Stefan Panic


AUSTRIA: Draft GDPR Implementation Act

On 12 May 2017 a Draft GDPR Implementation Act (“Draft”) was submitted to the Austrian Parliament and is now to be reviewed, assessed and commented on by various public bodies, organisations and groups.

With the GDPR Implementation Act the present Data Protection Act 2000 (Datenschutzgesetz 2000) will be repealed and a new Data Protection Act will be issued, which will become effective on 25 May 2018.

General overview

At first glance the Draft covers only a bare minimum of implementation: the major part of the Draft consists of the provisions strictly required by the GDPR, and only a few of the optional opening clauses are actually included. A large part of the Draft concerns only the implementation of Directive 2016/680.

The review of the explanatory notes confirms this first impression, as they state that the Draft shall mainly include the necessary implementation of the GDPR and only a few of the opening clauses. The ministerial working party has deliberately not used the openings within the GDPR, as it is of the opinion that the GDPR already provides a general rule which shall now apply in Austria without further specification.

Furthermore, the explanatory notes state that the majority of the opening clauses do not address general data protection matters and are therefore not to be included in the Draft. The ministerial working party was of the opinion that such “special” opening clauses should rather be implemented within the relevant specific laws, e.g. (presumably) the Employment Act or the Criminal Act.

On the other hand, the concern that the Austrian legislator would retain certain specific regulations of the current Data Protection Act 2000 which would not comply with the GDPR has not materialised, due to the very minimalistic approach the ministerial working party took. As such, the various provisions of the Data Protection Act 2000 which were specific to Austria, such as the filing procedure or the obligation to obtain approval of the Data Protection Authority for an international data transfer even where the EU Model Clauses have been concluded, are not included in the Draft and will presumably no longer be part of Austrian law.

Scope of applicability and general provisions

The major change to Austrian law implemented by the Draft is that, following the scope of applicability of the GDPR, its applicability is limited to natural persons, meaning legal persons are no longer included in the material scope, as they are in the currently applicable Data Protection Act 2000. On this point as well the Draft follows the provisions of the GDPR.

In its first section the Draft also stipulates the fundamental right to data protection, which has already been included in the current Data Protection Act 2000. In both versions it is formulated as a constitutional provision and as a human right, but the new wording is more comprehensible than the previous one. Furthermore, as the GDPR does not apply to legal persons, the scope of the fundamental right in the Draft has also been limited to natural persons.

Data protection officers and Data Protection Authority

The first of the main implementation aspects of the Draft is the specifications regarding data protection officers. The Draft states an explicit duty of confidentiality for data protection officers, although this shall not apply to information requests of the Data Protection Authority. Further, the Draft provides additional provisions regarding the data protection officer in the public sector.

Another main aspect of the Draft is the specification of the supervisory authority, which will be the Data Protection Authority (“Datenschutzbehörde”), organised as the sole national supervisory authority.

Remedies, Liability And Penalties

The third section of the Draft provides specifying provisions regarding the implementation of remedies, liability and penalties. The implementation of administrative fines provides, to a certain extent, a possibility to impose fines primarily on legal persons, however in a very limited manner.

Thereunder, the Data Protection Authority shall only be able to impose a fine on a legal person if one of its organs holding a management position is responsible for negligence or a breach of supervision. As regards the scope of this provision, the ministerial working party refers in its explanatory notes to a similar provision within the Austrian Banking Act (“Bankwesengesetz”), whereby the primary liability of the legal person only applies where organs of the legal person are concerned and not when an employee is acting on instructions. This limitation may therefore not be in accordance with the GDPR, as the GDPR does not provide an opening clause for Member States to implement such a limitation.

That said, the GDPR also does not specify how the remedies, liability and penalties provisions must be implemented as concerns the responsible persons, beyond the requirement that the remedies are “effective”, so it remains to be seen whether and how this manner of implementation is in line with the GDPR.

Processing for Specific Purposes

The provisions within section 5 of the Draft address data processing for specific purposes, as provided for in Article 6 Sec 2 GDPR, and cover points such as processing for the purpose of scientific research and statistics or in case of catastrophes.

This is one of the rare occasions on which the ministerial working party has made use of an opening clause. Unfortunately, the ministerial working party did not use the other opening clauses where, in our opinion, the GDPR is rather incomplete and further national legislation seems necessary. This concerns in particular the opening clauses provided in Articles 6 Sec 4 (processing for compatible purposes set out by Member State law), 9 (processing of special categories of personal data) and 10 (processing of personal data relating to criminal convictions and offences) of the GDPR, where national provisions would have been necessary given the very general regulation in the GDPR. It remains to be seen whether such provisions will be included in other laws; however, it is our opinion that provisions implementing the above-mentioned opening clauses should in any case be included in the Draft itself and not in other laws, as the ministerial working party suggests.

