General Data Protection Regulation: Global Scope, More Duties, Big - - PowerPoint PPT Presentation
General Data Protection Regulation: Global Scope, More Duties, Big Fines October 5, 2017 Presented By: Etienne Drouard, Partner, K&L Gates (Paris) Ignasi Guardans, Partner, K&L Gates (Brussels) Ewelina Madej, Senior Associate, K&L
Presented By: Etienne Drouard, Partner, K&L Gates (Paris) Ignasi Guardans, Partner, K&L Gates (Brussels) Ewelina Madej, Senior Associate, K&L Gates (Warsaw)
* http://eur-lex.europa.eu/eli/reg/2016/679/oj
1
for implementing law
certain data protection matters
2
3
4
data subjects in the EU; or
monitoring behavior of data subjects in the EU.
5
6
purpose
purpose
the purpose
7
consent is explicit, informed and freely given enhanced rights to (i) access personal data and (ii)
“right to be forgotten” (right to erasure) right to data portability new principles regarding profiling
8
Freely given, specific, informed and unambiguous Right to withdraw consent at any time Unbundled
9
clear, simple and easily understandable Controller bears burden of proof that consent was granted Clear affirmative action
10
consent before personal information is collected from children under age 13.
11
BUT:
not younger than age 13.
child’s parent or custodian provided or authorized consent.
12
Consent Execution of contract with data subject Controller’s obligations Protection of vital interests of data subject or other person
13
Processing carried out in the public interest or in the exercise of official authority vested in the controller Legally justified reasons carried out by the controller or by the third party
14
Natural or legal person Establishes purposes and means of data processing Joint controllers
Natural or legal person Processes data on behalf of the controller Contract to ensure processing is lawful
15
Provide technical and organizational safeguards for data protection, conduct PIA, appoint Data Protection Officer Guarantee rights of data subjects – documentation (including notification), deletion, portability Duties regarding DPA or other regulators – reporting security breaches, consultations prior to processing
16
Compliance with GDPR by adherence to codes of conduct and certifications approved by regulatory body Applying codes or certifications does not eliminate responsibility Documentation of data processing - registers
17
Technical and
Documentation of data processing Reporting breaches to controller Appointment of Data Protection Officer More detailed contract for provision of data Share personal data with third parties only with controller’s prior approval
18
Broad definition of personal data breach Reporting unless no risk to rights and freedom of individuals Processor must inform controller Controller – if high risk to rights and freedom of individuals, then inform data subjects 72 hours to inform local regulatory body where the controller is established
19
Independence Adequate resources Expertise
Informing and training Involved in all material data protection matters Cooperating with regulatory body
20
Public authorities (apart from courts in the scope of judicial power) Regular and systematic monitoring of subjects on large scale Processing data on large scale is core business activity One Data Protection Officer for group of companies
21
Consider privacy when designing product Consider security of personal data:
Compliance with data processing principles, e.g., data minimization Pseudonymization
22
23
Identify and minimize data protection risk PIA is mandatory when “high risk” processing, e.g., when data is processed by new technologies Mandatory consultations with local regulatory body whenever PIA indicates high risk of data protection if no minimizing means will be applied Recommended – conducting PIA before making choice of processor
24
Description of processing and its purpose Assessment of necessity and proportionality of processing Assessment of risk of infringing rights and freedoms of data subjects Assessment of safeguards for personal data and ensuring compliance with GDPR
25
controller is not responsible for unlawful processing if:
can prove absence
processor is responsible for unlawful processing if:
it did not fulfill duties directly imposed on it by GDPR it acted outside of scope of or against controller’s instructions
26
Fines may amount to maximum of € 10m or up to 2% of world annual turnover, whichever higher, for each breach duties of collector and processor e.g., children, consent, default data protection duties of certifying entity duties of monitoring entity
27
Financial penalty may amount to maximum of € 20m or up to 4% of world annual turnover, whichever higher for one breach basic principles of processing, including consent rights of data subjects cross-border data transfers 28
European Commission and the United States agreed on new rules for EU personal data transfers - 2.02.2016 (EU-US Privacy Shield) Compatible with rules set out CJEU Schrems ruling (October 10, 2015) Enhanced duties for protection of EU citizens’ personal data Supervised by U.S. Department of Commerce and US Federal Trade Commission in cooperation with European data protection authorities. Access to personal data will be limited and supervised Questions and complaints connected with data transfers can be presented to new regulatory body Implemented July 2016
29
Investigate current technical and organizational safeguards Determine whether to appoint Data Protection Officer Check contracts regarding data processing Conduct PIAs Update policies / create record of processing Introduce system for managing new/enhanced data subject rights
30
31