TOPICS: Automated individual decision-making, Profiling, Data Protection Impact Assessment, Administrative Fines, Article 29 Working Party, EU General Data Protection Regulation, European Union
The EU General Data Protection Regulation ("GDPR") becomes applicable on 25 May 2018. During the implementation period, the EU's Article 29 Working Party ("WP29") has issued guidelines addressing several key aspects of the GDPR. The WP29 is an advisory body made up of a representative of the data protection authority of each EU Member State, together with the European Data Protection Supervisor and the European Commission. Although its opinions and guidelines are not binding, they indicate how the European data protection authorities are likely to interpret the GDPR's requirements.
The new guidelines include the following:
- Guidelines on Data Protection Impact Assessment ("DPIA"), which have been approved as final versions, after examining comments received during the public consultation;
- Guidelines on Data Breach Notifications (adopted and available for public consultation before their final adoption);
- Guidelines on Automated individual decision-making and Profiling (adopted and open for public consultation before their final adoption); and
- Guidelines on the application and setting of administrative fines for the purpose of the GDPR.
Additional GDPR-focused guidelines that were previously adopted by the WP29 are:
Key points related to the new guidelines are as follows:
Guidelines on DPIA
Article 35 of the GDPR requires a DPIA, i.e. an assessment of the risks that a proposed processing of personal data poses to the individuals concerned, where the processing is likely to result in a high risk to their rights and freedoms. The DPIA is to be built into the organization's regular business processes and also serves the controller's obligation to demonstrate compliance.
To make more concrete which processing operations require a DPIA because of their inherent high risk, the WP29 guidelines set out the following criteria:
- Evaluation or scoring, including profiling and predicting behavior;
- Automated decision-making with a legal or similarly significant effect, including profiling that may lead to the exclusion of or discrimination against individuals;
- Systematic monitoring, which would include employee monitoring programs;
- Processing of sensitive data;
- Large-scale processing, assessed by the number of individuals concerned, the volume or range of data, the duration of the processing and its geographical extent;
- Matching or combining datasets;
- Processing data of vulnerable data subjects, such as children, employees, mentally ill persons, patients or the elderly;
- Innovative use or application of technological or organizational solutions; and
- Processing that prevents data subjects from exercising a right or using a service or a contract.
In addition, the guidelines include examples illustrating how the criteria are applied to assess whether a particular processing operation requires a DPIA; in most cases, processing that meets two or more of the criteria will require one, although a controller may decide that a DPIA is warranted even where only one criterion is met. The guidelines also emphasize that processing operations must be continuously assessed and reviewed as part of the controller's general accountability obligations.
Guidelines on Data Breach Notifications
The GDPR requires data controllers to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Under these guidelines, the WP29 explains that a controller becomes "aware" of a breach when it has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. Data processors must notify the controller of any breach without undue delay.
In addition, the guidelines examine cases where delayed notification may be allowed; the information that should be provided to the supervisory authority; the way to determine which supervisory authority should be notified; and additional requirements concerning communication to the affected data subjects.
Guidelines on Automated individual decision-making and Profiling
These guidelines comprise five sections incorporating "best practice" recommendations intended to assist controllers in meeting the GDPR requirements on profiling and automated decision-making. They cover the following:
- Definitions of profiling and automated decision-making, and the GDPR’s approach to these concepts;
- Explanation of key provisions on automated decision-making under the GDPR (such as prohibition on fully automated individual decision-making, including profiling that leads to decisions that impact the individual in a sufficiently significant way; exceptions to the prohibition; and the right of the data subject to be informed regarding the automated decision-making);
- Explanation of other general requirements of profiling and automated decision-making (including transparency; fairness; data minimization; and storage limitation);
- Children and profiling; and
- DPIAs – the requirement to carry out DPIAs for evaluations based on profiling and automated processing, including profiling having a legal or similarly significant effect that is not entirely automated, as well as in the case where the profiling is solely automated.
Guidelines on the application and setting of administrative fines
Administrative fines are a central element of the new enforcement regime introduced by the GDPR; non-compliance may result in fines of up to €20 million or 4% of the company's total worldwide annual turnover of the preceding financial year, whichever is higher.
The WP29’s guidelines on this subject are directed at the supervisory authorities, to be used by them as part of their enforcement policy. According to the guidelines, data protection authorities (“DPAs”) should consider the "nature, gravity and duration of the infringement." It is to be noted that under the guidelines, "minor infringements" might only give rise to a reprimand, especially when the infringement does not pose a significant risk to the rights of the data subjects concerned and does not affect the essence of the obligation in question. In addition, if a fine would impose a "disproportionate burden" on a "natural person," then a reprimand might be appropriate.
The guidelines state that DPAs must assess each case individually in order to identify the most "effective, proportionate and dissuasive" measures. For the purpose of doing so, DPAs are instructed to consider the following factors in determining the size of a fine:
- The nature, gravity and duration of the infringement;
- The number of data subjects involved;
- The scope and purpose of the processing;
- The damage suffered by data subjects (and any action taken by the organization to mitigate that damage);
- The degree of responsibility of the organization, including the technical and organizational measures it implemented;
- The intentional or negligent character of the infringement; and
- The degree of cooperation with the DPA in order to remedy the infringement.
If the organization has taken steps to reduce the consequences of the infringement, this "responsible behavior" will be taken into account in calculating the sanction to be imposed.