Processing of Employee Data

Similarly, as concerns employee data, the Draft provides only a provision stating that the existing provisions of the Employment Act (“Arbeitsverfassungsgesetz”) shall fulfil the requirements of Article 88 GDPR. According to the explanatory notes, the ministerial working party wanted to express clearly with this provision that the specifics of processing employee data shall not be included in the Draft but rather in the relevant labour laws. It remains to be seen whether the legislator will stand by this decision and create provisions in the relevant laws, or whether the Draft will be modified.

Video Surveillance / Processing of Image Data

It is quite surprising that the ministerial working party found it necessary to include in section 6 of the Draft provisions regarding the processing of images and video surveillance, especially in light of its very minimalistic approach to implementing the GDPR. The explanatory notes base the implementation on Article 6 Sec 2 and 3 in connection with Article 23 GDPR, although we have major doubts that this approach is in line with the GDPR. It is at least our opinion that a clarification regarding the processing of data relating to criminal convictions and offences, or of employee data, would have been of greater importance than the processing of images.

Conclusion and outlook

To summarise, the Draft takes a very minimalistic approach to implementing the GDPR and leaves many vital issues open. As such, the Draft gives the impression that the main intention was to initiate the legislative procedure and the discussion on the implementation, while the majority of important implementation decisions are postponed. It therefore remains to be seen how this Draft will develop during the legislative procedure, but we expect either major amendments before the law is passed or further implementation measures amending other statutory laws.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/austria-draft-gdpr-implementation-act/

LITHUANIA: Impact of the CJEU Safe Harbor / Schrems Judgement

Author: Vaiva Mašidlauskienė, Associate, Sorainen law firm

Under the Lithuanian Data Protection Law, transfers from Lithuania to countries outside the EU/EEA must be authorised by the Data Protection Inspectorate (DPI) unless one of the statutory exceptions applies (e.g. consent of the data subject; the transfer is necessary for the benefit of the data subject; etc.). As employee consent is considered insufficient, transfers of employee data are always subject to prior authorisation by the DPI, given that no other exception applies.

The ruling of the Court of Justice of the European Union (hereinafter the Schrems Judgement) found that the Safe Harbor framework is invalid, and this creates several immediate practical consequences for businesses in Lithuania that have relied on the Safe Harbor framework to transfer personal data to the US.

First, from now on the transfer of personal data to the US as such, and also the registration of transfer-related data processing with the DPI, will be more difficult from a legal point of view.

Before the Schrems Judgement, an adequate level of data protection could be supported by (i) a valid Safe Harbor certificate of the US entity and a simple Data Transfer Agreement; or (ii) an agreement between the data importer and the data exporter corresponding to the Standard Contractual Clauses issued by the European Commission; or (iii) an intra-group Data Transfer Agreement (e.g. Binding Corporate Rules).

Following the Schrems Judgement, the first of the three options for proving an adequate level of data protection (i.e. the Safe Harbor framework) is no longer applicable and the remaining two options have to be relied upon.

Second, for those companies which transferred data to the US under the Safe Harbor regime until the Schrems Judgement and strive to continue legal data transfers, there is a great deal of uncertainty regarding how quickly they should implement new measures and obtain the relevant authorisation for transferring personal data to the US.

The Lithuanian DPI has not yet officially commented on the Schrems Judgement and its consequences for the national data transfer authorisation procedures. It is likely that the Lithuanian DPI will wait for guidance from the European Commission or the Article 29 Data Protection Working Party before advising data controllers on how to reframe the legal basis for data transfers to the US. However, it is highly unlikely that data controllers who relied on the legality of the Safe Harbor regime for data transfers to the US until the Schrems Judgement will face any negative consequences from the DPI.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/lithuania-impact-of-the-cjeu-safe-harbor-schrems-judgement/

ESTONIA: Impact of the CJEU Safe Harbor / Schrems Judgement

Author: Mikhel Miidla, Senior Associate, Sorainen law firm

Under the Estonian Personal Data Protection Act, transfers to Safe Harbour certified entities in the US took place as if they were transfers within the EU/EEA. There was no requirement to obtain a prior authorisation from the Estonian Data Protection Inspectorate (“Inspectorate”) for such transfers.

