Tag Archive: GDPR

FRANCE: The French Data Protection Authority (CNIL) Publishes 6-Step Methodology For Compliance With GDPR

By Carol A.F. Umhoefer (carol.umhoefer@dlapiper.com) and Caroline Chancé (caroline.chance@dlapiper.com)

 

On March 15, 2017, the CNIL published a 6-step methodology for companies that want to prepare for the changes that will apply as from May 25, 2018 under the EU the General Data Protection Regulation (“GDPR”).

The abolishment under GDPR of registrations and filings with data protection authorities will represent fundamental shift of the data protection compliance framework in France., which has been heavily reliant on declarations to the CNIL and authorizations from the CNIL for certain types of personal data processing. In place of declarations, the CNIL underscores the importance of “accountability” and “transparency”, core principles that underlie the GDPR requirements. These principles necessitate taking privacy risk into account throughout the process of designing a new product or service (privacy by design and by default), implementing proper information governance, as well as adopting internal measures and tools to ensure optimal protection of data subjects.

In order to help organizations get ready for the GDPR, the CNIL has published the following 6 step methodology:

 

Step 1: Appoint a data protection officer (“DPO”) to “pilot” the organization’s GDPR compliance program

Pursuant to Article 37 of the GDPR, appointing a DPO will be required if the organization is a public entity; or if the core activities of the organization require the regular and systematic monitoring of data subjects on a large scale, or if such activities consist of the processing of sensitive data on a large scale. The CNIL recommends appointing a DPO before GDPR applies in May 2018.

Even when a DPO is not required, the CNIL strongly recommends appointing a person responsible for managing GDPR compliance in order to facilitate comprehension and compliance in respect of GDRP, cooperation with authorities and mitigation of risks of litigation.

Step 1 will be considered completed once the organization has appointed a DPO and provided him/her with the human and financial resources needed to carry out his/her duties.

 

Step 2: Undertake data mapping to measure the impact of the GDPR on existing data processing

Pursuant to Article 30 of the GDPR, controllers and processors will be required to maintain a record of their processing activities. In order to measure the impact of the GDPR on existing data processing and maintain a record, the CNIL advises organizations to identify data processing, the categories of personal data processed, the purposes of each processing, the persons who process the data (including data processor), and data flows, in particular data transfers outside the EU.

To adequately map data, the CNIL recommends asking:

  • Who? (identity of the data controller, the persons in charge of the processing operations and the data processors)
  • What? (categories of data processed, sensitive data)
  • Why? (purposes of the processing)
  • Where? (storage location, data transfers)
  • Until when? (data retention period)
  • How? (security measures in place)

Step 2 will be considered completed once the organization has identified the stakeholders for processing, established a list of all processing by purposes and categories of data processed, and identified the data processors, to whom and where the data is transferred, where the data is stored and for how long it is retained.

 

Step 3: Based on the results of data mapping, identify key compliance actions and prioritize them depending on the risks to individuals

In order to prioritize the tasks to be performed, the CNIL recommends:

  • Ensuring that only data strictly necessary for the purposes is collected and processed;
  • Identifying the legal basis for the processing;
  • Revising privacy notices to make them compliant with the GDPR;
  • Ensuring that data processors know their new obligations and responsibilities and that data processing agreements contain the appropriate provisions in respect of security, confidentiality and protection of personal data;
  • Deciding how data subjects will be able to exercise their rights;
  • Verifying security measures in place.

In addition, the CNIL recommends particular caution when the organization processes data such as sensitive data, criminal records and data regarding minors, when the processing presents certain risks to data subjects (massive surveillance and profiling), or when data is transferred outside the EU.

Step 3 will be considered completed once the organization has implemented the first measures to protect data subjects and has identified high risk processing.

 

Step 4: Conduct a privacy impact assessment for any data processing that presents high privacy risks to data subjects due to the nature or scope of the processing operations

Conducting a privacy impact assessment (“PIA”) is essential to assess the impact of a processing on data subjects’ privacy and to demonstrate that the fundamental principles of the GDPR have been complied with.

The CNIL recommends to conduct a PIA before collecting data and starting processing, and any time processing is likely to present high privacy risks to data subjects. A PIA contains a description of the processing and its purposes, an assessment of the necessity and proportionality of the processing, an assessment of the risks to data subjects, and measures contemplated to mitigate the risks and comply with the GDPR.

The CNIL has published guidelines in 3 volumes to help organizations conduct PIAs (see here, here and here).

Step 4 will be considered completed once the organization has implemented measures to respond to the principal risks and threats to data subjects’ privacy.

