Tag Archive: GDPR

The Netherlands: DPA published phased plan to prepare for GDPR

By Richard van Schaik and Róbin de Wit

Last week, the Dutch Personal Data Protection Authority (Autoriteit Persoonsgegevens, “AP”) published a step-by-step plan for organizations to prepare for the upcoming GDPR. The plan, consisting of 10 steps, reads as follows.

1. Awareness

As a first step, key players within the organization (e.g. policymakers) need to be aware of the upcoming set of rules. They must assess the impact of the GDPR on current processes, services and products and the adjustments necessary to meet the requirements under the GDPR.

The AP stresses that the implementation of GDPR requirements may be time-consuming. Therefore, the AP strongly recommends commencing as soon as possible with identifying compliance gaps and implementing GDPR-proof solutions.

2. Rights of individuals

Secondly, the AP points out that individuals have more rights under the GDPR in respect of their personal data. Therefore, processes that enable individuals to actually exercise such rights should be implemented. Organizations are strongly encouraged to create their own (technical) means to comply with requests of individuals, including data portability requests.

The AP emphasizes that individuals may file complaints with the AP regarding the handling of their personal data. The AP is obliged to take each complaint into consideration and to start enforcement action where appropriate.

3. Records of processing activities

Furthermore, organizations should map their processing activities as the GDPR requires organizations to maintain a record of processing actions that fall under their responsibility. Such records should not only contain information about e.g. the purposes of processing, data subjects involved and the personal data processed, but each category of personal data should also specify the legal basis for processing.

4. Privacy Impact Assessment (PIA)

As a fourth step, organizations are encouraged to conduct PIAs in order to identify privacy risks associated with data processing activities. PIAs serve as a useful tool to identify compliance gaps and take subsequent actions in order to reduce enforcement risks.

The AP stresses that PIAs are especially valuable with a view to high-risk processing activities, such as activities involving sensitive data.

Also, if an organization is unsuccessful in finding measures to mitigate privacy risks, consultation with the AP is required prior to the start of the relevant processing undertakings.

5. Privacy by design & privacy by default

In addition, awareness shall be created within the organization when it comes to the principles of ‘privacy by design’ and ‘privacy by default’. Also, it must be verified how these principles should be implemented.

For example, organizations must take measures to ensure that – by default – personal data is only processed insofar necessary in view of the processing purpose(s). The AP clarifies that this means that, e.g.:

  • apps may not process the location of users if such processing is not necessary;
  • tickboxes related to marketing may not be pre-ticked;
  • in case of newsletter subscriptions, organizations may not request to fill out more data than necessary in view of the newsletter request.

6. Data Protection Officer (DPO)

Organizations may be obliged to appoint a DPO. The AP encourages organizations to identify whether they are subject to this requirement.

If yes, the recruitment and selection procedure should start in due course.

If no, organizations may want to choose to appoint a DPO after all.

7. Data breach notification duties

The obligation to report data breaches (with the AP and, under circumstances, individuals) will remain largely the same under the GDPR. However, the GDPR contains stricter rules as to the internal recordkeeping of data breaches. All breaches must be documented so that the AP is able to verify that mandatory notification duties have been complied with.

Organizations should make necessary preparations in that respect, and also create data breach awareness amongst employees.

8. Data processing agreements

As a next step, the AP points out that existing data processing agreements should be examined in order to ensure that the agreements are still adequate and meet the stricter requirements under the GDPR. If not, the necessary changes should be agreed upon in time.

Where relevant, new data processing agreements should be drafted with a view to the GDPR requirements.

9. Lead supervisory authority

If an organization has multiple establishments throughout EU Member States, or if processing activities have an impact on various EU Member States, only one supervisory authority will be competent to act as lead supervisory authority for the cross-border processing. Organizations are encouraged to identify the lead supervisory authority applicable to them.

