GDPR

1.  What is the GDPR?

The aim of the General Data Protection Regulation is to protect all EU citizens from privacy and data breaches.

2.  Where is the GDPR applicable?

The GDPR extends the jurisdiction of the 1994 Data Protection Directive, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. The GDPR will apply to the processing of personal data by controllers and processors in the EU, irrespective of whether the processing takes place in the EU or not.

The GDPR also applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.

3.  What are the Penalties imposed by the GDPR in case of breach of data protection?

Organizations in breach of the GDPR can be fined either up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, for example not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having its records in order (Article 28), for not notifying the supervising authority and data subject about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, which means that ‘clouds’ will not be exempt from GDPR enforcement.

4.  Has there been any change with regards consent in the GDPR?

The conditions for consent have been strengthened and simplified. Companies will no longer be able to use long illegible terms and conditions full of legal jargon, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.

Consent must be clear in plain language. It must be as easy to withdraw consent as it is to give it.

Data Subject Rights

5.  What is Breach Notification?

Under the GDPR, breach notification will become mandatory in all Member States where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.

6.  What does the Right to Access signify?

Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.

7.  What does the Right to be Forgotten entail?

Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the subjects’ rights against “the public interest in the availability of the data” when considering such requests.

8.  What is Data Portability?

GDPR introduces data portability – the right for a data subject to receive the personal data concerning them, which they have previously provided, in a ‘commonly used and machine readable format’ and the right to transmit that data to another controller.

9.  What is Privacy by Design?

Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than as an afterthought. More specifically – ‘The controller shall… implement appropriate technical and organisational measures… in an effective way… in order to meet the requirements of this Regulation and protect the rights of data subjects’. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimisation), as well as limiting access to personal data to those who need it to carry out the processing.

10.  What are Data Protection Officers?

Currently, controllers are required to notify their data processing activities to local DPAs, which, for multinationals, can be a bureaucratic nightmare, with most Member States having different notification requirements. Under the GDPR it will not be necessary to submit notifications / registrations of data processing activities to each local DPA, nor will it be a requirement to notify / obtain approval for transfers based on the Model Contract Clauses (MCCs). Instead, there will be internal record keeping requirements, as further explained below, and DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of special categories of data or data relating to criminal convictions and offences.

The DPO:

  • Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
  • May be a staff member or an external service provider
  • Contact details must be provided to the relevant DPA
  • Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
  • Must report directly to the highest level of management
  • Must not carry out any other tasks that could result in a conflict of interest.

11. Which organisations must appoint a DPO?

The designation of a DPO is an obligation:

  • if the processing is carried out by a public authority or body (irrespective of what data is being processed)
  • if the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale
  • if the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences

Note that Union or Member State law may require the designation of DPOs in other situations as well. Finally, even if the designation of a DPO is not mandatory, organisations may sometimes find it useful to designate a DPO on a voluntary basis. The Article 29 Data Protection Working Party (‘WP29’) encourages these voluntary efforts. When an organisation designates a DPO on a voluntary basis, the same requirements will apply to his or her designation, position and tasks as if the designation had been mandatory.

Source: Article 37(1) of the GDPR

12.  What does ‘core activities’ mean?

‘Core activities’ can be considered as the key operations to achieve the controller’s or processor’s objectives. These also include all activities where the processing of data forms an inextricable part of the controller’s or processor’s activity. For example, processing health data, such as patients’ health records, should be considered as one of any hospital’s core activities, and hospitals must therefore designate DPOs.

On the other hand, all organisations carry out certain supporting activities, for example, paying their employees or having standard IT support activities. These are examples of necessary support functions for the organisation’s core activity or main business. Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activity.

Source: Article 37(1)(b) and (c) of the GDPR

13.  What does ‘large scale’ mean?

The GDPR does not define what constitutes large-scale processing. The WP29 recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale:

  • the number of data subjects concerned – either as a specific number or as a proportion of the relevant population
  • the volume of data and/or the range of different data items being processed
  • the duration, or permanence, of the data processing activity
  • the geographical extent of the processing activity

Examples of large scale processing include:

  • processing of patient data in the regular course of business by a hospital
  • processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
  • processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in these activities
  • processing of customer data in the regular course of business by an insurance company or a bank
  • processing of personal data for behavioural advertising by a search engine
  • processing of data (content, traffic, location) by telephone or internet service providers

Examples that do not constitute large-scale processing include:

  • processing of patient data by an individual physician
  • processing of personal data relating to criminal convictions and offences by an individual lawyer

Source: Article 37(1)(b) and (c) of the GDPR

14.  What does ‘regular and systematic monitoring’ mean?

The notion of regular and systematic monitoring of data subjects is not defined in the GDPR, but clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising. However, the notion of monitoring is not restricted to the online environment.

Examples of activities that may constitute a regular and systematic monitoring of data subjects: operating a telecommunications network; providing telecommunications services; email retargeting; data-driven marketing activities; profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering); location tracking, for example, by mobile apps; loyalty programs; behavioural advertising; monitoring of wellness, fitness and health data via wearable devices; closed circuit television; connected devices e.g. smart meters, smart cars, home automation, etc.

