While some tend to portray the new European Union (EU) General Data Protection Regulation (“GDPR”) as a menacing Apocalypse coming from nowhere, the fact is that GDPR is an “upgrade” of existing EU data protection laws. The EU Data Protection Directive (Directive 95/46/EC) was adopted already in 1995. In some countries – like Germany and Sweden – data protection laws were introduced even earlier, in the 1970s and 1980s.
GDPR keeps the basic principles of the Data Protection Directive and adds a new “layer” to it, aiming to unify data protection in all EU countries and bring more rights and control over data use back to individuals. In fact, GDPR incorporates the guidance of data protection authorities and best practice in data protection. There is almost nothing in GDPR that doesn’t already exist somewhere. For example, the data protection by design and by default principle originated back in the 1980s, data protection officers are already a mandatory requirement in Germany, and breach notification has existed in the communications sector for years.
But let’s look at exactly what changes GDPR brings.
1. One law for whole European Union
GDPR will apply directly in all EU member states, without the need to implement it into local laws. That means the same rules in all member states.
However, many provisions are left for EU member states to decide – for example, the age of data subject’s consent. Also, other directives – such as the “AML directive” – that interact with GDPR will remain directives to be implemented in the local laws of member states. Member states may introduce further conditions, including limitations, with regard to the processing of genetic and biometric data or data concerning health. Likewise, member states may adopt other local legal provisions interrelated with data processing.
So, although the general principles will be the same in all EU countries, there may be additional local requirements, as well as different approaches to and practices in applying the law.
2. Increased territorial scope
While existing EU data protection laws apply to businesses established in the EU or to processing carried out in EU territory, GDPR will apply to all processing of personal data by a business operating in the EU market, such as offering goods or services (e.g. having a website in the official language of a member state) or monitoring individuals, whether or not the business is physically based in the EU. It also applies to all Controllers and all Processors established in the EU, even if the processing takes place outside the EU.
Factors such as the use of a language or a currency generally used in one or more member states with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the EU, may make it apparent that the controller envisages offering goods or services to data subjects in the EU.
Controllers and Processors not established in the EU, but whose activities fall within the scope of the GDPR, will have to appoint (with some exceptions) a representative established in an EU member state. The representative is the point of contact for all Data Protection Authorities (DPAs) and individuals in the EU on all issues related to data processing. Therefore, all global businesses should be aware of, and have to prepare for, the new regime.
3. Increased fines
GDPR comes with big fines, which plays a big part in the fuss about the new Regulation. EU data protection authorities (“DPAs”) will be able to impose fines on an organisation which breaches the GDPR of up to the greater of:
- 4% of its (or its parent’s) annual global turnover (in the preceding financial year) or EUR 20 million in the case of major infringements (such as failure to obtain adequate consents or to comply with cross-border rules); and
- 2% of its (or its parent’s) annual global turnover (in the preceding financial year) or EUR 10 million in the case of other infringements (such as failure to appoint a data protection officer (“DPO”)).
The Regulation sets the upper limit and the criteria for sanctions; the final decision will be up to the DPA.
4. New requirements for those who process data
Organisations involved in data processing – whether they decide the purpose and means of processing (“Controllers”) or process data on behalf of others (“Processors”) – will have to comply with more, and stricter, requirements than the existing ones.
Accountability is one of the basic principles of GDPR and means that Controllers have to ensure, and be able to demonstrate, compliance with GDPR. This can be done through implementing appropriate technical and organisational measures, appointing a DPO, carrying out Data Protection Impact Assessments (“DPIAs”), and using Seals and Codes of Conduct.
Stricter rules for consent
Under the GDPR consent will need to be explicit and freely given. Silence, pre-ticked boxes and inactivity will not be sufficient. The GDPR clarifies cases where consent will not be freely given (e.g., no genuine choice to refuse, clear imbalance between the data subject and Controller).
The request for consent must be presented in a manner clearly distinguishable from other matters in an intelligible and easily accessible form, using clear and plain language. The data subject must be able to easily withdraw his or her consent at any time and must be informed of this right in advance.
The Controller will need to prove that consent was provided if challenged. Consent must be purpose-limited and will cease to be valid when the purpose is completed.
Specific requirements apply in relation to children’s consent for information society services. If an individual below 16 years wishes to use information society services, consent must be obtained from the child’s parent or the holder of parental responsibility of the child in question. However, member states may introduce domestic laws to lower this age to not less than 13 years.