 

Step 5: Implement internal procedures to ensure a high level of protection for personal data

According to the CNIL, implementing compliant internal procedures implies adopting a privacy by design approach, increasing awareness, facilitating information reporting within the organization, responding to data suject requests, and anticipating data breach incidents.

Step 5 will be considered completed once the organization has adopted good practices in respect of data protection and knows what to do and who to go to in case of incident.

 

Step 6: Document everything to be able to prove compliance to the GDPR

In order to be able to demonstate compliance, the CNIL recommands that organizations retain documents regarding the processing of personal data, such as: records of processing activities, PIAs and documents regarding data transfers outside the EU; transparency documents such as privacy notices, consent forms, procedures for exercising data subject rights; and agreements defining the roles and responsibilities of each stakeholder, including data processing agreements, internal procedures in case of data breach, and proof of consent when the processing is based on the data subject’s consent.

Step 6 will be considered completed once the organization’s documentation shows that it complies with all the GDPR requirements.

 

The CNIL’s methology includes several useful tools (template records, guidelines, template contract clauses, etc.) and will be completed over time to take into account the WP29’s guidelines and the CNIL’s responses to frequently asked questions.

 

For more information, please contact carol.umhoefer@dlapiper.com or caroline.chance@dlapiper.com

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/france-the-french-data-protection-authority-cnil-publishes-6-step-methodology-for-compliance-with-gdpr/

POLAND: GIODO special team publishes the “Proposed procedures before the Inspector General”

By Damian Karwala (Senior Associate, Warsaw)

The Polish Data Protection Authority, GIODO (Generalny Inspektor Ochrony Danych Osobowych), as well as data controllers and data processors in Poland are currently preparing for the General Data Protection Regulation (GDPR). Among other things, GIODO has recently proposed that Administrators of Information Security (so-called “ABIs”, or Administratorzy Bezpieczeństwa Informacji – the Polish counterparts of Data Protection Officers), who are registered in the national register kept by GIODO, will ex lege become Data Protection Officers under the GDPR. According to information on GIODO’s website: “one of the provisions that should be included in the new personal data protection act, pursuant to the necessity to implement the GDPR, is a transitional provision, according to which the ABIs registered in a national, open register should ex lege become Data Protection Officers” (available here in Polish).

This statement is explained by the current status and competencies of ABIs. The function of ABI, in its current state, was introduced in Poland on 1 January 2015 with the aim of preparing a group of privacy professionals to meet the requirements of the GDPR and increasing the professionalisation of this role in organisations. In GIODO’s opinion, its proposal will make “information security administrators who have met all the criteria currently required to fulfill this function [i.e. under Polish regulations] able to continue performing this function without having to take into consideration any further formal actions”. However, this position raises some doubts because, despite their close similarities, the status of ABIs and DPOs is somewhat different. As a result, it does not seem plausible that national data controllers could “automatically” change the name ‘ABI’ into ‘DPO’ without taking any further action, e.g. in relation to a DPO’s obligation to act as a contact point for data subjects and the supervisory authority.

This was one of many issues raised by GIODO in the proposed procedure prepared by a special team working on the reform of data protection law in Poland, appointed by GIODO on 8 July 2016. The draft of this procedure (“Proposed procedures before the Inspector General”, available here in Polish) was sent to the Ministry of Digital Affairs on 27 January 2017, where it is currently subject to further work.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/poland-giodo-special-team-publishes-the-proposed-procedures-before-the-inspector-general/

DLA Piper Italy and AIGI event on the General Data Protection Regulation

DLA Piper Italy and AIGI will run an event on how the General Data Protection Regulation will impact the business of companies on 16 February 2017. Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/dla-piper-italy-and-aigi-event-on-the-general-data-protection-regulation/

EU – First GDPR Guidance published by Article 29 WP

The Article 29 Working Party (‘WP29’) has issued its first guidance on GDPR topics. This guidance (including FAQs) relates to:

  • the right to Data Portability;
  • Data Protection Officers (DPO); and
  • the Lead Supervisory Authority.

Whilst WP29 announced that more opinions and guidance will follow – for example, guidelines on Data Protection Impact Assessments and Certification will be ready in 2017 – the first three guidelines already provide a first glance on WP29’s view on GDPR topics.

Guidelines on the right to Data Portability

In article 20 GDPR, a new right to data portability is created. This right aims at empowering data subjects regarding their own personal data as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another. The WP29 opinion provides guidance on the way to interpret and implement the right to data portability. It clarifies the conditions under which this new right applies and also provides concrete examples and criteria to explain the circumstances in which this right applies.

