The European Union General Data Protection Regulation (EU GDPR - Regulation n. 679/2016) is the new EU legislation that aims at strengthening and improving the protection of personal data within the European Union (EU) borders and of individuals and subjects of the European Union. The Regulation was published in the Official Journal of the European Commission on 4 May 2016, entered into force on 25 May of the same year, and applies as of 25 May 2018.
One of the crucial issues ruled by the GDPR concerns the export of personal data outside the EU and the related obligation for all data handlers (including those with headquarters outside the European Union jurisdiction) to treat the European residents' data in accordance with the obligations set forth by the GDPR. The main objectives of this Regulation are twofold: empowering citizens to control their personal data; and, simplifying, unifying and harmonizing the regulatory system on EU citizens' privacy even at international level.
For more information, consult our sections related to the EU GDPR framework and the EU – U.S. Privacy Shield.
The GDPR sets principles to enable data processing. These principles are enshrined in Article 5 of the Regulation, and consist of:
• Lawfulness, fairness and transparency: Art. 5 (1) (a) establishes that “Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject”.
In particular, the new GDPR has introduced the concept of transparency that will require data handlers’ strong efforts to ease data subjects’ possibility to control and participate in the processing of their data (e.g. explaining to data subjects how their information will be used).
• Purpose Limitation: Art. 5 (1) (b) establishes that data must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes”.
In other words, data cannot be used for purposes different from the ones for which the organisation was authorised to process them.
• Data minimisation: Art. 5 (1) (c) establishes that data must be used in a way that is “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.
This principle plays a fundamental role as a general rule aimed at limiting the use of data. It differs from purpose limitation because it is not tied to a specific purpose but applies to every unnecessary use of data, even one linked to the correct purpose. This principle will oblige data handlers to revise their data processing activities, keeping only the strictly necessary ones.
• Accuracy: Art. 5 (1) (d) establishes that personal data must be “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay”.
This principle tightens companies’ responsibility for data accuracy in order to limit the risk of data breaches caused by companies’ oversights.
• Data retention: Art. 5 (1) (e) declares that data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject”.
The rule set under Article 5 (1) (e) could be considered a subspecies of the “minimisation” principle. It aims to avoid the retention of data when it is not necessary in relation to the purposes for which the data are processed. Additionally, this principle is strictly connected to the “right to be forgotten”, a new concept introduced by EU jurisprudence and crystallised in the GDPR, which recognises data subjects’ right to ask for and obtain the cancellation of their data even before the expiry of the authorised retention period.
• Integrity and confidentiality: Letter (f) of the abovementioned Article declares that data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
This provision highlights the GDPR’s aim of strengthening data security, putting it at the centre of any data processing activity.
• Accountability: Art. 5 (2) introduces the rule which declares that “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1”.
Significantly, this principle places the burden of compliance on the data controllers, underlining that they are the bearers of the obligations and responsibilities set by the GDPR.
The GDPR has introduced a broader concept of territoriality, extending its rules not only to all the organisations established in the EU, but also to all organisations “established outside the EU if they (either as controller or processor) process the personal data of EU residents when offering them goods or services or monitor the behaviour of EU data subjects”. This means that organisations based outside the EU are also bound by GDPR compliance obligations when handling, in various forms, EU subjects’ data.
A) SUBJECTS INVOLVED:
1) Data Controller
Article 4 defines in its paragraph 7 the “Controller” as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”.
Various other Articles deal with this subject. See in particular: Art. 4(17); Art. 5 in its paragraph 2; Artt. 24 to 34; Art. 82 in its paragraphs 3 and 5; and Art. 89.
This set of provisions imposes important new obligations on controllers, which must now demonstrate their GDPR compliance and are responsible for the lawfulness of data processing vis-à-vis the Regulation rules. Controllers are also obliged to provide a swift notification system to the competent DPA in order to report data breaches within 72 hours, and to notify the data subjects concerned without undue delay.
