EU General Data Protection Regulation and Processors Robert Bond, BA, CCEP

Upload: robert-bond

Post on 09-Feb-2017


TRANSCRIPT

Page 1: SCCE Processors and GDPR

EU General Data Protection Regulation and

ProcessorsRobert Bond, BA, CCEP

Page 2: SCCE Processors and GDPR

Robert Bond, CCEP

Partner

"astounding" (Legal 500, 2015)

"absolutely exemplary" and the fact that his knowledge of data protection law is "astounding, and his application equally impressive." (Chambers UK, 2016)

Robert Bond has over 37 years' experience in advising national and international clients on all of their technology, data protection and cyber law requirements. He is a legal expert and author in the fields of e-commerce, computer games, media and publishing, data protection, information security and cyber risks.

He is Secretary of the Board of SCCE, Chairman of the Big Data Governance committee of Tech UK and a member of the UN Data Privacy Advisory Group to the United Nations.

He is an Ambassador for Privacy by Design


Page 3: SCCE Processors and GDPR

1 May 2023

Today’s topics

GDPR and Processors

Current EU law

Overview of GDPR

Controllers and processors

Contractual needs

Use of sub-processors

Role of DPO

Trans border data flows

Due diligence

Page 4: SCCE Processors and GDPR


Quick recap

Key definitions

Data Controller – A person who (either alone or jointly in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed

Data Processor – Any person (other than an employee of the data controller) who processes the data on behalf of the data controller

Personal data – Data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller

Data Subject – An individual who is the subject of personal data

Page 5: SCCE Processors and GDPR


Quick recap

Key definitions

Sensitive personal data – Racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health condition, sexual life, criminal offences

Processing – Recording or holding the information or data or carrying out any operation or set of operations on the information or data

DPA / Supervisory Authority – Tasked with the protection of personal data and privacy, and takes enforcement action against those who do not comply with the data protection law

Privacy Impact Assessment – A tool that you can use to identify and reduce the privacy risks of your projects. A PIA can reduce the risks of harm to individuals through the misuse of their personal information. It can also help you to design more efficient and effective processes for handling personal data (DPA)

Page 6: SCCE Processors and GDPR


Quick recap

Key principles

8 Key principles of DP law – Personal data must…

Be processed fairly and lawfully

Only be processed for one or more specified and lawful purposes and not further processed in a manner incompatible with those purposes

Be adequate, relevant and not excessive

Be accurate and, where necessary, kept up-to-date

Not be processed for longer than is necessary

Be processed in accordance with data subjects’ rights

Be protected by appropriate technical and organisational security measures

Not be transferred outside of the EEA unless that country ensures an adequate level of protection for personal data

Page 7: SCCE Processors and GDPR

General Data Protection Regulation

Scope of regime:

Wider definition of Personal Data

All organisations

Pan-European (no local legislation)

Extra-territorial application


Page 8: SCCE Processors and GDPR

General Data Protection Regulation

• Documentation
• Breach notification – Regulator & Data subject
• Privacy Impact Assessments
• Compulsory DPOs
• Certifications and seals
• International transfers
• One-stop shop regulation
• Cooperation and consistency
• EU Data Protection Board
• Fines
• Sector exemptions – e.g. Media & Health
• Definitions of Personal data
• Consent
• Children’s (Parental) consent
• Information
• Data Subject rights & access
• Right to be forgotten
• Data portability
• Controller and Processor responsibilities
• Data protection by design and default
• Designation for non-EU controllers

Page 9: SCCE Processors and GDPR


Applies to controllers and processors established in EU

Applies to any controller and processor not located in the EU where the processing activities are related to:

The offering of goods or services to data subjects in the EU, irrespective of whether a payment is required; or

The monitoring of their behaviour as far as their behaviour takes place within the EU

Preparing for GDPR

Applicability – New law

Page 10: SCCE Processors and GDPR


Controllers or processors not established in the EU but where Article 3(2) applies must designate in writing a representative

Representative must be established in a member state where the data subjects whose data are being processed by the controller or processor are located (or where most of them are located)

All DP issues from data subjects / data protection authority should be addressed to the representative

The designation of the representative does not affect the responsibility and liability of the controller or processor under the Regulation