10. Consent

As a final step, the AP indicates that, under the GDPR, stricter rules apply to reliance on consent as the legal basis for processing. Therefore, organizations should evaluate the manner in which consent is requested, obtained and registered, and should amend where necessary.

Also, organizations should be able to demonstrate that valid consent has been obtained from individuals to process their personal data. Moreover, it must be as easy to withdraw consent as to give it. Therefore, organizations should have appropriate (technical) tools in place to make sure stricter consent requirements under the GDPR are observed.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-netherlands-dpa-published-phased-plan-to-prepare-for-gdpr/

FRANCE: The French Data Protection Authority (CNIL) Publishes 6-Step Methodology For Compliance With GDPR

By Carol A.F. Umhoefer (carol.umhoefer@dlapiper.com) and Caroline Chancé (caroline.chance@dlapiper.com)


On March 15, 2017, the CNIL published a 6-step methodology for companies that want to prepare for the changes that will apply as from May 25, 2018 under the EU General Data Protection Regulation (“GDPR”).

The abolishment under the GDPR of registrations and filings with data protection authorities will represent a fundamental shift in the data protection compliance framework in France, which has been heavily reliant on declarations to the CNIL and authorizations from the CNIL for certain types of personal data processing. In place of declarations, the CNIL underscores the importance of “accountability” and “transparency”, core principles that underlie the GDPR requirements. These principles necessitate taking privacy risk into account throughout the process of designing a new product or service (privacy by design and by default), implementing proper information governance, as well as adopting internal measures and tools to ensure optimal protection of data subjects.

In order to help organizations get ready for the GDPR, the CNIL has published the following 6-step methodology:

Step 1: Appoint a data protection officer (“DPO”) to “pilot” the organization’s GDPR compliance program

Pursuant to Article 37 of the GDPR, appointing a DPO will be required if the organization is a public entity, if the core activities of the organization require the regular and systematic monitoring of data subjects on a large scale, or if such activities consist of the processing of sensitive data on a large scale. The CNIL recommends appointing a DPO before the GDPR applies in May 2018.

Even when a DPO is not required, the CNIL strongly recommends appointing a person responsible for managing GDPR compliance in order to facilitate comprehension of and compliance with the GDPR, cooperation with authorities and mitigation of the risk of litigation.

Step 1 will be considered completed once the organization has appointed a DPO and provided him/her with the human and financial resources needed to carry out his/her duties.


Step 2: Undertake data mapping to measure the impact of the GDPR on existing data processing

Pursuant to Article 30 of the GDPR, controllers and processors will be required to maintain a record of their processing activities. In order to measure the impact of the GDPR on existing data processing and maintain a record, the CNIL advises organizations to identify data processing, the categories of personal data processed, the purposes of each processing, the persons who process the data (including data processor), and data flows, in particular data transfers outside the EU.

To adequately map data, the CNIL recommends asking:

  • Who? (identity of the data controller, the persons in charge of the processing operations and the data processors)
  • What? (categories of data processed, sensitive data)
  • Why? (purposes of the processing)
  • Where? (storage location, data transfers)
  • Until when? (data retention period)
  • How? (security measures in place)

Step 2 will be considered completed once the organization has identified the stakeholders for processing, established a list of all processing by purposes and categories of data processed, and identified the data processors, to whom and where the data is transferred, where the data is stored and for how long it is retained.


Step 3: Based on the results of data mapping, identify key compliance actions and prioritize them depending on the risks to individuals

In order to prioritize the tasks to be performed, the CNIL recommends:

  • Ensuring that only data strictly necessary for the purposes is collected and processed;
  • Identifying the legal basis for the processing;
  • Revising privacy notices to make them compliant with the GDPR;
  • Ensuring that data processors know their new obligations and responsibilities and that data processing agreements contain the appropriate provisions in respect of security, confidentiality and protection of personal data;
  • Deciding how data subjects will be able to exercise their rights;
  • Verifying security measures in place.