It is important to note that the GDPR foresees the possibility for “controllers” to use service providers for data processing on their behalf. Such practice requires organisations to respect certain rules: there must be a written agreement between the controller and the processor, which must include a clause obliging the processor to act on behalf of the controller only; the processor must also strengthen its personal data protection systems through specific measures in order to limit any risk to the data, such as the risk of unlawful cancellation, leaks, alteration, disclosure, or access.
2) Data Processor
Article 4, in its paragraph 8, defines the “Processor” as a “natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller”.
Other provisions deal with this subject, in particular: Art. 3(1), Artt. 28 to 33, but also Art. 37; Art. 44; and Art. 82 (1)-(2).
As explained above, the GDPR has imposed compliance obligations on both controllers and processors. In fact, these two categories of subjects risk the same type of sanctions if not compliant with the Regulation, unlike under the previous EU Directive n. 95/46/EC, where only the controllers were considered responsible. The rules on data security imposed on controllers and processors include: cross-border transfers of data; the establishment of a Data Protection Officer (DPO) under certain conditions; recording the processing activities; and cooperation with DPAs. In this broader framework, the GDPR has also expanded the set of provisions to be inserted in the agreement between data controllers and processors. These provisions establish:
• “that the processor cannot depart from the controller’s instructions
• that all the data handlers must respect the principle of confidentiality
• that security measures for the processed data must be put in place
• that the processor must assist the controller in data protection compliance
• that the processor must support the controller in obtaining DPA authorisation
• that the processor must provide for the return or cancellation of the data at the end of the relationship
• that the processor must support the controller in demonstrating GDPR compliance”
As we can see, processors are strictly bound by controllers’ instructions. For this reason, when a processor considers that an instruction conflicts with any GDPR provision, it must immediately inform the controller concerned. Conversely, if the processor breaches the GDPR rules by not following the controller’s instructions, that processor will be considered liable for breaching controller duties in that specific activity.
It is important to stress that according to the GDPR regime processors may be prosecuted and be considered liable for any violation of individuals’ privacy rights.
3) Data Protection Officer (DPO)
Article 37 establishes that:
“A controller or processor must appoint a DPO if local laws require it to do so, or if its data processing activities involve:
• regular and systematic monitoring of data subjects on a large scale; or
• processing Sensitive Personal Data on a large scale.
• A corporate group may collectively appoint a single DPO.
• Organisations that are not required to appoint a DPO are free to do so voluntarily. If a DPO is appointed, the organisation must publish the details of the DPO, and communicate those details to the relevant DPA.”
This rule does not state that the DPO needs specific qualifications, but only requires companies and organisations to appoint as DPO a person with sufficient expertise in the data protection field. However, the GDPR also asks that the DPO’s skills be balanced against:
• The type of personal data processed;
• The kind of processing operation conducted.
This means that data handlers are not completely free to designate anyone to this role, but must choose a DPO with an in-depth awareness of the activities it will have to monitor and certify. Article 39 sets out the minimum tasks to be performed by a DPO:
• “informing and advising the relevant controller or processor (and any employees who process personal data) about their obligations under the GDPR
• monitor compliance with the GDPR by the controller or processor
• advise on Impact Assessments and prior consultation with DPAs; and
• cooperate with DPAs and act as a point”.
Furthermore, in order to let a DPO carry out its role as well as possible, the GDPR grants it a highly independent position. This includes the capacity to access all company or organisation data related to personnel, to access the figures on the processing operations, and to benefit from a direct reporting channel to the top management of the company or organisation. The DPO’s independence is strongly safeguarded: for instance, the Regulation protects the DPO from any disciplinary action for tasks performed within the DPO remit, and expressly denies the organisation any possibility to instruct the DPO on the performance of those duties.
4) Data Protection Authority (DPA)
Article 51 of the GDPR asserts that “Each Member State is required to appoint one or more DPAs to implement the Regulation and protect the rights and freedoms of individuals”.