WP29 interprets ‘regular’ as meaning one or more of the following:

  • ongoing or occurring at particular intervals for a particular period
  • recurring or repeated at fixed times
  • constantly or periodically taking place

WP29 interprets ‘systematic’ as meaning one or more of the following:

  • occurring according to a system
  • pre-arranged, organised or methodical
  • taking place as part of a general plan for data collection
  • carried out as part of a strategy

Source: Article 37(1)(b) of the GDPR

15.  Can organisations appoint a DPO jointly? If so, under what conditions?

Yes. A group of undertakings may designate a single DPO provided that he or she is ‘easily accessible from each establishment’. The notion of accessibility refers to the tasks of the DPO as a contact point with respect to data subjects, the supervisory authority and also internally within the organisation. In order to ensure that the DPO is accessible, whether internal or external, it is important to make sure that their contact details are available. The DPO, with the help of a team if necessary, must be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned. The availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential to ensure that data subjects will be able to contact the DPO.

A single DPO may be designated for several public authorities or bodies, taking account of their organisational structure and size. The same considerations with regard to resources and communication apply. Given that the DPO is in charge of a variety of tasks, the controller or the processor must ensure that a single DPO, with the help of a team if necessary, can perform these efficiently despite being designated for several public authorities and bodies.

Source: Article 37(2) and (3) of the GDPR

16.  Where should the DPO be located?

To ensure that the DPO is accessible, the WP29 recommends that the DPO be located within the European Union, whether or not the controller or the processor is established in the European Union. However, it cannot be excluded that, in some situations where the controller or the processor has no establishment within the European Union, a DPO may be able to carry out his or her activities more effectively if located outside the EU.

17.  Is it possible to appoint an external DPO?

Yes. The DPO may be a staff member of the controller or the processor (internal DPO) or fulfil the tasks on the basis of a service contract. This means that the DPO can be external, and in this case, his/her function can be exercised based on a service contract concluded with an individual or an organisation.

When the function of the DPO is exercised by an external service provider, a team of individuals working for that entity may effectively carry out the DPO tasks as a team, under the responsibility of a designated lead contact and ‘person in charge’ of the client. In this case, it is essential that each member of the external organisation exercising the functions of a DPO fulfils all applicable requirements of the GDPR.

For the sake of legal clarity and good organisation, and to prevent conflicts of interests for the team members, the Guidelines recommend having, in the service contract, a clear allocation of tasks within the external DPO team and assigning a single individual as the lead contact and person ‘in charge’ of the client.

Source: Article 37(6) of the GDPR

18. What are the professional qualities that the DPO should have?

The DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil his or her tasks.

The necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed. For example, where a data processing activity is particularly complex, or where a large amount of sensitive data is involved, the DPO may need a higher level of expertise and support.

Relevant skills and expertise include:

  • expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR
  • understanding of the processing operations carried out
  • understanding of information technologies and data security
  • knowledge of the business sector and the organisation
  • ability to promote a data protection culture within the organisation

Source: Article 37(5) of the GDPR

Position of the DPO

19.  What resources should be provided to the DPO by the controller or the processor?

The DPO must have the resources necessary to be able to carry out his or her tasks.

Depending on the nature of the processing operations and the activities and size of the organisation, the following resources should be provided to the DPO:

  • active support of the DPO’s function by senior management
  • sufficient time for DPOs to fulfil their tasks
  • adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate
  • official communication of the designation of the DPO to all staff
  • access to other services within the organisation so that DPOs can receive essential support, input or information from those other services
  • continuous training

Source: Article 38(2) of the GDPR

20.  What are the safeguards to enable the DPO to perform her/his tasks in an independent manner? What does ‘conflict of interests’ mean?

Several safeguards exist in order to enable the DPO to act in an independent manner:

  • no instructions by the controllers or the processors regarding the exercise of the DPO’s tasks
  • no dismissal or penalty by the controller for the performance of the DPO’s tasks
  • no conflict of interest with possible other tasks and duties

The other tasks and duties of a DPO must not result in a conflict of interests. This means, first, that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Due to the specific organisational structure in each organisation, this has to be considered case by case.

As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing. In addition, a conflict of interests may also arise for example if an external DPO is asked to represent the controller or processor before the Courts in cases involving data protection issues.

Source: Article 38(3) and 38(6) of the GDPR

Tasks of the DPO

21.  What does ‘monitoring compliance’ mean?

As part of their duties to monitor compliance, DPOs may, in particular:

  • collect information to identify processing activities
  • analyse and check the compliance of processing activities
  • inform, advise and issue recommendations to the controller or the processor

Source: Article 39(1)(b) of the GDPR

22.  Is the DPO personally responsible for non-compliance with data protection requirements?

No. DPOs are not personally responsible for non-compliance with data protection requirements. It is the controller or the processor who is required to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Data protection compliance is the responsibility of the controller or the processor.

23.  What is the role of the DPO with respect to data protection impact assessments and records of processing activities?

As far as the data protection impact assessment is concerned, the controller or the processor should seek the advice of the DPO, on the following issues, amongst others:

  • whether or not to carry out a DPIA
  • what methodology to follow when carrying out a DPIA
  • whether to carry out the DPIA in-house or whether to outsource it
  • what safeguards (including technical and organisational measures) to apply to mitigate any risks to the rights and interests of the data subjects
  • whether or not the data protection impact assessment has been correctly carried out and whether its conclusions (whether or not to go ahead with the processing and what safeguards to apply) are in compliance with data protection requirements

As far as the records of processing activities are concerned, it is the controller or the processor, not the DPO, who is required to maintain records of processing operations. However, nothing prevents the controller or the processor from assigning the DPO the task of maintaining the records of processing operations under the responsibility of the controller or the processor. Such records should be considered as one of the tools enabling the DPO to perform his or her tasks of monitoring compliance and informing and advising the controller or the processor.

Source: Article 39(1)(c) and Article 30 of the GDPR