In addition, the CNIL recommends particular caution when the organization processes data such as sensitive data, criminal records and data regarding minors, when the processing presents certain risks to data subjects (massive surveillance and profiling), or when data is transferred outside the EU.

Step 3 will be considered completed once the organization has implemented the first measures to protect data subjects and has identified high risk processing.


Step 4: Conduct a privacy impact assessment for any data processing that presents high privacy risks to data subjects due to the nature or scope of the processing operations

Conducting a privacy impact assessment (“PIA”) is essential to assess the impact of a processing on data subjects’ privacy and to demonstrate that the fundamental principles of the GDPR have been complied with.

The CNIL recommends conducting a PIA before collecting data and starting processing, and any time processing is likely to present high privacy risks to data subjects. A PIA contains a description of the processing and its purposes, an assessment of the necessity and proportionality of the processing, an assessment of the risks to data subjects, and the measures contemplated to mitigate the risks and comply with the GDPR.

The CNIL has published guidelines in 3 volumes to help organizations conduct PIAs (see here, here and here).

Step 4 will be considered completed once the organization has implemented measures to respond to the principal risks and threats to data subjects’ privacy.


Step 5: Implement internal procedures to ensure a high level of protection for personal data

According to the CNIL, implementing compliant internal procedures implies adopting a privacy by design approach, increasing awareness, facilitating information reporting within the organization, responding to data subject requests, and anticipating data breach incidents.

Step 5 will be considered completed once the organization has adopted good practices in respect of data protection and knows what to do and who to go to in case of incident.


Step 6: Document everything to be able to prove compliance to the GDPR

In order to be able to demonstrate compliance, the CNIL recommends that organizations retain documents regarding the processing of personal data, such as: records of processing activities, PIAs and documents regarding data transfers outside the EU; transparency documents such as privacy notices, consent forms, procedures for exercising data subject rights; and agreements defining the roles and responsibilities of each stakeholder, including data processing agreements, internal procedures in case of data breach, and proof of consent when the processing is based on the data subject’s consent.

Step 6 will be considered completed once the organization’s documentation shows that it complies with all the GDPR requirements.

The CNIL’s methodology includes several useful tools (template records, guidelines, template contract clauses, etc.) and will be completed over time to take into account the WP29’s guidelines and the CNIL’s responses to frequently asked questions.


For more information, please contact carol.umhoefer@dlapiper.com or caroline.chance@dlapiper.com

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/france-the-french-data-protection-authority-cnil-publishes-6-step-methodology-for-compliance-with-gdpr/

POLAND: GIODO special team publishes the “Proposed procedures before the Inspector General”

By Damian Karwala (Senior Associate, Warsaw)

The Polish Data Protection Authority, GIODO (Generalny Inspektor Ochrony Danych Osobowych), as well as data controllers and data processors in Poland are currently preparing for the General Data Protection Regulation (GDPR). Among other things, GIODO has recently proposed that Administrators of Information Security (so-called “ABIs”, or Administratorzy Bezpieczeństwa Informacji – the Polish counterparts of Data Protection Officers), who are registered in the national register kept by GIODO, will ex lege become Data Protection Officers under the GDPR. According to information on GIODO’s website: “one of the provisions that should be included in the new personal data protection act, pursuant to the necessity to implement the GDPR, is a transitional provision, according to which the ABIs registered in a national, open register should ex lege become Data Protection Officers” (available here in Polish).

This statement is explained by the current status and competencies of ABIs. The function of ABI, in its current state, was introduced in Poland on 1 January 2015 with the aim of preparing a group of privacy professionals to meet the requirements of the GDPR and increasing the professionalisation of this role in organisations. In GIODO’s opinion, its proposal will make “information security administrators who have met all the criteria currently required to fulfill this function [i.e. under Polish regulations] able to continue performing this function without having to take into consideration any further formal actions”. However, this position raises some doubts because, despite their close similarities, the status of ABIs and DPOs is somewhat different. As a result, it does not seem plausible that national data controllers could “automatically” change the name ‘ABI’ into ‘DPO’ without taking any further action, e.g. in relation to a DPO’s obligation to act as a contact point for data subjects and the supervisory authority.

