifiable Data Breaches) Act 2016, which amends the Privacy Act 1988, will legally compel organisations to disclose a data breach to the Australian Privacy Commissioner and affected individuals in certain circumstances.

When will the regime start?

At the time of writing, an exact commencement date has not been set (though our bet is that it will be within the next 12 months).

What’s it all about?

Basically, the legislation requires an entity to report a ‘serious data breach’ to customers, the Privacy Commissioner and, potentially, the media.

What is a ‘serious data breach’ you ask? Well, given the importance of this term to the notification regime, it is not ideal that more objective certainty has not been provided. We do know that a serious data breach includes unauthorised access to, disclosure of, or loss of customer information held by the entity (for example personal information, credit reporting information or tax file information) and puts individuals affected at ‘real risk of serious harm.’ This will require judgement calls to be made by organisations as to when notification is required to be made, introducing compliance uncertainty, at least until a number of incidents have arisen and been considered by the Privacy Commissioner.

The notification should include specific details including the information involved and how those affected can respond to the incident (by cancelling credit cards or changing passwords, for example). The entity must not only make such a notification after a breach is known to have occurred, but also when it becomes aware that there are reasonable grounds to believe that there has been an eligible data breach. The entity must comply with these notification steps as soon as practicable. We note too that there are also quite robust obligations to undertake investigations into whether there has been a data breach where an entity has a ‘suspicion’ that there may have been such a breach.

It is recommended that entities currently bound by the Privacy Act review their internal procedures to update data breach response plans and related requirements to align with the new requirements. Easy, huh?

Well, not so fast. We all know that privacy provides fertile ground for legal exposure but also reputation and brand damage. If an obligation to notify arises, how do you manage the potentially competing demands of legally mandated notification with PR advice which, often, recommends against notification unless you have first identified the problem, resolved it/put in place workarounds and ideally come to some view on ‘customer compensation’. Crisis management advisers may well be popping the odd champagne cork or two (although probably not Krug or Cristal just yet).

Also, in a world where personal information is increasingly the subject of third party processing and storage arrangements, how will your compliance obligations be cascaded into the agreements with those third party suppliers? Do any existing ‘compliance with law’ obligations extend to cover the operational requirements of the new regime? Are contract amendments required? What leverage do you have to require those amendments? How can you provide for contract certainty where the legislative requirements are not themselves absolutely crystal clear? Will third party providers, particularly global vendors such as cloud providers, accept obligations to ‘self-police’ breach and disclosure matters?

Maybe not so easy after all…

Consequences of non-compliance

If an individual or business fails to comply with the new notification legislation, it can be liable for serious or repeated interferences with the privacy of an individual and can face a civil penalty of up to $360,000 and $1.8 million respectively.

How will the new laws impact your business?

The US and EU have already established advanced regulation in this area. While Australia is late to the party, the overall effect of the laws for Australia will align – to some extent – privacy requirements with a wide range of other jurisdictions. For international companies operating already under other mandatory breach notification regimes, the changes may be minimal, such as tweaking internal compliance functions. However, for companies with local footprints only, these changes may be more significant.

We realise that the legislation has not yet commenced but reviewing your business’ privacy regime would not be a bad place to start. It should also be a priority to ensure your customers’ information is not compromised in any way and to ensure you have operational procedures in place to adequately manage a data breach event. Thinking this through across your existing and future supplier environment, and the nature of the required upstream contract obligations, will also be needed.

Response to the new laws?

Despite the bill only being passed yesterday, concerns with the legislation have already been expressed by legislators (Senator Cory Bernardi for one). Specifically, some have criticised the ability of the Office of the Australian Information Commissioner (OAIC) to manage the new regime given its current resourcing levels.

Additionally, others are concerned that the legislation is one of the strictest disclosure laws in the world. Its threshold is relatively low as disclosure must be made by the entity not only if it knows a breach has occurred but in the event it believes a breach may have occurred (plus the onerous investigation obligations that are triggered by having a ‘suspicion’ that a breach may have occurred). This can be seen as both a positive and a negative depending on which side of the privacy debate spectrum you sit on.

