Guidance on special categories of data. The General Data Protection Regulations (“GDPR”) defines special categories of data to include personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic or biometric data, health data, sexual orientation, trade union membership, and data concerning a person’s sex life. The ICO’s guidance explains that this type of data needs to be treated with greater care because collecting and using it is more likely to interfere with the fundamental rights of individuals or open someone up to discrimination.

The ICO clarifies that a biological sample, by itself, will not be considered as genetic data, unless analyzed in a manner that allows it to be linked to a specific individual, even if that individual’s identity is unknown. Similarly, the guidance explains that facial imaging and fingerprints, by themselves, are not considered biometric data, unless “specific technical processing” (such as facial recognition or fingerprint verification) has been carried out that establishes an individual’s biometric profile. The guidance also states that special categories data includes information that is likely, even if not certain, to reveal an individual’s health, religion, political views or ethnic origin.

Processing of special categories of data is permitted only where based on one of the lawful bases for such processing under the GDPR, such as the data subject’s explicit consent, where the data subject has publicly published the data or where the processing is necessary for the provision of medical services, public health, research purposes, or a special public interest.

The guidance further explains that processing special categories of data often requires conducting a Data Protection Impact Assessment and the appointment of a Data Protection Officer.

CLICK HERE to read the full ICO guidance.

Guidelines on data protection by design and by default. The European Data Protection Board (“EDPB”) released its initial guidelines on the GDPR Article 25 requirement for data protection by design and by default. The guidelines clarify that data controllers must implement data protection by design as early as time of determining the means of processing; as well as conducting periodic reviews of their compliance with this requirement during the time of processing. Data controllers are required to consider the available technical and organizational measures and the nature, scope, context and purpose of processing, as well as the potential risk the processing imposes on the rights and freedoms of data subjects.

The guidelines emphasize that data protection by default requires controllers to ensure the default settings of the processing of personal data must be designed with data protection in mind. This means, among others, that by default, only personal data which are necessary for each specific purpose of the processing is processed, that data is retained for a minimum period of time, and is accessed by the minimum amount of people. Data controllers must be able to demonstrate their compliance with this requirement, document the reasons behind their design choices, and the effectiveness of the implemented measures.

The EDPB clarifies that technology providers are required to support the controllers’ compliance with these obligations; and encourages controllers to use technology providers that offer processing technology that implements data protection by design and by default.

CLICK HERE to read the EDPB guidelines.

Final guidelines on the territorial scope of the GDPR. The EDPB released the final version of its guidelines on the territorial scope of the GDPR, stating that pursuant to Article 3 of the GDPR, the regulations’ applicability will be determined considering two alternative factors – whether an organization has an establishment in the EU, and whether an organization is targeting individuals in the EU.

The guidelines state that the GDPR applicability on an organization is dependent on its data related activities; it is well possible that the same organization will be subject to the GDPR with relation to only certain, but not all, of its data processing activities.

The guidelines also state that a processor will be directly subject to the GDPR where it processes personal data for a controller, and the processing is related to the controller’s processing activities that are subject to the GDPR. This may subject such processors to GDPR requirements such as, a duty to appoint a Data Protection officer, to maintain a record of its processing activities, and to appoint an EU representative, and may subject the processor to the authority of the EU privacy and data protection regulators.

The guidelines also provide guidance on when an organization will not be considered as offering goods and services in the EU; stating that where an organization’s terms of service indicate that the organization does not target EU residents, and where its charges are solely in a currency of a non-EU state, then it will not be considered as targeting EU residents, and therefore, will not be subject to the GDPR.

CLICK HERE to read the EDPB guidelines.

A €47,000 penalty for violation of consent rules. The Polish Personal Data Protection Office (the “PDPO”) imposed a €47,000 fine on ClickQuickNow, a polish company, which was found to have not implemented appropriate technical and organizational measures to enable data subjects to withdraw their consent to the processing of their personal data.

The PDPO has found that the company’s mechanism of the consent withdrawal did not result in a quick withdrawal. The company intentionally imposed difficulties on individuals asking to withdraw their consent from receiving marketing communications and forced them to state the reason for withdrawing consent, which is not required by the GDPR. Furthermore, failure to indicate the reason resulted in discontinuation of the process of withdrawing consent of said individuals.

The PDPO stated that the company failed to take into account the principle that withdrawal of consent should be as simple as giving it, and intentionally applied complicated procedures in relation to the withdrawal of consent. When determining the amount of the administrative fine, the President of the PDPO did not take into account any mitigating circumstances affecting the final penalty as he found that the company intentionally provided contradictory communications to the data subject interested in withdrawing consent, which resulted in an ineffective withdrawal of consent. In this way, the company made it difficult, or even impossible, to exercise the rights of the data subjects. The company was also ordered to adjust the process of processing requests for withdrawing consent to data processing to the provisions of the GDPR, and to delete the data of data subjects who are not its customers and that have objected to processing the personal data concerning them.

CLICK HERE to read the EDPB’s press release on the matter.

This article was published in the Internet, Cyber and Copyright Group’s November 2019 Newsletter.