This was one of many issues raised by GIODO in the proposed procedure prepared by a special team working on the reform of data protection law in Poland, appointed by GIODO on 8 July 2016. The draft of this procedure (“Proposed procedures before the Inspector General”, available here in Polish) was sent to the Ministry of Digital Affairs on 27 January 2017, where it is currently subject to further work.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/poland-giodo-special-team-publishes-the-proposed-procedures-before-the-inspector-general/

DLA Piper Italy and AIGI event on the General Data Protection Regulation

DLA Piper Italy and AIGI will run an event on how the General Data Protection Regulation will impact the business of companies on 16 February 2017.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/dla-piper-italy-and-aigi-event-on-the-general-data-protection-regulation/

EU – First GDPR Guidance published by Article 29 WP

The Article 29 Working Party (‘WP29’) has issued its first guidance on GDPR topics. This guidance (including FAQs) relates to:

  • the right to Data Portability;
  • Data Protection Officers (DPO); and
  • the Lead Supervisory Authority.

Whilst WP29 announced that more opinions and guidance will follow – for example, guidelines on Data Protection Impact Assessments and Certification will be ready in 2017 – the first three guidelines already provide a first glance at WP29’s view on GDPR topics.

Guidelines on the right to Data Portability

In article 20 GDPR, a new right to data portability is created. This right aims at empowering data subjects regarding their own personal data as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another. The WP29 opinion provides guidance on the way to interpret and implement the right to data portability. It clarifies the conditions under which this new right applies and also provides concrete examples and criteria to explain the circumstances in which this right applies.

From this opinion it appears for example that:

  • this right is only applicable if the legal basis of the data processing is the data subject’s consent or the necessity to perform a contract;
  • this right is limited to personal data provided by the data subject (including personal data that relate to the data subject activity or result from the observation of an individual’s behaviour but not subsequent analysis of that behaviour);
  • data controllers must inform the data subjects regarding the availability of the new right to portability (e.g. WP29 recommends that data controllers always include information about the right to data portability before any account closure);
  • data controllers are encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.

The WP29 Guidelines on Data Portability can be found here.

Guidelines on Data Protection Officers

Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. From the WP29 guidelines it becomes clear that DPOs are not personally responsible in case of non-compliance with the GDPR.

WP29 also provides some further details and concrete examples on when a DPO must be appointed. For example, it states that ‘core activities of the controller or processor’ (which triggers the appointment of a DPO as set out in Article 37 GDPR) refers to the key operations necessary to achieve the controller’s or processor’s goals, which can also be part of other activities (e.g. a hospital processing patient data).

Article 37 GDPR does not require that the DPO is someone working within the controller or processor; this can also be a third party. However, WP29 does state that the ‘personal availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential’, in order to ensure that data subjects will be able to contact the DPO.

WP29 states that the DPO should be involved in all issues relating to the protection of personal data, from the earliest stage possible.

In its guidelines, WP29 further defines the (independent) position and tasks of the DPO.

The WP29 guidelines on the DPO can be found here.


Guidelines on the Lead Supervisory Authority

In its third opinion, WP29 provides guidelines for identifying a controller or processor’s lead supervisory authority. This topic is relevant where a controller or processor is carrying out the cross-border processing of personal data.

In accordance with Article 56 GDPR, WP29 states that identifying the lead supervisory authority depends on determining the location of the controller’s ‘main establishment’ or ‘single establishment’ in the EU. In principle, for the controller this will be the place of its central administration. However, WP29 makes it very clear that there can be situations where more than one lead authority can be identified, i.e. where a controller has separate decision-making centres, in different countries, for different processing activities. The example given by WP29 relates to a bank whose banking decisions are made in one jurisdiction, where its HQ is also based, but whose insurance division is based in another jurisdiction. In that case, there are two supervisory authorities.