The DPAs are entrusted with many tasks provided by Article 55 and Article 57 of GDPR. The main provisions require DPAs to:
• “promote public awareness and the awareness of controllers and processors and the understanding of the risks, rules, safeguards and rights in relation to processing;
• advise, in accordance with Member State law, institutions and bodies on legislative and administrative measures relating to the protection of natural persons’ rights and freedoms with regard to processing;
• upon request, provide information to any data subject concerning the exercise of their rights under this Regulation; cooperate with the supervisory authorities in other Member States to that end;
• handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80.
• conduct investigations on the application of this Regulation;
• adopt standard contractual clauses referred to in Article 28(8) and in point (d) of Article 46(2);
• establish the requirement for data protection impact assessment pursuant to Article 35(4);
• encourage the drawing up of codes of conduct and the establishment of data protection certification mechanisms and of data protection seals and marks;
• draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;
• authorise model contractual clauses and provisions referred to in Article 46(3);
• approve binding corporate rules pursuant to Article 47;
• contribute to the activities of the European Data Protection Board;
• keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2);
• fulfil any other tasks related to the protection of personal data”.
The primary competencies of DPAs have remained almost the same as those established by the previous EU Directive n. 95/46/EC. Under the GDPR, there is now more interaction between DPAs and companies or organisations.
The real step forward determined by the GDPR consists of its provisions on the EU Member States DPAs cooperation when they deal with companies or organisations operating in more than one Member State. The Regulation has introduced two new fundamental concepts and the crucial role of the EDPB:
I. The “One-Stop-Shop”
This concept aims to create a uniform decision-making process in those cases where multiple Authorities could intervene to regulate the same activity carried out by one company or organisation operating in different Member States. The Articles dealing with this matter are Article 55, Article 56 and Article 60 of the GDPR.
The fundamental rule for this concept is in Article 55 when it stipulates that: “Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.”
This rule, which also aims at simplifying procedures, makes the DPA of the country where a company or organisation has its main establishment the so-called “lead authority”. Besides supervising the activities of the company or organisation in its own country of seat, that authority will also be entitled to regulate the organisation’s activities regarding cross-border data flows between different Member States.
The "One-Stop-Shop" intends to enhance the DPAs' harmonisation and, by this, create a more coherent application of the Regulation across the Union. While it will oblige companies or organisations to depend on one DPA only, practice will shed light on how these procedures will concretely operate and to which extent other DPAs will coordinate with "external" authorities’ decisions.
II. The Consistency Mechanism
Strictly interlinked with the “One-Stop-Shop”, the GDPR has also introduced the concept of “Consistency Mechanism”. This mechanism requires a DPA to consult other concerned DPAs before acting against a company or organisation that performs data processing activities across the borders of different Member States. Such an instrument is intended to play a fundamental role on the overall GDPR harmonization.
III. The European Data Protection Board (EDPB)
Another instrument aiming to strengthen the EU-level DPA coordination is the EDPB. This Board is foreseen by Articles 68 through 76 of the GDPR.
The Regulation establishes that “The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives”.
The Board has various tasks set out in Art. 70. That Article gives the EDPB not only an advisory role but also an active role in the enforcement of the General Data Protection Regulation. In principle, the EDPB brings DPA representatives together in order to establish a common interpretation of the GDPR. Although it has no legally binding powers, the EDPB can provide opinions or general guidelines on DPAs’ positions on different issues.
5) Individuals Rights
Article 12 and the following ones oblige controllers to guarantee effective respect of data subjects’ rights. Even when identifying the data subject appears difficult, controllers are not exempted from the obligation to make the exercise of these rights effective; in fact, companies or organisations bear the burden of verifying the possible identity of data subjects with all reasonable efforts.
Controllers must also answer data subjects’ requests within a one-month deadline. When this deadline is not respected, data subjects have two options: lodge a complaint with the competent DPA, or seek a judicial remedy.
Only when the requests are particularly complex, or the companies or organisations receive a high number of requests, can they benefit from an extension of this deadline of at most two months.
