The new European Union (EU) General Data Protection Regulation (GDPR) replaces the Data Protection Directive on May 25, 2018 and will directly impact all companies, including vapor product retailers and businesses, that market and sell products to consumers in the EU and/or employ residents of the EU. The reforms will give European consumers new rights and control over the personal data collected from and about them, and impose new obligations on businesses within and outside of the EU that collect personal information from EU citizens, regardless of where they reside, or from individuals who reside in the EU, regardless of their nationality. Given the magnitude of potential penalties for violations of the GDPR (supervisory authorities are authorized to impose fines of up to 4% of global annual turnover for serious infringements and 2% for less serious infringements), it is imperative that vapor product retailers and others selling into the EU or handling data about Europe-based individuals ensure they are GDPR-ready.
The new rules empower individuals by, among other things, (1) providing easier access to personal data and more information on how data is processed, (2) facilitating data portability, or transfers of personal data between service providers, (3) clarifying the fundamental “right to be forgotten” for individuals who no longer wish for their data to be processed, and (4) requiring expedited notifications to the national supervisory authority by companies that experience a data breach affecting personal data.
Most companies operate with multiple streams of data, such as HR data, consumer data, vendor/supplier data, and the like. A good starting point is for businesses to assess their current data collection practices and identify gaps, and use that to map out a step-by-step compliance plan specific to their data collection practices that fully prepares them for the new GDPR world.
We provide below a summary of the key requirements in the GDPR and a compliance checklist for businesses. Please note that the summary and checklist are provided for informational purposes only, and do not constitute legal advice regarding specific facts or circumstances.
|GDPR KEY REQUIREMENTS|
|Personal Data||The term “personal data” means “any information concerning an identified or identifiable natural person.” An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.|
|Extraterritorial Effect||The Regulation applies not only to the processing of personal data by controllers and processors in the EU, but also the processing of personal data of data subjects who are in the EU by a controller or a processor not established in the EU, if the processing activities are related to offering goods or services to the data subjects or monitoring their behavior within the EU.|
|Lawfulness of Processing||To be lawful, at least one of the following must apply:
|Consent||Consent to processing must be unambiguous, specific, informed, and freely given (for example, checking a box at a website or choosing technical settings). Pre-checked boxes do not constitute consent. For sensitive data (for example, data revealing race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation), consent must be explicit. When processing has multiple purposes, consent should be given for all of them. Consent may be withdrawn.|
|Data Processing||Processing of personal data must be lawful, fair, and transparent. Individuals should be made aware of the risks, rules, safeguards and their rights in relation to the processing of personal data. The specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection. Personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. Time limits should be established for erasure or periodic review. Personal data should be processed in a manner that ensures appropriate security and confidentiality.|
|Right to be Forgotten||Individuals have a right to request deletion of data, with some exceptions (for example, if retention is legally required).|
|Data Portability||Individuals have the right to easily transfer personal data between different service providers.|
|Children||Special rules apply to children’s data. Where a child is below age 16, processing is lawful only if parents or guardians consent. Member States may establish a lower age for these purposes, so long as the age is not below age 13.|
|Controller Responsibility||Personal data must be processed under the responsibility and liability of the controller, who must ensure and document compliance for each processing operation. Controllers should only use processors who provide sufficient guarantees in terms of expert knowledge, reliability and resources to implement technical and organizational measures that will meet the requirements of the Regulation. Adherence to an approved code of conduct or certification mechanism may be used to demonstrate compliance. There must be controller-processor agreements in place that describe the subject matter, duration, nature and purposes of the processing, type of personal data, and categories of data subjects. Upon completion of the processing, the processor must, at the controller’s election, return or delete the data, unless the processor is required by law to store it. Joint and several liability for controllers and processors.|
|Data Protection Impact Assessments||
Data controllers must conduct Data Protection Impact Assessments (DPIAs) for “risky” processing. DPIAs should be completed before beginning any type of processing which is “likely to result in a high risk.” This means even though the actual level of risk may not have been assessed, a DPIA may be necessary based on identifying factors that point to the potential for a widespread or serious impact on individuals. Some jurisdictions may impose DPIA requirements on specific types of processing.
If the DPIA indicates that processing involves a high risk that cannot be mitigated, controller should consult supervisory authority (DPA) prior to the processing.
|Data Protection Officer||Organizations must appoint a data protection officer (DPO) in three situations: the processing is carried out by a public authority; the core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale; or the core activities involve processing sensitive data or criminal convictions on a large scale.|
|Documentation||Controllers and processors must document all processing and make documentation available to DPA on request.|
|Data Breach Notification||Controllers must notify DPA within 72 hours of learning of a breach, where feasible; no notification is required if a breach is unlikely to result in risk to the rights or freedoms of individuals. Controllers must notify data subjects without undue delay, where the breach is likely to result in a high risk to their rights or freedoms. Notifications to data subjects should describe the nature of the breach and recommendations for individuals to mitigate potential adverse effects. Processors must notify controllers.|
|Streamlined Approvals||A single DPA can be designated the lead, enabling multiple DPAs to handle cases in a more streamlined manner.|
|Codes of Conduct and Certification||Codes of conduct are encouraged, and are subject to approval by the Commission, and compliance should be monitored by an appropriate expert, accredited body. Approved codes of conduct will be registered and published. Data protection certification mechanisms, seals and marks are encouraged.|
|Transfers to Other Countries||Transfers to other countries are permitted based on a determination that the country provides adequate protection of privacy; transfers are subject to adequate safeguards (for example, binding corporate rules, standard contractual clauses, an approved code of conduct, approved certification mechanisms, explicit informed consent).|
|Reduced Notifications||Supervisory notifications about data processing are no longer required, but permission is required to process certain categories of data.|
|Art 29 Working Party (WP29)||WP29 will be “upgraded” to an independent European Data Protection Board.|
|WP29 Guidance||WP29 has issued guidance on several aspects of the GDPR that provide clarification and recommendations:|
|DPA Enforcement||DPAs have enhanced enforcement powers, including expanded investigatory authority.|
|Complaints and Remedies||EU citizens can lodge complaints with local DPAs, even where data is processed extra-territorially, and have the right to a judicial remedy against supervisory authorities who fail to act and against controllers and processors.|
|Penalties||DPAs are authorized to impose fines of up to 4% of global annual turnover for certain serious infringements; 2% for less serious infringements.|