In its guidelines, WP29 provides further criteria on how to identify the main establishment in cases where it is not the place of central administration in the EU.

Controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative.

The WP29 Guidelines on the Lead Supervisory Authority can be found here.


Permanent link to this article: http://blogs.dlapiper.com/privacymatters/eu-first-gdpr-guidance-published-by-article-29-wp/

GERMANY: Cloud Computing and trans-border transfers of personal data under review of German DPAs

By Jan Spittka and Jan Pohle

While Cloud Computing and other types of trans-border transfers are nowadays vitally important for data processing, the transfer of personal data to third countries (i.e. non-EU/EEA countries) is subject to specific requirements under European data protection law. The data controller, e.g. the company transferring personal data to its affiliates or service providers, must ensure an adequate level of data protection, according to the EU Data Protection Directive (Directive 95/46/EC). Trans-border flows of personal data are now reviewed by German Data Protection Agencies (DPAs).

Enquiry of the DPAs

On 3 November 2016, ten German DPAs made a statement to the press (available here – in German only), explaining that the transfer of personal data has increased strongly over the last years. In order to raise awareness of the legal framework governing cross-border data transfers, a questionnaire (available here – in German only) will be sent to 500 German companies of all sizes and with various fields of activity. Both the management and the company’s data protection officer shall sign the questionnaire. The companies are expected to specify which services and products used by them require cross-border data transfer. The questionnaire contains in particular inquiries relating to marketing, recruiting, cloud storage, internal communication systems, and intra-group data transfer. The legal ground for each data transfer must be communicated.

Legal Background

The EU Data Protection Directive provides for several options to ensure an adequate level of data protection: Standard Contractual Clauses, Binding Corporate Rules, a special agreement (in particular the EU-US Privacy Shield), or a decision of the European Commission stating that a certain country ensures such a level of data protection. German DPAs observe an unsatisfactory level of awareness regarding data protection in cross-border scenarios. Their aim is to evaluate if and to what extent companies comply with European data protection law.

Practical Impact

  • Companies using Cloud Computing should be alarmed.
  • DPAs expressed that the questionnaires and the corresponding answers may constitute a reason to conduct a “more thorough investigation”.
  • Such investigations could lead to administrative fines of up to EUR 300,000.
  • Therefore, the questionnaire has to be considered thoroughly and reviewed carefully. If German DPAs are not satisfied with the answers, further measures will probably be taken.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/germany-cloud-computing-and-trans-border-transfers-of-personal-data-under-review-of-german-dpas/

EUROPE: ECJ – Dynamic IP addresses may constitute personal data

By Jan Pohle and Jan Spittka

In its landmark decision in the case Breyer v. Federal Republic of Germany (decision dated 19 October 2016, case number C-582/14), the European Court of Justice (ECJ) not only ended the long and tricky debate on whether dynamic IP addresses constitute personal data even if the data controller processing the IP addresses does not hold the means to link them to the respective data subject. The court also came to the conclusion that the provisions of German law dealing with the processing of personal data in the online environment do not comply with the EU Data Protection Directive (Directive 95/46/EC), as these provisions do not provide for a statutory permission to process personal data based on a balancing of interests between the legitimate interests of the data controller and the interests of the data subjects.


Background

The case was referred to the ECJ by the German Federal Court of Justice (Bundesgerichtshof – “BGH”). The claimant, Mr. Breyer, had sued the German Federal Ministry of Justice and Consumer Protection (Bundesministerium für Justiz und Verbraucherschutz – “BMJV”) seeking an order to cease and desist from registering and storing his dynamic IP address after he visited the BMJV’s websites. The BMJV argued that IP addresses have to be retained after the end of the visit to the website in order to protect itself against cyberattacks. The BGH asked the ECJ whether dynamic IP addresses constitute personal data with respect to an “online media service provider” (i.e. the operator of a website) if only a third party (here, the internet service provider) holds the additional data necessary to identify a visitor to this website. Furthermore, the BGH asked whether the operator of a website may collect and subsequently use visitors’ personal data in order to ensure the general operability of its website.

