Contents
• Introduction
• Key Facts
• Scope
WWW.DLAPIPER.COM
Introduction
On 4 May 2016, the text of the General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union, concluding over four years of intensive legislative work on a new data protection legal framework for Europe.
Key Facts
The General Data Protection Regulation – key facts:
• The previous data protection legislation across the EU was replaced by a new regulation known as the General Data Protection Regulation.
Scope
Who is affected?
• The territorial application of the GDPR covers much wider scope than the Directive, applying not only to organisations established in the EU, but also:
• EU-based entities, in relation to their activities, irrespective of whether data is processed within the EU or outside the EU; and
• organisations from outside the EU, in relation to the offering of goods (and services) to data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU.
List Of Tasks
• All entities to which the GDPR applies should conduct an analysis of the impact of the GDPR on their business activities
• Non-EU based entities should make strategic decisions on their approach to the requirements of the Regulation and designate a representative for the EU for the purposes of the Regulation. (For more information see “Representative of the controller within the EU”)
ART. 3, ART. 4 POINT 17, ART. 27
Directly effective
The GDPR takes direct legal effect in all Member States. Unlike the Directive there is no need for transposition into local national law.
Sector regulations
The GDPR allows EU member states to adopt supplementary laws in certain defined areas (e.g. in the field of employment law). These local laws can provide further regulation to the principles of protection in the GDPR.
DLA PIPER – A GUIDE TO THE GENERAL DATA PROTECTION REGULATION
Codes of conduct
• Since the GDPR came into force, codes of conduct and other supporting regulatory procedures are being created to supplement basic regulatory requirements in the legislation
List Of Tasks
• Monitor emerging codes of conduct relevant to the particular sectors in which your business operates
• Assess the impact of those codes of conduct on your business activities
ART. 40-41
ART. 4
List Of Tasks
• Analyse steps to take and bring data operations into line with the GDPR requirements
• Larger organisations should consider adopting a formal change management programme, supported by step by step implementation plans
Basic principles
• fairness
• transparency
• accuracy
• consistent purpose
• time limitation
• accountability
• integrity
• confidentiality
ART. 5, ART. 12
List Of Tasks
• Review and evaluate the data processing procedures currently in place in the context of the revised basic principles
The grounds for fair processing
• There are far-reaching changes to the basis on which data can be fairly processed if based on ‘consent’ or ‘legitimate interests’.
• Consent can only be relied on if it is freely given, specific, informed and supported by an unambiguous indication of the will from the data subject.
• Broadly drafted consents are no longer legitimate. Nor are situations where consent is directly linked to performance of a contract, or employment status. And in each case, the individual must be able to readily withdraw any consent previously given.
• Additional rules apply when seeking to secure consent from a child.
• If relying on legitimate interests as the basis for fair processing, note that the presumption of legitimacy may be challenged by an individual (or group of individuals), in which case the processing must stop unless the controller can show compelling grounds to continue with the processing which override the individual’s rights, or alternatively if the processing is needed to establish, exercise or defend legal claims.
Silence, pre-ticked boxes or inactivity is no longer recognised as a basis for consent.
List Of Tasks
• Conduct a review of the grounds for data processing to determine whether they can be relied upon under the Regulation
• Draw up consent clauses to comply with the requirements of the Regulation
• Assess the impact of the new principles concerning the processing of children’s data on the activity of the organisation
Special categories of personal data
• The GDPR expands the definition of sensitive data to include new fields such as biometric data.
• The GDPR sets out new detailed rules regarding situations where data are used to undertake automated decisions impacting individuals (profiling).
Biometric data – means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
List Of Tasks
• Review the legal grounds relied upon to legitimise the processing of sensitive data
• Consider the impact of additional duties and restrictions on business processes and procedures, e.g. the legal grounds for the processing of data concerning health, or using sensitive data for the purposes of profiling
• Monitor legislative developments that may bring additional restrictions concerning the processing of sensitive data
Profiling
• The rules allow individuals to object to decisions that directly impact them as a result of their profiles being assessed automatically to support decisions about, for example, that individual’s suitability for employment, or receipt of banking or insurance products.
• Automated decisions are allowed where necessary for the conclusion or performance of a contract with the individual, or where permitted by law or based on the express consent of the individual. In other cases extra checks and balances are needed to protect the individual’s rights.