From this opinion it appears for example that:

  • this right is only applicable if the legal basis of the data processing is the data subject’s consent or the necessity to perform a contract;
  • this right is limited to personal data provided by the data subject (including personal data that relate to the data subject activity or result from the observation of an individual’s behaviour but not subsequent analysis of that behaviour);
  • data controllers must inform the data subjects regarding the availability of the new right to portability (e.g. WP29 recommends that data controllers always include information about the right to data portability before any account closure);
  • data controllers are encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.

The WP29 Guidelines on Data Portability can be found here.

Guidelines on Data Protection Officers

Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. From the WP29 guidelines it becomes clear that DPOs are not personally responsible in case of non-compliance with the GDPR.

WP29 also provides some further details and concrete examples on when a DPO must be appointed. For example it states that ‘core activities of the controller or processor’ (which triggers the appointment of a DPO as set out in Article 37 GDPR)  refers to  the key operations necessary to achieve the controller’s or processor’s goals, which can also be part of other activities (e.g. a hospital processing patient data).

Article 37 GDPR doesn’t require that the DPO is someone working within the controller or processor, this can also be a third party. However, WP29 does state that the ‘personal availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential’, such in order to ensure that data subjects will be able to contact the DPO.

WP29 states that the DPO should be involved in all issues relating to the protection of personal data, such from the earliest stage possible.

In its guidelines, WP29 further defines the (independent) position and tasks of the DPO.

The WP29 guidelines on the DPO can be found here.

 

Guidelines on the Lead Supervisory Authority

In its third opinion, WP29 provides guidelines for identifying a controller or processor’s lead supervisory authority. This topic is relevant where a controller or processor is carrying out the cross-border processing of personal data.

In accordance with Article 56 GDPR, WP29 states that identifying the lead supervisory authority depends on determining the location of the controller’s ‘main establishment’ or ‘single establishment’ in the EU. In principle, for the controller this will be the place of its central administration. However, WP29 makes it very clear that there can be situations where more than one lead authority can be identified, i.e. a controller has separate decision making centres, in different countries, for different processing activities. The example given by WP29 relates to a bank, whose banking decisions are made in one jurisdiction where also HQ is based, but whose insurance division is based in another jurisdiction. In that case, there are two supervisory authorities.

In its guidelines, WP29 provides further criteria on how to identify the main establishment in cases where it is not the place of central administration in the EU.

Controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative.

The WP29 Guidelines on the Lead Supervisory Authority can be found here.

 

 

 

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/eu-first-gdpr-guidance-published-by-article-29-wp/

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-new-european-eprivacy-rules-in-the-making-internet-services-but-also-iot-heavily-impacted/

GERMANY: Cloud Computing and trans-border transfers of personal data under review of German DPAs

GERMANY: Cloud Computing and trans-border transfers of personal data under review of German DPAs

by Jan Spittka und Jan Pohle

While Cloud Computing and other types of trans-border transfers are nowadays vitally important for data processing, the transfer of personal data to third countries (i.e. non-EU/EEA countries) is subject to specific requirements under European data protection law. The data controller, e.g. the company transferring personal data to its affiliates or service providers, must ensure an adequate level of data protection, according to the EU Data Protection Directive (Directive 95/46/EC). Trans-border flows of personal data are now reviewed by German Data Protection Agencies (DPAs).

Enquiry of the DPAs

On 3 November 2016, ten German DPAs made a statement to the press (available here – in German only), explaining that the transfer of personal data has increased strongly over the last years. In order to raise awareness of the legal frame regarding cross-border data transfers, a questionnaire (available here – in German only) will be send to 500 German companies of all size and with various fields of activity. Both management and companies´ data protection officer shall sign the questionnaire. The companies are expected to specify which services and products used by them require cross-border data transfer. The questionnaire contains in particular inquiries relating to marketing, recruiting, cloud storage, internal communication systems, and intra-group data transfer. The legal ground for each data transfer must be communicated.

Legal Background

The EU Data Protection Directive provides for several options to ensure an adequate level of data protection: Standard Contractual Clauses, Binding Corporate Rules, a special agreement, especially the US-EU-privacy Shield or a decision of the European Commission, stating that a certain country ensures such level of data protection. German DPAs notice an unsatisfying level of sensibility regarding data protection in cross-border scenarios. Their aim is to evaluate if and to what extent companies comply with European Data Protection law.

