On 24 May 2016 the General Data Protection Regulation ('GDPR'), Regulation (EU) 2016/679, was adopted in the European Union (EU). The GDPR is sweeping legislation which includes fundamental changes to EU law in respect of the protection of personal data and repeals the EU Data Protection Directive 95/46/EC. The GDPR shall be in effect from 25 May 2018 in all EU member states.
The purpose of the GDPR is to ensure the rights and freedoms of natural persons with regard to collection, processing and transfer of Personal Data.
Who should comply with the GDPR
The GDPR applies to a 'Controller' or a 'Processor' of 'Personal Data' regardless of the location of such Controller or Processor, in the event of:
(i) 'Processing' of Personal Data related to the offering of goods or services to EU 'Data Subjects';
(ii) Monitoring of Data Subjects' behavior in so far as their behavior takes place within the EU.
Therefore, by receiving Personal Data from EU Data Subjects, businesses outside of the EU will be subject to the GDPR.
Whether goods or services are offered to EU Data Subjects (including on the internet) may be determined by: (i) the presence of a website or an email address or other contact details in the EU (including that of an intermediary); (ii) the use of a language or a currency; (iii) the mentioning of customers or users who are in the EU.
Monitoring of the behavior of EU Data Subjects in so far as such EU Data Subject's behavior takes place within the EU is also governed by the GDPR. Monitoring includes internet tracking and profiling of EU Data Subjects, particularly in order to make decisions concerning the EU Data Subject or for analyzing or predicting the Data Subject's personal preferences, behaviors and attitudes.
The GDPR does not apply to certain law enforcement activities, processing for (national) security purposes and processing carried out by individuals for purely personal or household activities.
The definition of 'Personal Data' is expanded under the GDPR to include any information which relates to: (i) an identified natural person; and (ii) an identifiable natural person. Identifiable means identifiable either directly or indirectly, including by online identifiers and location data. The GDPR contains some protections for pseudonymous data, since it could potentially be used to identify an individual if associated with other data.
Processing of Personal Data
The GDPR requires that Personal Data shall be: processed lawfully, fairly and in a transparent manner; collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; accurate and, where necessary, kept up to date; kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed; and processed in a manner that ensures appropriate security of the Personal Data.
Privacy notices and Rights of Data Subjects
A Controller should disclose certain information (the right to be informed) and the Data Subject's rights in a privacy notice, including (i) identity of the data Controller; (ii) purposes of the data processing; (iii) categories of recipients of the Personal Data; (iv) retention period; (v) contact details of the data protection officer (if any); (vi) the right to access, rectification or erasure; (vii) the right to object (including to profiling, processing based on legitimate interests, direct marketing, and processing for purposes of scientific/historical research and statistics) and the right of portability; (viii) the right to lodge a complaint with a supervisory authority; (ix) information regarding possible data transfers to other countries or international organizations; (x) the right to restrict processing; and (xi) rights in relation to automated decision making and profiling.
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication, such as by a written statement, or by electronic means, including ticking a box when visiting an internet website (which has not been pre-ticked), or an oral or other statement, or conduct which clearly indicates the Data Subject's acceptance (which should cover all processing activities carried out for the same purpose(s)). Silence or inactivity should not constitute consent. Parental consent is required for children under the age of 16; this age can be lowered by member states but may not be lower than 13. The employer-employee relationship is considered a "significant imbalance" and therefore an employee's consent is usually not considered freely given to its employer. A Data Subject may object at any time to processing of Personal Data for marketing activities, which must cease following such objection. Consent does not qualify as freely given if performance of a contract is conditional on consent to process Personal Data not necessary for the performance of the relevant contract.
Processing of special categories of Personal Data ('Sensitive Data'), which include data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, is subject to a higher standard of consent of the Data Subject.
Accountability and Governance
The GDPR requires organizations to have comprehensive but proportionate governance measures in place, whose aim is to minimize the risk of breaches and uphold the protection of Personal Data. This includes, where relevant, appointment of a data protection officer, record keeping, and implementation of appropriate technical and organizational measures that ensure and demonstrate that an organization is in compliance (including internal data protection and other policies and internal audits of processing activities).
Data Protection Officer
Under the GDPR, processing carried out by: (a) a public authority; and (b) in the private sector, an enterprise (i) of 250 employees or more, or (ii) whose core activities consist of processing operations requiring regular and systematic monitoring of EU Data Subjects, requires a data protection officer who has expert knowledge of data protection law and practices and can perform his or her duties and tasks in an independent manner.
Processing activities must be recorded in organizations with more than 250 employees. Activities related to high-risk processing should be recorded in all organizations, irrespective of the number of employees.
The supervisory authority should be notified by a Controller without undue delay and, where feasible, not later than 72 hours after having become aware of a Personal Data breach. When the Personal Data breach is likely to result in a high risk to the rights and freedoms of the affected person (including identity theft, fraud, physical harm, humiliation, damage to reputation), the individual should also be notified by the Controller.
Transfer of Personal Data outside the EU
In order to ensure that the protection of Personal Data of EU Data Subjects is not undermined, the GDPR imposes restrictions on the transfer of Personal Data outside the EU. Personal Data may be transferred in accordance with an adequacy decision of the European Commission (with respect to the country or organization) or when the organization receiving the Personal Data has provided adequate safeguards in accordance with the GDPR. However, the GDPR provides for certain exceptions to the general prohibition on transfer of Personal Data in specific situations.
Under the GDPR a Processor shall be liable for the damage caused by processing not in compliance with the obligations of the GDPR or where it has acted outside or contrary to the lawful instructions of the Controller. Controllers should only use Processors that can provide sufficient data protection in accordance with the GDPR. Furthermore, the GDPR imposes a number of requirements for contracts between Controllers and Processors. Records of processing activities should be maintained by the Processor or Controller and made available to a supervisory authority on request for monitoring purposes.
A Controller or Processor not established in the EU shall designate, in writing, a representative in the EU. If processing is only occasional and does not include certain categories of data on a large scale, and the processing is not likely to result in a risk to rights and freedoms, appointment of a representative is not necessary.
Enforcement of the GDPR is the responsibility of the national data protection authorities, whose powers are expanded by the GDPR. In addition to the powers of a supervisory authority to carry out investigations, obtain access to the premises of Controllers and Processors and order Controllers and Processors to provide information, the GDPR provides for administrative fines for infringement of certain provisions of the GDPR (related to basic principles, certain Data Subject rights and transfer of data outside the European Economic Area) set at the higher of: up to 20 million or up to 4% of the total worldwide annual turnover of the preceding financial year.
In light of the above, businesses receiving Personal Data from EU Data Subjects or monitoring EU Data Subjects' behavior in the EU are recommended to review their compliance with the GDPR and amend internal policies and practices, to the extent required to comply with the terms of the GDPR, by May 2018.