Representatives of controllers / processors not

Preparing for GDPR

Page 11: SCCE Processors and GDPR

GDPR and processors - overview

Controller must ensure processor will comply with GDPR

Must be an appropriate contract between controller and processor

Processor must have adequate information security

Processor must not use sub-processors without consent of the controller

Processor must co-operate with the relevant DPA

Processor must report data breaches to controller without delay

Processor may need to appoint a DPO

Processor must keep records of processing activities

Processor must comply with EU trans border transfer rules

Processor must help controller comply with data subject rights

Processors are directly liable for non-compliance

Page 12: SCCE Processors and GDPR

Contractual needs

Documented instructions

Confidentiality

Information security

Control of sub-processors

Measures to help controller comply with data subject rights

Co-operation with controller and DPA

Destruction or return of data at end of contract

Provide controller with evidence of GDPR compliance

Page 13: SCCE Processors and GDPR

No use of sub-processors without consent of controller

Any third party processing personal data for a processor is a sub-processor

Sub-processors must be contractually controlled

Controllers are likely to do considerable due diligence

Use of sub-processors

Page 14: SCCE Processors and GDPR


Data Protection Officers / Notifications – New Law

DPO

Notifications abolished

Applies to both controllers and processors

Mandatory requirement for:

Public authorities

Where the core activities… consist of processing operations which, by virtue of their nature, scope and / or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

Where the core activities… consist of processing on a large scale of special categories of data and data relating to criminal offences

Page 15: SCCE Processors and GDPR


Possible to have one DPO for a group of undertakings provided that the DPO is ‘easily accessible from each establishment’

DPO can be a member of staff or on a service contract

Contact details of DPO must be provided to the supervisory authority

DPO must have ‘expert knowledge of data protection law and practices’

Must be ‘independent’

Must report to the ‘highest management level’

Data Protection Officers / Notifications – New Law

DPO

Page 16: SCCE Processors and GDPR


Tasks of DPO

Inform and advise the controller or processor and the employees who are processing personal data of their obligations under the Regulation

Monitor compliance with the Regulation, including the assignment of responsibilities, awareness-raising of staff involved in processing operations and the related audits

Provide advice where requested as regards data protection impact assessments

Co-operate with the relevant data protection authority (DPA)

Act as a contact point for the DPA, in particular in relation to prior consultations referred to in Article 34

Page 17: SCCE Processors and GDPR


Trans border data flows

Data Transfers – New Law

Safe Harbor

Privacy Shield

European Commission approved Model Contract Clauses

Binding Corporate Rules

Consent (although precarious to rely on)

Codes of Conduct (Article 38)

Certifications / Seals (Article 39)

Page 18: SCCE Processors and GDPR


Data Subject Rights

Data subjects rights – New Law

Information (Art 14)

Access (Art 15)

Rectification (Art 16)

Erasure (right to be forgotten) (Art 17)

Restriction of processing (Art 17a)

Data portability (Art 18)

Object (Art 19)

Automated decision making / profiling (Art 20)

Page 19: SCCE Processors and GDPR


Sanctions for non-compliance – two levels of fines…

Up to the greater of 2% annual worldwide turnover of preceding financial year or EUR 10 million – for matters re internal record keeping, data processor contracts, data protection officers, data protection by design and default

Up to the greater of 4% annual worldwide turnover of preceding financial year or EUR 20 million – for matters re breaching data protection principles, conditions for consent, data subjects’ rights and international data transfers

Enforcements and fines

Sanctions for non-compliance – New Law

Page 20: SCCE Processors and GDPR

GDPR compliance

Due diligence

Data Protection audit

Do they process personal data and sensitive data?

What are their data flows?

What are their information security policies & procedures?

Have they had any breaches – notified or not?

Have they been audited by a DPA?

Who is their DPO?

Document data processing activities

Data processing map – intra group and third parties

Do they claim any ownership of personal data?

Retention and destruction practices

Use of sub-processors

Review policies & procedures

Data breach response policy and procedures

Data sharing policy and procedures

Vetting of staff

Information security and cyber risk

Training

Page 21: SCCE Processors and GDPR

Processors should…

Carry out a compliance assessment

Rewrite their terms of business

Audit their sub-processors

Review their insurance

Address data transfer solutions

Consider if they are a processor and/or a controller

Assess their policies & procedures

Decide if a DPO is necessary

Anticipate their customers’ needs

Put in place staff training

Page 22: SCCE Processors and GDPR

Questions?