 Practical Impact

 

  • Companies using Cloud Computing should be alarmed.
  • DPAs expressed that the questionnaires and the corresponding answers may constitute a reason to conduct a “more thorough investigation”.
  • Such investigations could lead to administrative fines up to EU 300,000.
  • Therefore, the questionnaire has to be considered thoroughly and reviewed carefully. If German DPAs are not satisfied with the answers,       following measures will probably be taken.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/germany-cloud-computing-and-trans-border-transfers-of-personal-data-under-review-of-german-dpas/

EUROPE: ECJ – Dynamic IP addresses may constitute personal data

By Jan Pohle and Jan Spittka

In its landmark decision in the case Breyer v. Federal Republic of Germany (decision dated 19 October 2016, case number C-582/14), the European Court of Justice (ECJ) not only ended the long and tricky debate whether dynamic IP addresses constitute personal data even if the data controller processing the IP addresses does not hold the means to link it to the respective data subject. The court also came to the conclusion the provisions of German law dealing with the processing of personal data in the online environment do not comply with the EU Data Protection Directive (Directive 95/46/EC) as these provision do not provide for a statutory permission to process personal data based on a balancing of interest between legitimate interest of the data controller and the interest of the data subjects.

 

Background

The case has been presented to the ECJ by the German Federal Court of Justice (Bundesgerichtshof – “BGH“). The claimant Mr. Breyer had sued the German Federal Department of Justice and Consumer Protection (Bundesministerium für Justiz und Verbraucherschutz – “BMJV“) to cease-and-desist the registration and storing of his dynamic IP address after visiting the BMJV’s websites. The BMJV argued that IP addresses have to be retained after the end of the visit of the website to protect itself against cyberattacks. The BGH asked the ECJ whether dynamic IP addresses constitute personal data with respect to an “online media service provider” (i.e. the operator of a website), if only a third party (here the internet service provider) holds the additional data necessary to identify a visitor of this website. Furthermore, the BGH asked whether the operator of a website has the possibility to collect and subsequently use visitors’ personal data in order to ensure the general operability of its website.

Ruling of the ECJ

The ECJ decided that a dynamic IP address does not only constitute personal data with respect to the internet service provider (which has the means to link the IP address to the individual behind the address in any case), but also with respect to the operator of a website, if this website operator has legal means to identify the visitor with the help of additional information from the visitor’s internet service provider. The ECJ confirmed this with respect to German law. Although the operator of a website does not have any direct claims against an internet service provider to provide the name of an individual behind an IP address, the court found it to be sufficient, if the website operator can obtain the information required to identify the visitor of the website from the internet provider via a competent authority which requests the information to prepare criminal proceedings, e.g. in the event of cyberattacks. As a consequence, the processing of IP addresses by website operators is subject to and has to comply with the applicable member state data protection requirements. Beyond this specific case, the ECJ has provided sufficient tools to determine whether information constitutes personal data, if the information cannot be directly linked to an individual, but only by using additional information which is held by a third party. According to the ECJ, this is not the case, if  the identification of the data subject was

  •  prohibited by law or
  •  practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant.

The classification of dynamic IP addresses as personal data required the ECJ to have a closer look on the German data protection rules dealing with the processing of personal data in the online environment. Currently applicable law allows the processing of personal data without the data subject’s consent only in specific comprehensive cases. A general provision which provides for the possibility of a balancing of interest in a particular case is not included. According to the ECJ, this lack of a statutory permission is not complaint with Article 7 lit. f) of the Data Protection Directive. This finding also has a fundamental impact going beyond the case at hand as all member state data protection laws now have to be reviewed whether they allow for balancing of interests, at least in individual cases.

Conclusion

The decision of the ECJ forces all operators of websites, irrespective of whether they are public administration or private businesses, to review the collection, processing and use of IP addresses in connection with their websites. However, the ECJ has also strengthened IT security as it pointed out that member state law has to provide for the possibility to process personal data without consent for cybersecurity purposes.

Jan Spittka and Jan Pohle

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/ecj-dynamic-ip-addresses-constitute-personal-data-and-german-law-not-compliant-with-data-protection-directive-by-jan-spittka-and-jan-pohle/

The Netherlands: new chairman DPA announces fines

By Richard van Schaik and Róbin de Wit

Last week, the chairman of the Dutch Personal Data Protection Authority (Autoriteit Persoonsgegevens, “AP”), Aleid Wolfsen, announced that several investigations around data breaches are pending and that the first serious fine is just a matter of time.

Mr. Wolfsen is optimistic about the impact of the upcoming General Data Protection Regulation (“GDPR”), effective from May 25, 2018. Data subjects’ rights are boosted up and the responsibilities for companies significantly increased, Wolfsen says. Furthermore, the possibilities for the AP to step up the level of enforcement and to impose “draconian fines” will further expand. Under the GDPR, fines of up to EUR 20 million or 4% of the worldwide annual turnover may be imposed, whilst the maximum amount is substantially lower under current Dutch data privacy laws.