Senator Bernardi has also called out what he considers to be the unnecessary red tape and the ‘lack of specificity.’ Specifically, he claims that, ‘a serious breach’ is too broadly defined in the laws suggesting that someone with a mere ‘mailing list could fall foul’ of the new rules. Some of these arguments were supported by the recently formed group, Data Governance Australia, whose CEO Graeme Samuels (former head of the ACCC) stated that the legislation was ‘heavy handed’ and suggested a voluntary industry code of conduct instead.

On the other side are those who put the privacy of the individuals above the concerns of over regulation. Senator Penny Wong for example has pointed out that before these laws commence, a government agency, a bank or an online store can incur a breach of an individual’s data and would not have to alert the individual to protect themselves (mainly out of fear of damage to the corporation’s reputation).

So, what will the OAIC do? Again, if we were placing bets we would probably place a responsible wager on the Privacy Commissioner pursuing a suitable ‘example’ in the initial 12 months of the regime.

Commentary

In Timothy Pilgrim’s (Australia’s Privacy Commissioner as well as the Acting Information Commissioner) statement made yesterday, he welcomed the new data breach legislation and the opportunity to work with the government, businesses and consumer groups in preparation for commencement of the new laws.

However, as noted, it is difficult to escape the reality that the legislation adds further grey areas to an already difficult area of law for businesses to navigate (as the Privacy Act in Australia is largely a ‘principles-based’, as opposed to a prescriptive, regime). One example is the lack of specification as to what constitutes ‘serious harm.’ The interpretation of such ambiguities and the overall application of the laws can only be clarified through a combination of Privacy Commissioner guidance and eventual action.

On a practical level, another potential problem of this legislation is that the data breach scheme could lead to ‘notification fatigue’ among members of the public. This means that a bombardment of notifications could eventually undermine the effectiveness of the entire reporting scheme. As the cyber threat environment continues to evolve, and as ‘big data’ analytics and the internet of things continue to expand in Australia, the chances of breaches occurring (and such breaches meeting the required standard) could increase dramatically and ‘notification fatigue’ could come with it.

Ultimately, if the new notification regime was in itself perceived to provide something of a panacea for individuals, and to provide greater clarity to business in terms of the Legislature’s requirements, in our view that perception can be challenged.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/australia-mandatory-data-breach-reporting-comes-to-australia/

POLAND: GIODO special team publishes the “Proposed procedures before the Inspector General”

By Damian Karwala (Senior Associate, Warsaw)

The Polish Data Protection Authority, GIODO (Generalny Inspektor Ochrony Danych Osobowych), as well as data controllers and data processors in Poland are currently preparing for the General Data Protection Regulation (GDPR). Among other things, GIODO has recently proposed that Administrators of Information Security (so-called “ABIs”, or Administratorzy Bezpieczeństwa Informacji – the Polish counterparts of Data Protection Officers), who are registered in the national register kept by GIODO, will ex lege become Data Protection Officers under the GDPR. According to information on GIODO’s website: “one of the provisions that should be included in the new personal data protection act, pursuant to the necessity to implement the GDPR, is a transitional provision, according to which the ABIs registered in a national, open register should ex lege become Data Protection Officers” (available here in Polish).

This statement is explained by the current status and competencies of ABIs. The function of ABI, in its current state, was introduced in Poland on 1 January 2015 with the aim of preparing a group of privacy professionals to meet the requirements of the GDPR and increasing the professionalisation of this role in organisations. In GIODO’s opinion, its proposal will make “information security administrators who have met all the criteria currently required to fulfill this function [i.e. under Polish regulations] able to continue performing this function without having to take into consideration any further formal actions”. However, this position raises some doubts because, despite their close similarities, the status of ABIs and DPOs is somewhat different. As a result, it does not seem plausible that national data controllers could “automatically” change the name ‘ABI’ into ‘DPO’ without taking any further action, e.g. in relation to a DPO’s obligation to act as a contact point for data subjects and the supervisory authority.

This was one of many issues raised by GIODO in the proposed procedure prepared by a special team working on the reform of data protection law in Poland, appointed by GIODO on 8 July 2016. The draft of this procedure (“Proposed procedures before the Inspector General”, available here in Polish) was sent to the Ministry of Digital Affairs on 27 January 2017, where it is currently subject to further work.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/poland-giodo-special-team-publishes-the-proposed-procedures-before-the-inspector-general/

UK: Implementation of the Network and Information Security Directive

By Ross McKean (Partner, London) and Linzi Penman (Associate, Edinburgh)

With the annual cost of cybercrime and cyber espionage to the world economy estimated in the hundreds of billions of dollars and accusations from various Western governments and law enforcement agencies that a sustained campaign of cyber-attacks targeting democracy and critical infrastructure is being carried out in the West, there has been sustained pressure on legislators to toughen cyber laws.