Ruling of the ECJ

The ECJ decided that a dynamic IP address constitutes personal data not only with respect to the internet service provider (which has the means to link the IP address to the individual behind the address in any case), but also with respect to the operator of a website, if this website operator has legal means to identify the visitor with the help of additional information from the visitor’s internet service provider. The ECJ confirmed this with respect to German law. Although the operator of a website does not have any direct claim against an internet service provider to provide the name of the individual behind an IP address, the court found it sufficient if the website operator can obtain the information required to identify the visitor of the website from the internet provider via a competent authority which requests the information to prepare criminal proceedings, e.g. in the event of cyberattacks. As a consequence, the processing of IP addresses by website operators is subject to, and has to comply with, the applicable member state data protection requirements. Beyond this specific case, the ECJ has provided sufficient tools to determine whether information constitutes personal data if the information cannot be directly linked to an individual, but only by using additional information which is held by a third party. According to the ECJ, this is not the case if the identification of the data subject is

  • prohibited by law, or
  • practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and manpower, so that the risk of identification appears in reality to be insignificant.

The classification of dynamic IP addresses as personal data required the ECJ to take a closer look at the German data protection rules dealing with the processing of personal data in the online environment. Currently applicable law allows the processing of personal data without the data subject’s consent only in specific, enumerated cases. A general provision which provides for the possibility of a balancing of interests in a particular case is not included. According to the ECJ, this lack of a statutory permission is not compliant with Article 7 lit. f) of the Data Protection Directive. This finding also has a fundamental impact going beyond the case at hand, as all member state data protection laws now have to be reviewed as to whether they allow for a balancing of interests, at least in individual cases.

Conclusion

The decision of the ECJ forces all operators of websites, irrespective of whether they are public administration or private businesses, to review the collection, processing and use of IP addresses in connection with their websites. However, the ECJ has also strengthened IT security as it pointed out that member state law has to provide for the possibility to process personal data without consent for cybersecurity purposes.

Jan Spittka and Jan Pohle

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/ecj-dynamic-ip-addresses-constitute-personal-data-and-german-law-not-compliant-with-data-protection-directive-by-jan-spittka-and-jan-pohle/

The Netherlands: new chairman DPA announces fines

By Richard van Schaik and Róbin de Wit

Last week, the chairman of the Dutch Personal Data Protection Authority (Autoriteit Persoonsgegevens, “AP”), Aleid Wolfsen, announced that several investigations around data breaches are pending and that the first serious fine is just a matter of time.

Mr. Wolfsen is optimistic about the impact of the upcoming General Data Protection Regulation (“GDPR”), effective from May 25, 2018. Data subjects’ rights are boosted and the responsibilities of companies significantly increased, Wolfsen says. Furthermore, the possibilities for the AP to step up the level of enforcement and to impose “draconian fines” will further expand. Under the GDPR, fines of up to EUR 20 million or 4% of the worldwide annual turnover may be imposed, whilst the maximum amount is substantially lower under current Dutch data privacy laws.

Although the AP has not imposed any fines in 2016, changes are imminent. Mr. Wolfsen indicated that almost 4,000 cases of data breaches have been notified to the AP and that several investigations are still pending. Investigations relate to cases where the protection of personal data is “drastically insufficient”. It is therefore to be expected that the first fines will follow in due course.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-netherlands-new-chairman-dpa-announces-fines/

How the new privacy portability right will change your industry

The new data portability right empowers individuals to have full control over their personal data, representing both an opportunity and a risk for companies.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/how-the-new-privacy-portability-right-will-change-your-industry/