The individual rights set forth under Article 12 and the following Articles are:
• Right to basic information (Art. 13 - Art. 14)
• Right of access (Art. 15)
• Right of rectification (Art.5(1)(d), Art. 16)
• Right to erasure also called “right to be forgotten” (Art. 17)
• The right to restrict processing (Art.18)
• Notifying third parties regarding rectification, erasure or restriction (Art.17(2), Art. 19)
• Right to data portability (Art. 20)
• Right to object to processing (Art. 21)
• Right to not be evaluated on the basis of automated processing (Art. 22)
B) CONDITIONS FOR DATA PROCESSING:
Under the GDPR, processing of personal data is possible only if conducted in accordance with the legal framework described here. The consent of the data subject is a key basis for data processing, as provided for under Article 7:
1. “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”.
Unlike the previous EU framework established by Directive n. 95/46/EC, the GDPR makes it harder to obtain a valid consent. Merely “signifying” consent (which was considered adequate under that Directive) is not sufficient as a manifestation of consent under the GDPR. The new Regulation clarifies that consent must consist of a clear affirmative action by the data subject.
Moreover, where the processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data. To achieve this, the consent must respect some requirements:
a) Consent must be “freely given”
To demonstrate that the consent has been freely given is particularly difficult. In order to do so, companies or organisations must:
• demonstrate that the choice was genuine, namely that there was no clear imbalance between the data subject and the controller that could have influenced the individual
• allow separate consent to be given to different personal data processing operations
• wherever possible, avoid making the conclusion of a contract conditional on the data subject’s consent to the processing of their personal data.
b) Consent must be "specific"
Consent must refer specifically to the exact purpose of the processing and be limited to a specific context. This means that blanket consent is forbidden, as is consent given to an undefined set of processing activities.
c) Consent must be "informed"
Data subjects must be provided with sufficient information to let them understand what they are consenting to. From this point of view, extra steps may be required in order to ensure that subjects properly understand the purposes of the processing.
Additionally, withdrawal of consent must be allowed, but it has no retroactive effect, meaning that the withdrawal cannot affect the lawfulness of previous processing based on consent. Data subjects must be informed of their right to withdraw consent before giving it.
In conclusion, the GDPR is extremely clear in excluding that silence or inactivity can amount to consent.
2) Other legal bases for data processing
Every data processing activity needs a legal basis. As said before, consent is the key basis for any data processing, in the absence of which companies and organisations that have processed data risk incurring substantial fines.
The lawfulness of processing is established by Article 6 that recognises other lawful bases for data processing from paragraph 2 to paragraph 6:
I. Contractual Necessity admits data processing when it is “necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
II. Compliance with legal obligations admits data processing “when it is necessary for compliance with a legal obligation to which the controller is subject”
III. Vital interest admits data processing “when it is necessary in order to protect the vital interests of the data subject or of another natural person”
IV. Public interest admits data processing “when it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
V. Legitimate interest admits data processing when “it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
The GDPR has introduced a significant change providing additional grounds for the lawful processing of sensitive personal data at Article 9.
3) Data transfer modalities
Article 44 establishes that: “Any transfers of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined”.
Generally speaking, the GDPR subjects the transfer of data abroad to a strict legal framework. The following Articles describe that framework:
i. Adequacy decisions, Art. 45
Adequacy decisions are formal acts by which the EU Commission recognises that a given Country provides an adequate level of protection of the rights and freedoms of data subjects; once such a decision has been adopted, cross-border data transfers to that third country do not need any additional authorisation. The detailed and updated list of Adequate Jurisdictions can be found at the dedicated page of the EU Commission: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm (last updated in September 2017).
The EU Commission’s adequacy decisions are periodically reviewed, at least every four years, and the Commission can change its evaluation at any moment. These decisions are valid for a maximum of four years, while existing adequacy decisions adopted under the previous EU Directive n. 95/46/EC will remain in force until modified in accordance with the GDPR.
ii. Model Clauses, Art. 46
Another instrument for lawfully transferring data abroad consists in the adoption of model clauses approved by the Commission. Those models cover transfers between two controllers (one established in the EU and one outside the Union) but also between a controller based in the EU and a processor outside the EEA.
