10 topics you should know about the privacy regulation - bart van den brande

Sirius Legal eTrade Summit 27 September 2016

Upload: safeshopsbe

Post on 09-Jan-2017


Category: Law



TRANSCRIPT


2016’s Marketing buzz…


New “Privacy Law” coming your way…

General Data Protection Regulation 2016/679 (GDPR/AVGB)
- Regulation instead of Directive: 1 law for 28 states
- Agreement reached last December 2015
- Enters into force on 1 May 2018 (without grace period!)
- New rules are MUCH stricter than current law and impact EVERYONE present here today


General Data Protection Regulation

- Heavily influenced by consumer protection activists in the EP
- Result: consumer friendly, but serious restraints for the direct marketing sector, the e-commerce sector and especially personalisation, profiling, real-time marketing and (big) data processing
- Applicable to ALL data processing, except personal (private) contact lists (e.g. a private Outlook account)


Don’t be this guy, be prepared…


- All e-commerce and online marketing run on personal data
- GDPR applies to ALL databases (marketing, sales, HR, purchasing, accounting, …)
- In the words of the European Commission: “data has become a currency” (cfr. Draft Directive 2015/0287 on digital content delivery contracts)
- Fines up to 4% of annual turnover or 20 mio euro

Security & internal processes

1. Working with subcontractors that process data
- Obligation to work only with subcontractors that guarantee sufficient data security
- Obligation to have written contracts with all subcontractors
- List of mandatory clauses in such contracts
= Need to audit/map all existing subcontracting/service contracts


2. Record of processing activities
- Obligation to maintain a “record of processing activities”
- Holding ID of processor, processed data, categories, transfers, time limits, security measures
- In writing at the seat of your company


3. Data security measures
- “Processor shall implement appropriate technical and organizational measures, to ensure an appropriate level of security”
- Pseudonymisation where possible, confidentiality, security, back ups in place, security testing protocols, …
= Need to audit/map data within the company


4. Data Protection Impact Assessment
- If possible high impact on data subject privacy rights: obligation to run a prior (documented) impact assessment
- Advice of the DPO required if a DPO is present in the organization
- Should be used as basis to ensure adequate security levels
- Privacy Commission to specify when a DPIA is required
- If the DPIA shows high risk: obtain Prior Assessment from the Privacy Commission


5. Data breach notification
- Obligation to notify any data security breach to the Privacy Commission, asap or at least within 72 hours
- Nature of breach, possible consequences, measures taken, etc. (= obligation to document the data breach)
= Need to have a data breach procedure in place
- If possible consequences for data subjects: obligation to notify them in person!


6. Data Protection Officer
- Required if the core activity of the processor requires large scale data monitoring or consists of large scale data monitoring
- Series of requirements and conditions; details to be specified
- Role: inform & advise, monitor compliance, SPOC for authorities


Information obligations & rights of data subjects

1. Lawfulness of processing (“on which grounds can I process data?”) (art. 6 GDPR)
- Prior opt-in remains the basic rule (+ proof required)
- “Processing is required for the execution of a contract”
- “Legitimate grounds”: DM “may be considered” legitimate, but “Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means”
- If existing client relationship: OK, otherwise not so evidently OK


2. Processing of data belonging to a minor (-13 Y/O, -16 Y/O) (art. 8 GDPR)
- Always requires explicit authorisation by parents!
- “Reasonable efforts” to check age and obtain authorisation
- eID?, Facebook login?, credit card data?, live chat, …?


3. Information obligations
- Obligation to notify the data subject of the fact that his data is being / has been collected (or transferred) without his explicit consent (art. 14 GDPR)
- Within 30 days or upon first contact
= Data obtained from data brokers, partner organisations, online collection…


3. Information obligations (art. 14 GDPR), continued
- The obligation falls if the data subject already knows, or if information provision requires disproportionate effort (= open door to creativity…)


4. Right not to be submitted to profiling (art. 21 GDPR)
- If the person has a legitimate interest to do so, he has a right to object against processing/profiling based on public interest / official authority or legitimate interest
- Objection against processing/profiling for direct marketing purposes is always possible


5. Right to object to automatic decision taking (art. 22 GDPR)
- Right not to be subject to a decision (or profiling) that produces legal effects / significantly affects, is solely based on automated processing of data, and is intended to evaluate certain personal aspects
- Exceptions (e.g. contracts)
- Examples: performance of work, creditworthiness, reliability and conduct
- Also applies to DM “decisions” (e.g. send offer or not)


6. Right to be forgotten (art. 17)
- Upon request by the data subject, the processor has to take all reasonable measures to permanently delete the data
- + to ensure that third parties that have copies of or links to the data are warned of the request and are asked to do the same


7. “Pseudonymous data”
8. “Privacy by design”
9. “Privacy by default” (cfr. recent Telenet “personalized advertising…”)
10. …


Helping hand: Code of Conduct
- = “ethical code” of associations
- Contains rules on how to handle data for their members
- Can be approved by authorities
- Association has to provide control/supervision
- Advantage: once approved, can create a presumption of compliance with a series of obligations for association members
- SafeShops is currently investigating the possibility to draft a code and apply for approval


Be prepared…

- Follow up on the discussion (e.g. through our website www.siriuslegal.be)
- Start an audit on data use within your organisation
- Start reviewing vendor contracts (in view of the data security obligation)
- Start to prepare for a full update of policies, contracts, business processes
- Put in place a data breach notification procedure
- Appoint a (temporary) data security officer
- Put in place an impact assessment and/or risk analysis policy
- Create compliance statements for annual business reports
- Train staff
- Sit back and wait for the final text of the regulation for final details…


Those who are not prepared face trouble…
- Provisions of highest importance (cfr. profiling = high risk processing)
- Fines up to 20 million euro
- Fines up to 4% of worldwide annual turnover (for undertakings)
- Reform of the Privacy Commission will lead to actual enforcement…
- + Remedies for the data subject


Sirius Legal: Media & advertisement law, IP law, Internet & e-commerce, Privacy & cookies, Gambling law, Travel & consumer protection, Commercial contracts, Corporate, tax, labour, real estate
Contact: [email protected], www.siriuslegal.be, @BartVdBrande, Linkedin.com/in/bartvdb