

TRANSCRIPT

Page 1

The EU General Data Protection Regulation (GDPR)

If you cannot hear us speaking, please make sure you have called into the teleconference number on your invite information.

UK participants: 0800 279 5994
Outside the UK: +44 (0) 1452 584 233
Event Code: 585 479 55

The audio portion is available via conference call. It is not broadcast through your computer.

*This webinar is offered for informational purposes only, and the content should not be construed as legal advice on any matter.

Tuesday, December 22, 2015

15:00 GMT / 16:00 CET / 10:00 EST

WELCOME TO OUR WEBINAR

Page 2


Welcome

You are on mute

A link to a recording of the webinar will be made available

Today's speakers (December 22, 2015)

Carol Umhoefer, Partner, DLA Piper, Paris

Contact: [email protected] or [email protected]

Giangiacomo Olivi, Partner, DLA Piper, Milan

Patrick van Eecke, Partner, DLA Piper, Brussels

Currently speaking: Patrick van Eecke, Partner, DLA Piper, Brussels

Page 3

The GDPR in 20 Questions

Page 4

1. Why all the buzz around the EU General Data Protection Regulation?

One law, directly applicable in all 28 Member States.

Replaces the 1995 Data Protection Directive and the national laws transposing the Directive.

Will apply from 2018 – national laws apply until then.

Big picture implications: Will the EU continue to lead the way in personal data protection?


Currently speaking: Carol Umhoefer, Partner, DLA Piper, Paris

Page 5

2. Has it been adopted now? Are these really the final rules?

Last week

17 December: EP LIBE endorsed the texts agreed in the trilogues.

18 December: COREPER confirmed the final compromise texts.

Next weeks

Early 2016: Legal-linguistic review of the texts

Early 2016: Adoption by the Council

Early 2016: Adoption by the Parliament

Spring 2016

Publication in Official Journal

20 days after publication: enter into force

2016-2017

Delegated acts/implementing acts

Spring 2018

Application of the rules


Currently speaking: Patrick van Eecke, Partner, DLA Piper, Brussels

Page 6

3. To whom does it apply?

Processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing itself takes place within the EU.

Processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union where the processing activities are related to the offering of goods or services to data subjects in the European Union irrespective of whether a payment of the data subject is required, or related to the monitoring of the behaviour of such data subjects as far as their behaviour takes place within the EU.


Currently speaking: Giangiacomo Olivi, Partner, DLA Piper, Milan

Page 7

4. Do the principles stay the same or are we starting over?

Personal data must be processed lawfully, fairly and in a transparent manner.

Personal data must be processed for specified, explicit and legitimate purposes and not further processed in an incompatible way.

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes.

Personal data must be accurate and where necessary kept up to date.

Personal data must be kept in a form that permits identification of data subjects for no longer than necessary for the purposes.

Personal data must be processed in a way that ensures appropriate security using appropriate technical or organizational measures.

And a new principle: The controller shall be responsible for and be able to demonstrate compliance with the principles.


Currently speaking: Carol Umhoefer, Partner, DLA Piper, Paris

Page 8

5. How large are the fines likely to be?

Graduated approach, with a ceiling of 4% of total worldwide annual turnover (or EUR 20 million, whichever is higher) for the most serious infringements.

Due regard is to be given to:

the nature, gravity and duration of the infringement;

the intentional character of the infringement;

actions taken to mitigate the damage suffered;

degree of responsibility, taking account of the technical and organisational measures implemented (e.g. data protection by design and by default), and any relevant previous infringements;

cooperation with the supervisory authority (and the manner in which supervisory authority learned of infringement);

categories of personal data affected;

compliance with measures ordered;

adherence to a code of conduct (or certification mechanism);

other aggravating or mitigating factors (e.g. financial benefits, etc.)


Currently speaking: Giangiacomo Olivi, Partner, DLA Piper, Milan

Page 9

6. Will international transfer mechanisms be affected?

Same philosophy as before, i.e. transfers outside the EU only under strict conditions:

Adequacy decisions by Commission.

Appropriate safeguards, such as:

Binding corporate rules;

Standard data protection clauses adopted by the Commission or by a supervisory authority, or contractual clauses authorised by a supervisory authority.

Derogations: explicit consent / necessary for performance of the contract / …

What about legal disclosure obligations?

"Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty."


Currently speaking: Patrick van Eecke, Partner, DLA Piper, Brussels

Page 10

7. Will we need to appoint a DPO or not?

Yes and no! A DPO must be designated when the core activities of the controller / processor:

require regular and systematic monitoring of data subjects on a large scale; or

consist of large-scale processing of "special categories of data" (Art. 9) or of data relating to criminal convictions.

A DPO is also mandatory where the processing is carried out by a public authority or body.

A group of undertakings may appoint a single DPO.

A DPO may be a staff member or an external consultant (service contract) and reports directly to the highest management level.

Tasks include:

inform and advise the controller / processor (and employees) of their obligations;

monitor compliance with the GDPR;

advise on data protection impact assessment;

cooperate with the supervisory authority (including acting as point of contact).


Currently speaking: Giangiacomo Olivi, Partner, DLA Piper, Milan

Page 11

8. How will one-stop-shop change our compliance program?

One-stop-shop relevant to interactions with supervisory authorities in relation to cross-border processing.

Definition of cross-border processing could be clarified, even if the intent is clear.

With respect to its cross-border processing, the controller or processor will deal only with its lead supervisory authority.

Exceptions may apply – for example, issues arising in a single Member State; employee data processing; health-care data processing.


Currently speaking: Carol Umhoefer, Partner, DLA Piper, Paris

Page 12

9. What will we need to do in case of a data breach?

Notification to the supervisory authority without undue delay and, where feasible, not later than 72 hours after the controller becomes aware of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.

A reasoned justification must accompany any notification made later than 72 hours.

Data subjects must be notified without undue delay if the breach is likely to result in a high risk to the rights and freedoms of individuals, so that they can take the necessary precautions.

Communication to the data subject is not required if the controller:

has implemented appropriate technical and organisational measures that render the affected data unintelligible to anyone not authorised to access it (e.g. encryption);

has taken subsequent measures to ensure that the high risk is no longer likely to materialise; or

would have to make disproportionate effort (in which case a public communication or similar measure is required instead).


Currently speaking: Giangiacomo Olivi, Partner, DLA Piper, Milan

Page 13

10. Can we still process personal data on the basis of consent?

Yes, but:

consent should be freely given, specific, informed and unambiguous;

by a statement or clear affirmative action;

Controller has burden of proof.

In practice:

ticking a box, choosing technical settings, or conduct clearly indicating acceptance of proposed processing.

Silence, pre-ticked boxes or inactivity should not constitute consent.

Performance of a contract cannot be made conditional on consent to processing that is not necessary for that contract.


Currently speaking: Patrick van Eecke, Partner, DLA Piper, Brussels

Page 14

11. Can we still process personal data on the basis of legitimate interests?

Yes – with some changes:

Obligation to inform data subjects specifically of the legitimate interests pursued.

Data subjects may require restriction of processing of their data pending verification of whether the controller's legitimate grounds override their own interests and fundamental rights.

Reasonable expectations of data subjects should be given consideration, for example where the data subject is a client of, or in the service of, the controller.

Examples: preventing fraud; ensuring network and information security.

Processing for direct marketing purposes may be regarded as carried out for a legitimate interest.


Currently speaking: Carol Umhoefer, Partner, DLA Piper, Paris

Page 15

12. Will data collection from kids become illegal?

No - the general principles of lawfulness of processing (Art. 6) apply.

Where consent is relied on for information society services offered directly to a child below the age of 16, the consent must be given or authorised by the holder of parental responsibility over the child.

Member States may lower the age threshold (but not below 13 years).

The controller must make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility, taking into consideration available technology.

These rules do not affect general contract law (e.g. the rules on the validity of a contract with a child).


Currently speaking: Giangiacomo Olivi, Partner, DLA Piper, Milan

Page 16

13. Will individuals get new rights?

Yes – several new and expanded rights.

Data portability.

Restriction of processing.

Expanded right of erasure - the Right To Be Forgotten.

Rights regarding profiling: using data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interest, reliability, behaviour, location or movements.


Currently speaking: Carol Umhoefer, Partner, DLA Piper, Paris

Page 17

14. Will we get new types of sensitive data?

General rule - prohibition on processing personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, and on processing genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health, or data concerning a person's sex life or sexual orientation.

But 10 exceptions apply:

explicit consent

vital interest

assessment of the working capacity of the employee

public health, …

Pay attention!

Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or health data.


Currently speaking: Patrick van Eecke, Partner, DLA Piper, Brussels

Page 18

15. Does the Regulation still apply if we de-identify our data?

Information that does not relate to an identified or identifiable natural person, or data rendered anonymous in such a way that the data subject is not or no longer identifiable, will not be subject to the Regulation.

Data that has undergone pseudonymisation, and which could still be attributed to a natural person by the use of additional information (such as the key or lookup table held separately), remains personal data subject to the Regulation.

To determine whether a person is identifiable, account should be taken of all the means reasonably likely to be used, looking at all objective factors, such as the costs and amount of time required, available technology at the time of the processing, and technological developments.


Currently speaking: Carol Umhoefer, Partner, DLA Piper, Paris
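The slide above draws the line between anonymised data (outside the Regulation) and pseudonymised data (still personal data), and says the test is the "means reasonably likely to be used" to re-identify someone. The following is an added example, not part of the DLA Piper webinar, showing why the common "we hash the e-mail address" approach does not anonymise anything: an unkeyed hash over a guessable identifier space is reversed by a dictionary attack, and a keyed hash (HMAC) is only as protective as the secrecy of the key, which is exactly the "additional information" the slide refers to. The records, candidate list and key are constructed for the demonstration.

```python
import hashlib
import hmac
from collections import Counter
from typing import Callable, Dict, List, Optional

# Constructed sample records about fictitious people; "email" is the direct identifier.
RECORDS: List[dict] = [
    {"email": "alice@example.com", "item": "laptop"},
    {"email": "bob@example.com", "item": "phone"},
    {"email": "alice@example.com", "item": "headphones"},
]

# Constructed attacker dictionary: identifiers an adversary could plausibly enumerate
# (customer lists, public directories, earlier leaks). Real spaces are much larger
# but still cheap to walk at billions of hashes per second.
CANDIDATES: List[str] = [
    "carol@example.com",
    "bob@example.com",
    "alice@example.com",
    "dave@example.com",
]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier. Often presented as anonymisation; it is not."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key kept apart from the dataset.

    The key is the 'additional information' of the pseudonymisation definition:
    whoever holds it can attribute every token back to the person.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: List[dict], key: bytes) -> List[dict]:
    """Replace the direct identifier with a keyed token; other attributes are kept."""
    return [{"pid": keyed_pseudonym(r["email"], key), "item": r["item"]} for r in records]


def reidentify_by_dictionary(
    token: str, candidates: List[str], tokenise: Callable[[str], str]
) -> Optional[str]:
    """Model the 'means reasonably likely to be used': recompute the token for each
    candidate identifier and compare. One hash per guess, so an unkeyed hash over
    a guessable identifier space offers no real protection."""
    for candidate in candidates:
        if hmac.compare_digest(tokenise(candidate), token):
            return candidate
    return None


def linkable_groups(pseudonymised: List[dict]) -> Dict[str, int]:
    """Tokens that repeat let all of one person's records be linked together even
    without the key (singling out); that is one reason pseudonymised data is still
    personal data."""
    counts = Counter(r["pid"] for r in pseudonymised)
    return {pid: n for pid, n in counts.items() if n > 1}


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"  # assumption: held by the controller only

    # 1. Unkeyed hash: the attacker recovers the identifier with a dictionary.
    print(reidentify_by_dictionary(naive_hash("alice@example.com"), CANDIDATES, naive_hash))

    # 2. Keyed token: without the key the same dictionary yields nothing ...
    tok = keyed_pseudonym("alice@example.com", key)
    print(reidentify_by_dictionary(tok, CANDIDATES, naive_hash))

    # 3. ... but the key holder re-identifies trivially, so the data stays personal.
    print(reidentify_by_dictionary(tok, CANDIDATES, lambda c: keyed_pseudonym(c, key)))

    # 4. Even for someone without the key, repeated tokens single out individuals.
    print(linkable_groups(pseudonymise(RECORDS, key)))
```

Two practical consequences follow from the run: hashing identifiers without a secret is merely an encoding, so a breach of such a dataset is a breach of personal data; and the HMAC key must be treated as sensitive material (stored separately, access-controlled, rotated), because the dataset is only pseudonymised relative to people who cannot obtain it.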

Page 19

16. When will we need to conduct a data protection impact assessment?

When a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of individuals. In particular:

systematic and extensive evaluation of personal aspects based on automated processing (including profiling) and on which decisions are made, significantly affecting the individual.

large scale processing of "special categories of data" or criminal data.

systematic monitoring of a publicly accessible area on a large scale.

A single assessment may address a set of similar processing operations with similar risks.

Supervisory authority to publish a list of operations subject (and not subject) to data protection impact assessment.

Assessment review when risk changes.


Currently speaking: Giangiacomo Olivi, Partner, DLA Piper, Milan

Page 20

17. We've always acted as a processor – what will our liability be?

(C = controller, P = processor)

Direct claims: a data subject can lodge a complaint (administrative as well as judicial) directly against a P.

Qualified liability: a P is liable for damage caused by the processing only where it has not complied with the obligations of the Regulation specifically directed to processors, or has acted outside or contrary to the lawful instructions of the C.

Burden of proof: a C or P is exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

Joint and several liability: where more than one C or P is involved in the same processing and they are responsible for damage caused by it, each is liable for the entire damage, in order to ensure effective compensation of the data subject.

Liability for sub-processors: where a sub-processor fails to fulfil its data protection obligations, the initial P remains fully liable to the C for the performance of that sub-processor's obligations.


Currently speaking: Patrick van Eecke, Partner, DLA Piper, Brussels

Page 21

18. Is it true the G29 will be dissolved?

An independent body of the Union with legal personality – the European Data Protection Board – will be established.

Will replace the Article 29 Working Party.

Composed of the head of a supervisory authority in each Member State and the European Data Protection Supervisor or their respective representatives.

Contribute to the consistent application of the GDPR.

Empowered to issue binding decisions.

Decisions subject to action for annulment before the Court of Justice of the European Union.


Currently speaking: Carol Umhoefer, Partner, DLA Piper, Paris

Page 22

19. Will the regulators be issuing guidelines or recommendations?

The Commission will be granted implementing powers.

Implementing acts:

approved codes of conduct;

technical standards for certification mechanisms and data protection seals and marks;

third country adequacy decisions;

format and procedures for the exchange of information between stakeholders for BCRs.

Delegated acts:

information to be presented by the icons;

procedures for providing standardised icons;

requirements for the data protection certification mechanisms.


Currently speaking: Patrick van Eecke, Partner, DLA Piper, Brussels

Page 23

20. How far does harmonization really go?

Member State law should reconcile rules governing freedom of expression and information with the protection of personal data.

Member State law or collective agreements may provide for specific rules on employee personal data processing, for example, conditions under which data can be processed on the basis of employee consent.

Member States may adopt specific rules if necessary to reconcile the right to the protection of personal data with an obligation of professional secrecy.

Member States may maintain or introduce more specific requirements for processing pursuant to legal obligations under Member State's law.


Currently speaking: Giangiacomo Olivi, Partner, DLA Piper, Milan

Page 24

Stay Informed

Subscribe to our Privacy Matters blog for regular updates: http://blogs.dlapiper.com/privacymatters/

Access our Data Protection Laws of the World Handbook at www.dlapiperdataprotection.com

New edition to be released Q1 2016

Page 25

QUESTIONS


[email protected] www.dlapiperdataprotection.com

Page 26

Enjoy your holidays!