The ruling that the Safe Harbour framework is invalid has several immediate practical consequences for businesses in Estonia that have relied on the Safe Harbour framework to transfer personal data to the US.

First, from now on a prior authorisation from the Inspectorate has to be obtained to transfer personal data to the US. The data exporter must demonstrate that it has a valid legal basis to process the personal data and that a sufficient level of data protection is guaranteed in the US for that specific case of data transfer. To demonstrate to the Inspectorate that a sufficient level of data protection is guaranteed, the data exporter can generally rely on data transfer agreements that are based on the EU Model Contracts or on Binding Corporate Rules.

No prior authorisation from the Inspectorate is needed only:

– if the data subject has provided a valid consent for the specific transfer to take place;

– where the transfer is necessary for the protection of the life, health or freedom of the data subject or another person if obtaining the consent of the data subject is impossible;

– if a third person requests information obtained or created in the process of performance of public duties and the data requested do not contain any sensitive personal data and access to it has not been restricted for any other reasons.

Second, for those companies that, until the Schrems judgment, transferred data to the US under the Safe Harbour regime and urgently need to continue such data transfers legally, there is a great deal of uncertainty regarding how quickly they should implement new measures and obtain the relevant authorisation for transferring personal data to the US.

On the one hand, it is clear that the Safe Harbour principles can no longer be relied upon and data exporters have to implement new measures for the transfers; on the other hand, it is also unlikely that the Inspectorate will now direct its resources into active supervision of data controllers who are likely to be transferring personal data to the US. There is no official guidance available from the Inspectorate on this issue. It is expected that the Inspectorate will soon update its non-binding guidelines on data transfers.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/estonia-impact-of-the-cjeu-safe-harbor-schrems-judgement/

LATVIA: Impact of the CJEU Safe Harbor / Schrems Judgement

Author: Andis Burkevics, Senior Associate, Sorainen law firm

The CJEU judgment that the Safe Harbour framework is invalid has several immediate practical consequences for businesses in Latvia.

First, from now on the transfer of personal data to the US, and also the registration of transfer-related data processing with the Latvian Data State Inspectorate (the Inspectorate), will be more difficult from a legal point of view.

Before the Schrems judgment, for the Inspectorate to confirm that a data transfer was legal, it was enough to indicate in the data-processing registration application that the transfer would be to a US company that held Safe Harbor certification.

Now it is necessary to use other mechanisms for the transfer of personal data. All data transfers to the US are regarded as data transfers to a country that does not ensure a level of data protection equivalent to that in Latvia. The options are listed in Section 28 of the Latvian Personal Data Protection Law and, among others, include:

  1. A data transfer agreement is concluded based on the EU Model Clauses or on the standard conditions approved by the Latvian Government.
  2. The data subject gives consent.
  3. The data controller is bound by Binding Corporate Rules.

Second, for those companies that until the Schrems judgment transferred data to the US under the Safe Harbour regime and urgently need to continue such data transfers legally, there is a great deal of uncertainty regarding what they should do now.

The Inspectorate is expected to announce an action plan in this respect as well as explain other practical consequences arising from the judgment. So far the Inspectorate has not officially commented on the consequences of the Schrems judgment; however, it is highly unlikely that data controllers who relied on the legality of the Safe Harbour regime for data transfers to the US until 6 October 2015 will face any negative consequences from the Inspectorate. Likewise, it seems unlikely that the Inspectorate will impose any severe sanctions on the data controllers who need reasonable time to implement new legal tools for the lawful transfer of data to replace those that have been invalidated by the CJEU.

Instead of registering personal data processing activities relating to data transfers with the Inspectorate, data controllers have always been able to appoint and register a data protection specialist with the Inspectorate. However, this does not solve the problem of the missing legal basis for the international data transfers.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/latvia-impact-of-the-cjeu-safe-harbor-schrems-judgement/

AUSTRIA: Update by the DPA regarding Model Clauses and BCR after the Safe Harbor judgement

Further to its initial public statement regarding the ECJ Safe Harbor judgement, the Austrian DPA has released an update clarifying its position that, for the time being, it will accept EU Model Clauses or Binding Corporate Rules as a basis for transfers of personal data to the USA. Whereas the use of either EU Model Clauses or Binding Corporate Rules still requires an approval of the DPA for the specific case of data transfer, there is at least clarity now that EU Model Clauses and Binding Corporate Rules are accepted as a legal basis for obtaining approval in Austria.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/austria-update-by-the-dpa-regarding-model-clauses-and-bcr-after-the-safe-harbor-judgement/