Profiling – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
List Of Tasks
• Analyse business processes which involve profiling
• Ensure that adequate legal grounds support lawful profiling
• Comply with requirements to provide information relating to the use of automated decision making and, where applicable, introduce human intervention in the decision making process
Principle of transparency
• The GDPR considerably enhances the obligation to provide information to data subjects about the manner and purposes for which personal data are to be used, and what rights they have under the GDPR.
• Privacy notices should be presented in a form that is concise, clear, easily accessible and in plain language, bearing in mind the likely recipient.
List Of Tasks
• Review and, where necessary, amend privacy policies and information clauses to ensure their compliance with the GDPR
• Consider the possible use of graphics to help communicate privacy notices more effectively
• Ensure that if data is processed for secondary purpose(s), all necessary information is provided within the timescales set out in the Regulation
• Ensure business partners meet their own obligations to provide information to individuals if you are relying on reuse of that data
• Consider whether, under national law, any exclusions from the obligation to provide information apply
ART. 12-14
Accountability within the Organisation
Principle of accountability
• The GDPR provides a new principle of accountability – requiring the controller to demonstrate active compliance with its legal responsibilities.
• This should be achieved by integrating data protection throughout the organisation’s processes and culture, including by:
• maintaining a clear written record of all data operations which can be inspected by the supervisory authority on demand;
• mechanisms and procedures for monitoring and verifying compliance (e.g. regular audit);
• measures to enhance awareness of data protection issues in the organisation (e.g. training) up to senior managerial level;
• adoption of the principle of privacy by design – ensuring data protection principles are taken into account at the early stages of designing new technologies, products and systems;
• adoption of the principle of privacy by default – ensuring that privacy protection is adopted as a default option;
• appointment of a Data Protection Officer (DPO) if required (see below).
List Of Tasks
• Implement a comprehensive group wide Data Protection Compliance Programme
• Document all data processing activities
• Develop and implement an effective internal training programme
• Implement mechanisms to ensure that the principles of privacy by design and privacy by default are understood and followed for new projects/higher risk activities
• Where a DPO is appointed, take all necessary actions in connection with such appointment (e.g. ensuring that the DPO has appropriate qualifications, necessary resources, etc.)
A DPO MUST BE APPOINTED IF:
• the organisation is processing personal data as a public entity;
• the core activities require the regular and systematic monitoring of data subjects on a large scale;
• the core activities of the organisation consist of the processing of sensitive data on a large scale or personal data relating to criminal convictions and offences.
Risk-based approach
• Privacy Impact Assessments (PIA) should be undertaken for higher risk projects. PIAs involve assessing potential privacy risks before starting to process data on a given project.
• Data controllers and processors have joint obligations to ensure data security (including technical safety) is appropriate at all times – taking into consideration the nature, scope, context, purposes of the processing and the related risks.
List Of Tasks
• Identify the processing procedures that need to be assessed for their privacy impact and implement mechanisms to ensure that, where necessary, a PIA is carried out
• Implement organisational and technical measures to protect data, taking into consideration the level of risk, and periodically monitor such measures
Certification (marks and seals)
• The GDPR anticipates certification mechanisms which may grant special marks and seals confirming proper application of the GDPR requirements through the organisation.
• Certification is made by appropriate certification bodies or by a competent supervisory authority.
List Of Tasks
• Keep an eye out for certification marks that become available and assess the organisation’s eligibility to apply for certification
• Implement procedures to ensure that the adopted solutions comply with the requirements of the GDPR
ART. 24 PAR. 3, ART. 25 PAR. 3, ART. 28 PAR. 5, ART. 32 PAR. 3, ART. 42-43, ART. 46 PAR. 2
ART. 26
Data processors
• The GDPR provides much more detail than the Directive regarding the arrangements for the conduct of data processing by data processors including:
• a principle that the processor should only process data upon a documented request or instruction from the controller;
• an obligation on the processor to maintain the confidentiality of processed data;
• a requirement to adopt appropriate measures to protect the security of data processing;
• an obligation to assist the controller in any cooperation required with the supervisory authority;
• an obligation to keep an independent record of data processing activities performed on behalf of the controller.
