In the next twelve months we aim to provide you with a practical overview of the most relevant changes as a result of the General Data Protection Regulation (GDPR), applicable as from 25 May 2018. This month’s issue discusses the following two important subjects:
- the applicability of the GDPR; and
- the introduction of the One-Stop-Shop supervisory mechanism.
The GDPR will have a significantly broader territorial scope than the current EU Data Protection Directive 95/46/EC (and national law implementing this Directive).
Under the Directive, only two categories of data controller are caught: those established in the EU, and those established outside the EU that make use of (automated or non-automated) means located in the EU. The GDPR extends this in two ways. First, it also applies to the processing of personal data by data processors established in the EU, not only controllers. Second, it applies to controllers and processors established outside the EU where their processing activities relate to (i) the offering of goods or services to data subjects in the EU, whether or not payment is required, or (ii) the monitoring of data subjects' behaviour, insofar as that behaviour takes place within the EU.
Example: an e-commerce company based in the US, with no EU establishment or subsidiary, would generally fall outside the current EU data protection framework. Under the GDPR this changes: the company is caught as soon as it offers its goods or services to, or otherwise targets, individuals located in the EU.
See the accompanying table.
Currently, each EU Member State has its own public authority (a data protection authority, or DPA) responsible for monitoring and enforcing compliance with its national data protection law. Each DPA has its own investigative and enforcement powers, and there is no prescribed mechanism for cooperation between them.
In order to ensure more coherence in the application of data protection legislation throughout the EU, the GDPR introduces a One-Stop-Shop supervisory and cooperation mechanism.
This means that data controllers and processors with activities in several EU countries are primarily subject to the authority of a single ‘lead’ DPA, which supervises all of their cross-border processing activities. The lead DPA is the DPA of the Member State in which the controller or processor has its single or main establishment (in principle, the place of its central administration in the EU). The lead DPA must closely involve, and cooperate with, the other DPAs concerned in its decision-making process. Each of those other ‘concerned’ DPAs nevertheless remains fully competent to handle complaints lodged with it, and possible infringements of the GDPR, where the matter only relates to, or substantially affects, data subjects in its own Member State, unless the lead DPA decides to take over the case.
Example: a Dutch citizen lodges a complaint with the Dutch DPA about the cross-border processing activities of a Belgian company. As the Belgian DPA is the ‘lead’ DPA for these processing activities, the Dutch DPA must notify it of the complaint. The Belgian DPA may then decide to take over the case from the Dutch DPA. In that case the One-Stop-Shop cooperation procedure applies: the decision is agreed jointly between the Belgian and Dutch DPAs, following a process in which draft decisions are shared and relevant information is exchanged. If the Belgian DPA decides not to take over the case, the complaint is handled further at local level by the Dutch DPA.
What do these changes mean for your organisation and how can you prepare for them?
- The broader scope of the GDPR may mean that the GDPR applies to (more) processing activities taking place in your organisation, even where your organisation is established outside the EU or generally qualifies as a data processor:
  - (Re-)assess the applicability of the GDPR to your organisation’s current data processing activities.
- If your organisation is active in more than one EU Member State, or carries out cross-border processing activities, it may be primarily subject to the authority of a ‘lead’ DPA:
  - Identify this ‘lead’ DPA (the DPA of the country in which your organisation has its main establishment) and the possible other ‘concerned’ DPAs, by listing the other EU Member States in which your organisation is active and the EU Member States in which data subjects affected by your organisation’s processing activities reside.
  - Stay updated on developments, decisions, news and guidelines issued by the relevant DPAs.