Model clauses represent a valid instrument for data transfers considering that once approved by the Commission, there is no need for any further authorization by otherwise competent national DPAs. The model clauses elaborated before the adoption of the GDPR will be valid until amended, replaced or repealed.
Model clauses may be modified or updated by the Commission, but at present it is not yet known how such modifications could impact the companies and organisations that have implemented them.
Article 46(2) also admits a kind of “national” model clauses provided by National DPAs, which have been questioned because they could be used as a forum-shopping instrument.
iii. Binding Corporate Rules (BCRs), Art. 47
BCRs are a new and interesting mechanism for operationalising international transfers of data under the GDPR framework. Although limited to data transfers within Corporate Groups, they represent a very flexible system compared to the others provided by the Regulation. In fact, BCRs need to be approved by the competent DPA, but once authorised they do not need any other approval and they are valid for all the members of the Groups involved, whether or not they are established outside the EU. Additionally, the fact that BCRs are directly recognised by the GDPR will ease their approval by the competent DPAs. For such rules to be binding on every corporate member, they must confer enforceable rights on data subjects regarding the processing of their personal data, and they also have to satisfy the requirements set forth by Art. 47(2).
The GDPR has elaborated very specific provisions on BCRs, expressly listing the criteria that they must respect. This mechanism will increase certainty about the steps that Corporate Groups have to take in order to achieve GDPR compliance and, in doing so, be easily approved by the competent DPAs.
iv. Derogations, Art. 49
The GDPR admits some very specific derogations from the general prohibition on data transfers outside the EU, which are listed in Article 49. These possibilities are basically the same as those provided by the previous Directive n. 95/46/EC. Interestingly, GDPR derogations allow a high level of flexibility but at the same time require a substantial set of documentation. The derogations are allowed under the reassurance that the transfer “is not repetitive, concerns a limited number of interested parties, is necessary for the purposes of a legitimate interest of the controller which is not overridden by the interests or rights and freedoms of the person concerned, and the controller has assessed all the circumstances surrounding the data transmission and on the basis of that assessment provided adequate safeguards for the protection of personal data”.
Being so widely formulated, the derogations allowed by this Article are to be properly interpreted through practices developed with the proactive collaboration of data protection managers and supervisors. Authorities’ decisions will be helped by such collaboration.
v. Codes of Conduct (Art. 40 – 41) and Certification Mechanisms (Art. 42)
Codes of conduct are similar to a self-regulatory programme adopted to demonstrate that a company or organisation adheres to certain privacy standards. They can be drafted and promoted by associations or other representatives of controllers or processors according to Art. 40. Art. 41 of the Regulation deals with the supervision of the implementation of the codes of conduct and of general compliance with their provisions.
Based on Art. 42, data protection certifications, seals and marks have the same purposes as the codes of conduct, providing a certification to controllers and processors who demonstrate, through legally binding instruments, their willingness to respect the data protection safeguards provided by the GDPR. This certification mechanism foresees the involvement of the European Data Protection Board, which should develop a common European Data Protection Seal and publish information about certification registries.
ACTIVITIES TO CARRY OUT:
1) Data Protection Impact Assessment (DPIA)
The GDPR has introduced the concepts of “Privacy by default and Privacy by design”. The concepts of protection by design and by default establish that an organisation aiming to adopt a new technology, product or service must ensure its compliance with the GDPR. Privacy by Design requires companies or organisations to review the whole set of relevant activities related to new technologies and to plan how to use such technologies without violating data protection rights.
Privacy by Default requires that any technical product or service must automatically apply the strictest privacy settings, and no manual change to the privacy settings should be required of the user. Based on Privacy by Default principles, personal data acquired in the use of the technical product or service can be retained only for the amount of time necessary to provide such product or service.
Article 35 regulates DPIAs establishing that:
“1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.
3. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:
(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
(c) a systematic monitoring of a publicly accessible area on a large scale.
4. The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.
5. The supervisory authority may also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. The supervisory authority shall communicate those lists to the Board.
6. Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal data within the Union.
7. The assessment shall contain at least:
(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
8. Compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.
9. Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.
10. Where processing pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union law or in the law of the Member State to which the controller is subject, that law regulates the specific processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless Member States deem it to be necessary to carry out such an assessment prior to processing activities.
11. Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.”
Essentially, the Impact Assessment consists of a step-by-step review of all the stages that characterise the data processing activities. It aims to help companies or organisations identify the possible risks to the privacy of the data they process and adopt all necessary measures to prevent endangering the security of such data.
This obligation represents a particularly heavy burden on controllers and processors, since the preventive identification and removal of risks to data security is a necessary process to avoid data breaches, which are punished with high fines under the GDPR framework.
2) Data Security
It is clear that data security is a broad concept that requires data controllers to carry out a series of activities aimed at enhancing and maintaining the highest level of protection for data subjects.
Furthermore, data protection rules are changing rapidly, and the security required today will increase tomorrow as fast as technology develops.
From this perspective, Article 32 provides that:
“1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.”
The GDPR has completely replaced the significant discretion that Directive 95/46/EC left to companies or organisations with significantly more prescriptive provisions. As a consequence, companies or organisations must now meet stricter conditions in order to ensure an adequate level of security for the data they process. A clear example of this change is the duty of Data Breach Notification.
3) Data Breach Notification
Article 33 of the GDPR stipulates that:
“1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
3. The notification referred to in paragraph 1 shall at least:
(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.”
The obligation of data breach notification represents one of the core differences between the GDPR and the previous Directive 95/46/EC. The more specific information to be provided in the notification and the short time to submit it, 72 hours, make notification a particularly intricate duty, obliging organisations to identify, review and report a breach in a very short time and in a very precise manner.
A well-established system of data treatment and storage must be put in place, also considering that, in any case, records of all data breaches must be immediately disclosed to the competent DPAs and data subjects. For telecommunications providers in particular, this provision implies a double notification duty: under the GDPR framework and under the notification obligations foreseen by the e-Privacy Directive 2002/58/EC and its subsequent amendments.
It must be remembered that, when the breach represents a high risk to the rights and freedoms of individuals, the notification duty requires companies or organisations to act towards each affected individual. In this case, the company or organisation must proceed without undue delay. Besides the huge burden of all these notifications and the potential massive fines or settlement agreements, what is at stake is the risk of reputational damage to the involved companies or organisations and the consequent decrease in stock and commercial value.
Articles 33 and 34 offer some limited exemptions to the data breach notification regime described above, providing the possibility not to notify a breach when it has been timely and effectively resolved.
Article 83 establishes that:
“1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
(b) the obligations of the certification body pursuant to Articles 42 and 43;
(c) the obligations of the monitoring body pursuant to Article 41(4).
5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
(b) the data subjects’ rights pursuant to Articles 12 to 22;
(c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
(d) any obligations pursuant to Member State law adopted under Chapter IX;
(e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).
6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.
8. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.
9. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them”.
The new set of fines provided by the GDPR is probably one of the most striking changes introduced by the Regulation.
Companies or organisations are now called upon to plan and implement GDPR compliance policies as a fundamental element of their business policies, and then to harmonise their practices with the overall EU data protection system.
Along with this, national DPAs have an enhanced role and a pivotal responsibility in monitoring and, when needed, imposing fines and measures that can have a significant impact on the competitiveness of the operations of those companies or organisations.
The investigative activities carried out by the Authorities will also be relevant from a criminal law perspective, considering that, for any violation that does not have administrative law relevance, Member States may provide additional criminal law penalties. To this end, Art. 84 of the GDPR gives Member States the possibility to impose their own criminal sanctions for infringements of the Regulation.
End of the PrivacyRules® EU GDPR explanatory guideline
All rights reserved 2017 / 2018