• A data processing agreement must be in place to regulate the relationship. The terms of the agreement must include obligations related to data protection breaches, the erasure of data after the provision of services ends, and the cooperation with the data controller.
List Of Tasks
• Review and, where necessary, modify existing data processing agreements to ensure compliance with the new requirements
• Update related tendering documents and processes (e.g. RFP documentation, specimen letters and agreements to be used in procurement procedures) to ensure alignment with the position under the GDPR
ART. 28-31
Transfer of data to third countries
• The GDPR restates principles in the Directive governing the prohibition on the transfer of data to countries outside the EEA, unless adequate levels of protection exist in the destination country.
• In addition to the existing rules on adoption of model clauses and binding corporate rules, the GDPR anticipates other mechanisms to support lawful transfers, including:
• codes of conduct, and
• a new certification mechanism.
• At the same time, the significance of binding corporate rules has grown.
• The existing decisions of the Commission confirming an appropriate level of data protection in a third country and approving model clauses remain in force.
List Of Tasks
• Review existing data transfer mechanisms
• Update the data transfer agreements in force
• Consider whether Binding Corporate Rules should be implemented
• Monitor developments regarding data transfers to the US (under the so-called Privacy Shield) and to other third countries (through the use of model clauses)
Controllers not established in the EU
• If the GDPR applies to a data controller who is not established in the EU, they should designate a representative in the EU who can act on their behalf with local supervisory authorities.
• There are some exceptions to this principle – e.g. when the processing is occasional and does not involve the processing of sensitive data.
List Of Tasks
• Check whether it is necessary to designate a representative in the EU
• Ensure the representative is properly appointed and understands their terms of reference/responsibility
ART. 27
Abolition of notification requirements
• The GDPR abolishes the requirement to maintain a registration of processing activities with the local supervisory authority.
List Of Tasks
• Develop mechanisms for keeping a comprehensive internal record of data processing activities across the organisation and for disclosing the same (on request) to a supervisory authority
ART. 30
ART. 36
Liability
The GDPR requires fines to be “effective, proportionate and dissuasive”. The amount of a fine in an individual case will depend on a number of factors, such as the nature of the breach, the degree of fault, prior breaches, etc.
Fines may be imposed for infringement of, among other things:
• the basic principles governing data processing, including the requirements concerning the obtaining of consent (Art. 5-7 and Art. 9)
• the rights of data subjects (Art. 12-22)
• transferring personal data to third countries (Art. 44-49)
• the obligations under the national law adopted pursuant to chapter IX of the GDPR
• non-compliance with the order to restrict or suspend data processing or flow, temporarily or permanently, issued by the supervisory authority pursuant to Art. 58 par. 2 or the failure to provide access, which results in a breach of Art. 58 par. 1
• the obligations of the controller and processor referred to in Art. 8, Art. 11, Art. 25-39, Art. 42-43
• the obligations of the certification body as referred to in Art. 42-43
• the obligations of the monitoring body as referred to in Art. 41 par. 4
• member states should enact local laws providing criminal sanctions for a breach of the GDPR.
List Of Tasks
• Ensure risk arising from any data processing/data sharing arrangements is properly managed through appropriate confidential warranties, indemnities, etc.
One-Stop-Shop Mechanism
• The One-Stop-Shop concept is a fundamental reform enshrined in the GDPR, establishing a principle that the supervisory authority of the controller’s (the processor’s) main establishment is competent to act as lead supervisory authority for the cross-border processing carried out by that controller (processor).
• The One-Stop-Shop mechanism:
• is intended to make it easier for controllers and processors to conduct business across EU territories;
• requires supervisory authorities to cooperate with each other cross-border for multi-country matters;
• will be subject to further clarification as to how the mechanism will work in practice.
• The One-Stop-Shop should lead to more joined up action by national authorities, including in the pursuit and application of enforcement where the controller is based in a number of states, or the processing operations impact entities in a number of states.
DLA Piper is a global law firm operating through various separate and distinct legal entities. Further details of these entities can be found at www.dlapiper.com.
This publication is intended as a general overview and discussion of the subjects dealt with, and does not create a lawyer-client relationship. It is not intended to
be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper will accept no responsibility for any actions taken or not taken
on the basis of this publication. This may qualify as “Lawyer Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
Copyright © 2019 DLA Piper. All rights reserved. | FEB19 | 3348160