The cybersecurity strategy for the European Union and the European agenda on security provide an overall framework for the numerous EU initiatives to improve cybersecurity and tackle cybercrime. This remains a key priority for the EU institutions which have repeatedly stated that the digital economy within the single market depends on trust in secure information networks and systems.

Progress was made at an EU level in 2016 with a view to bolstering cybersecurity across Europe, with the adoption of the Network and Information Security Directive which requires implementation by Member States on or before 9 May 2018. The Directive is the first EU-wide piece of legislation concerning cybersecurity with its core objectives being to:

  • enhance cyber security at a national level,
  • increase cooperation among Member States on the matter, and
  • impose certain obligations aimed at improving cybersecurity on operators of ‘essential services’ (i.e. water, energy, transport, health, finance, banking, ISPs, DNS).

UK Position – DCMS implementation of NIS Directive

The UK Government advised last year that it is ‘taking stock of the EU referendum outcome and looking at what impact this might have, if any, on the UK Government’s plans for implementing the NIS Directive’. This, coupled with reports that the UK Government may use access to UK intelligence services as a bargaining chip in the forthcoming Brexit negotiations and reports that GCHQ has concerns about the ability of its European equivalent organisations to keep secrets, had led some to question whether the NIS Directive would be implemented at all in the UK. However, Stuart Peters – the Head of EU Cyber Security Regulatory Policy – noted last week that the UK “will still be members of the EU in May 2018 when the Directive is due to come into force…. [and the] UK Government is therefore continuing to implement the Directive.”

Next Steps

As of yet, there are no official proposals as to how the UK will implement the NIS Directive, however the Department of Culture, Media and Sport notes that the government intends to submit its proposed plan by the end of February/beginning of March, with an impact assessment and public consultation planned to be conducted in April and June 2017, respectively.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-implementation-of-the-network-and-information-security-directive/

Data Protection Day 2017!

At DLA Piper we pride ourselves in providing the insights, tools and know how you need to plan ahead and manage change in a privacy landscape that is constantly evolving. With publication of the final text of the EU General Data Protection Regulation in April 2016, many organisations are now actively looking ahead to a challenging timetable to secure GDPR readiness, ahead of May 2018.

International Data Protection Day provides an opportunity to reflect on where we see organisations are in terms of managing privacy to an appropriate standard of protection, and share some of the materials and learning we have created to help those on the compliance journey navigate the road ahead.

Data Protection Laws of the World

We are pleased to launch the 2017 edition of our newly designed Data Protection Laws of the World, which now covers over 95 jurisdictions. This highly regarded complimentary go-to guide offers a high-level snapshot of selected aspects of data protection laws across the globe, in an easily accessible online format.

Access the handbook.

Data Privacy Snapshot

Over 250 organisations have completed our Data Privacy Scorebox to assess current levels of privacy compliance in their respective business operations. Our inaugural Global Data Privacy Snapshot draws on data from the scorebox assessments to provide a perspective on current maturity levels in levels of compliance across the market. The report pays particular focus on maturity levels in the Financial Services, Life Sciences and Healthcare, and Technology and Telecoms sectors, with an overall finding that suggests most organisations have a lot of work on their plate to achieve the levels of compliance they need.

This report will be launching soon.

Data Privacy Scorebox

Launched in 2016, this online tool will help you assess your organisation’s data protection maturity level. Complete a survey covering areas such as storage of data, use of data, and customers’ rights to generate a report that shows your organisation’s maturity levels against 12 key areas of privacy compliance. The report includes a practical action point check list and peer benchmarking data.

Access the scorebox.

Privacy Matters Blog

Our Privacy Matters blog is where you will find the latest updates (often within hours) from our global privacy team on all matters related to data protection, privacy and security. Subscribe with your email address on the home page to receive a message whenever a new post is made.

Access the blog.

Want to know more about the EU Data Protection Regulation?