Although the AP has not imposed any fines in 2016, changes are imminent. Mr. Wolfsen indicated that almost 4,000 cases of data breaches have been notified to the AP and that several investigations are still pending. Investigations relate to cases where the protection of personal data is “drastically insufficient”. It is therefore to be expected that the first fines will follow in due course.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-netherlands-new-chairman-dpa-announces-fines/

How the new privacy portability right will change your industry

The new privacy data portability right is empowering individuals to have a full control on their personal data representing both an opportunity and a risk for companies.  Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/how-the-new-privacy-portability-right-will-change-your-industry/

EU – US: Privacy Shield in Force – But For How Long?

By Dr. Thomas Jansen and Mari Martin

On July 12, 2016 the European Commission (EC) voted to adopt the final version of the EU-U.S. Privacy Shield.The Privacy Shield agreement replaces the previous agreement, Safe Harbor, which was struck down in October 2015 following revelations regarding U.S. mass surveillance.

According to EC Commissioner Jourova, the Privacy Shield, “is fundamentally different from the old ‘Safe Harbor’: It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice. For the first time, the U.S. has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data.”

Implementation of the Privacy Shield is critical to the flow of over $250 billion in international trade between the U.S. and EU. After Safe Harbor was struck down, organizations were forced to undertake more complex, time consuming and costly data transfer arrangements.

Thus, industry groups have largely embraced the Member States’ decision to adopt the Privacy Shield. The Digital Europe group, which represents tech firms such as Google and Apple, welcomed the decision. “Our members are ready to implement the new framework and meet the compliance challenge that the strengthened provisions demand from companies,” said John Higgins, Digital Europe’s director general. TechUK, which represents 900 firms in the UK, applauded the Privacy Shield as “restoring a stable legal footing” to transatlantic data flows.

However, many expect an upcoming legal challenge to the Privacy Shield, based on the continued mass surveillance by the United States. As noted by Commissioner Jourova, the Privacy Shield is underpinned by written assurances from the U.S. will not conduct indiscriminate mass surveillance of European citizens’ data. European Data Protection Authorities (DPAs) may find these assurances insufficient. For example, European Parliament Member Jan Philipp Albrecht called it “highly dangerous” to rely on the vague promises made by the U.S. government. In its April 2016 Opinion, the Article 29 Working Party, a group of independent DPAs, strongly recommended strengthening the framework, citing concerns with loopholes through which the U.S. could continue bulk data collection. Kirsten Fiedler, managing director of European Digital Rights (EDRi), has called the Privacy Shield agreement ‘deeply flawed’.

Some in Europe are of the opinion that the Privacy Shield has not gone far enough in addressing the concerns expressed by the ECJ in its decision striking down Safe Harbor. According to Hamburg data protection officer Johannes Caspar, the Privacy Shield is not sufficient to produce an adequate level of data protection, especially as there are no legal guarantees against mass surveillance by U.S. authorities, only assurances. Likewise, Chairman of the Article 29 Working Party and French Data Protection Authority, the CNIL, Isabelle Falque-Pierrotin said she particularly regretted the absence of several principles such as the prohibition of automated decisions and lamented the fact that “US authorities have not provided sufficiently precise information to rule out a massive and indiscriminate surveillance of European citizens’ data.”

Background

The EC presented a draft decision on the EU-U.S. Privacy Shield on February 29, 2016. In accordance with the Data Protection Directive (95/46/EC ), the Article 29 Working Party, a group of independent data protection authorities, issued an opinion on April 13, 2016. The European Parliament adopted a resolution in favor of the Privacy Shield on May 16, 2016. On July 8, 2016 EU member states voted to adopt the final version of the  EU-U.S. Privacy Shield, paving the way for the adoption of the decision by the EC.

Our Recommendations

As of now, the Privacy Shield is a valid legal basis for data transfer between the U.S. and EU. However, as explained above, the Privacy Shield may be valid only temporarily. A legal challenge appears imminent.

Importantly, the Privacy Shield, in addition to the strong possibility that its validity will soon be in question, only addresses data transfer between the U.S. and EU. The Privacy Shield is inapplicable to the data transfer involving jurisdictions other than the U.S. and EU Member States.

Thus, we continue to recommend data transfer agreements based on EU Standard Model Clauses as the best choice for data transfer outside of the EU/EEA and countries approved by the EC as providing an adequate level of data protection. In particular, any organization considering implementing Model Clause agreements for international data transfers outside the U.S. and EU Member States would be wise to include transfers involving the U.S. in the Model Clause agreement rather than relying on the Privacy Shield.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/eu-us-privacy-shield-in-force-but-for-how-long/

Older posts «