We maintain a dedicated GDPR microsite, where you can find lots of useful information to help you learn about the EU Data Protection Regulation – what it covers, the impact it is likely to have on organisations across different sectors, actions to take now to prepare, as well as regular updates and information on our webinars and events.

You will also find our summary Guide to the GDPR which many organisations find a helpful quick guide to the key requirements of the GDPR.

Access the microsite.

COMING SOON: EU GDPR App

We are soon to launch an EU GDPR App which gives easy access to the Regulation text. Available for download on iOS and Android, the App will provide a handy guide to the GDPR so you can quickly access Articles, link to relevant Recitals and make comparisons back to the Directive. The App will be available in 13 different languages.

For more information on any of these tools or to contact us, please email dataprivacy@dlapiper.com.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/data-protection-day-2017/

EU – First GDPR Guidance published by Article 29 WP

The Article 29 Working Party (‘WP29’) has issued its first guidance on GDPR topics. This guidance (including FAQs) relates to:

  • the right to Data Portability;
  • Data Protection Officers (DPO); and
  • the Lead Supervisory Authority.

Whilst WP29 announced that more opinions and guidance will follow – for example, guidelines on Data Protection Impact Assessments and Certification will be ready in 2017 – the first three guidelines already provide a first glimpse of WP29’s view on GDPR topics.

Guidelines on the right to Data Portability

In article 20 GDPR, a new right to data portability is created. This right aims at empowering data subjects regarding their own personal data as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another. The WP29 opinion provides guidance on the way to interpret and implement the right to data portability. It clarifies the conditions under which this new right applies and also provides concrete examples and criteria to explain the circumstances in which this right applies.

From this opinion it appears for example that:

  • this right is only applicable if the legal basis of the data processing is the data subject’s consent or the necessity to perform a contract;
  • this right is limited to personal data provided by the data subject (including personal data that relate to the data subject activity or result from the observation of an individual’s behaviour but not subsequent analysis of that behaviour);
  • data controllers must inform the data subjects regarding the availability of the new right to portability (e.g. WP29 recommends that data controllers always include information about the right to data portability before any account closure);
  • data controllers are encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.

The WP29 Guidelines on Data Portability can be found here.

Guidelines on Data Protection Officers

Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. From the WP29 guidelines it becomes clear that DPOs are not personally responsible in case of non-compliance with the GDPR.

WP29 also provides some further details and concrete examples on when a DPO must be appointed. For example, it states that ‘core activities of the controller or processor’ (the trigger for appointing a DPO as set out in Article 37 GDPR) refers to the key operations necessary to achieve the controller’s or processor’s goals, which can also be part of other activities (e.g. a hospital processing patient data).

Article 37 GDPR doesn’t require that the DPO is someone working within the controller or processor; the DPO can also be a third party. However, WP29 does state that the ‘personal availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential’, in order to ensure that data subjects will be able to contact the DPO.

WP29 states that the DPO should be involved in all issues relating to the protection of personal data, from the earliest stage possible.

In its guidelines, WP29 further defines the (independent) position and tasks of the DPO.

The WP29 guidelines on the DPO can be found here.


Guidelines on the Lead Supervisory Authority

In its third opinion, WP29 provides guidelines for identifying a controller or processor’s lead supervisory authority. This topic is relevant where a controller or processor is carrying out the cross-border processing of personal data.

In accordance with Article 56 GDPR, WP29 states that identifying the lead supervisory authority depends on determining the location of the controller’s ‘main establishment’ or ‘single establishment’ in the EU. In principle, for the controller this will be the place of its central administration. However, WP29 makes it very clear that there can be situations where more than one lead authority can be identified, for example where a controller has separate decision-making centres, in different countries, for different processing activities. The example given by WP29 relates to a bank whose banking decisions are made in the jurisdiction where its HQ is based, but whose insurance division is based in another jurisdiction. In that case, there are two lead supervisory authorities.

In its guidelines, WP29 provides further criteria on how to identify the main establishment in cases where it is not the place of central administration in the EU.

Controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative.

The WP29 Guidelines on the Lead Supervisory Authority can be found here.


Permanent link to this article: http://blogs.dlapiper.com/privacymatters/eu-first-gdpr-guidance-published-by-article-29-wp/