Provide more information to individuals
Significantly more information must be provided to the data subject than is required under the Directive. This includes information on:
- legal basis for any processing, specific details regarding international data transfers,
- period for which personal data will be stored (or criteria for setting this period),
- right to data portability, right to object to data processing in certain cases,
- right to withdraw consent at any time,
- right to lodge complaints with supervisory authorities,
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract,
- whether data subjects are required to provide the data and the possible consequences for failing to provide data,
- existence of automated decision making (including profiling) as well as the logic involved and the significance and envisaged consequences of such processing for the data subject.
Where data is not collected directly from the data subject, the information must be provided to data subjects at the latest one month after the data was obtained.
Information to individuals must be provided in a concise, transparent, intelligible and easily accessible form using clear and plain language. Data controllers can provide such information to individuals in combination with standardized icons to give an easily visible, meaningful overview of the processing.
Data mapping and processing records
Controllers and Processors will be obliged to keep detailed records of processing activities and provide them to the DPA upon request. On the bright side, they won’t be required to register data processing, databases or files with the DPA.
Data protection by design and by default
Controllers shall take privacy issues into account when developing new processing, IT systems, products and services. Only the minimum of data necessary for specific purposes should be processed, and data security measures and the principles of data minimisation, anonymisation and pseudonymisation should be implemented.
Data protection impact assessments
Controllers will have to conduct data protection impact assessments (DPIAs) if their processing operations present specific risks to the rights of data subjects. A DPIA will be required in cases of:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing special categories of data on a large scale, or
- systematic monitoring of a publicly accessible area.
Businesses will be required to complete DPIAs at least annually, and in some instances the data protection officer (DPO) or the supervisory authority (DPA) will need to be consulted.
Breach notification
There will be a compulsory obligation on a Controller to report a breach to its DPA without undue delay and not later than 72 hours after learning about the breach. If the notification is submitted later than 72 hours, it shall be accompanied by a proper justification. The breach must also be notified (without undue delay) to the affected individuals where it is likely to adversely affect their data protection rights.
The exception from the notification requirement is where the breach is unlikely to result in a risk to data subjects’ rights and freedoms.
Data Protection Officers (DPO)
Controllers and Processors will be required to appoint a Data Protection Officer (DPO) if:
- the processing is carried out by a public body,
- the core activities of the Controller or Processor consist of processing which requires regular and systematic monitoring of data subjects on a large scale,
- the core activities consist of processing special categories of data on a large scale, or data relating to criminal convictions and offences, or
- when required by member state law.
A group of companies can appoint a single Data Protection Officer, provided that he or she is easily accessible from each entity.
Processor obligations and liability
Currently, Processors are not directly liable under the Data Protection Directive; Controllers are obliged to impose contractual obligations on their Processors, but there is no direct liability under the Directive. The Regulation imposes compliance obligations (such as security measures, keeping records of processing, appointing a DPO, complying with cross-border requirements, and notifying the Controller about breaches) directly on Processors. In addition, Processors will be required to:
- co-operate, on request, with DPAs in the performance of their tasks;
- assist Controllers, where necessary and upon request, in relation to data protection impact assessments and related prior consultations with DPAs; and
- return to the Controller or delete data once the processing is complete.
These requirements will also apply to Processors established outside the EU to the extent their processing activities relate to offering goods and services to EU residents or monitoring their behaviour. Processors will be directly liable in case of non-compliance with the Regulation, which means that DPAs may exercise their powers directly against the Processor (e.g. request information, access premises, issue fines).
Additionally, a Processor will be considered to be a data Controller, with direct liability under the GDPR, if it processes personal data other than as instructed by the Controller.
Sub-processors may only be engaged with the prior consent of the Controller and must be subject to the same contractual obligations as the initial Processor. If a sub-contractor fails to fulfill its data protection obligations, the initial Processor remains fully liable to the Controller for the performance of the other Processor’s obligations.
Agreements with Processors
Controllers must only use Processors which provide sufficient guarantees (in particular, in terms of expert knowledge, reliability and resources) to implement appropriate technical and organisational measures.
Controllers will be obliged to enter into new, more detailed processing agreements (or renegotiate existing ones).
International data transfers
The Regulation retains the same cross-border data transfer rules as the Data Protection Directive, formally recognises binding corporate rules (“BCRs”), and also adds new ones, such as a certification mechanism, codes of conduct, and a limited derogation for occasional transfers based on legitimate interest.
DPA authorisation for data transfers outside the European Economic Area (“EEA”) won’t be needed, except where transfers are based on contractual clauses which haven’t been adopted or approved by the EU Commission.
If a data transfer outside the EEA is based on consent, the data subject shall be informed about the risks resulting from the transfer before his or her explicit consent is obtained.
5. More and updated rights for data subjects
Data portability right
This right under the GDPR gives individuals the right to obtain a copy of any personal data held about them by an organisation in a re-useable and electronic format. This is so that individuals are able to transfer their personal data from one service provider to another quickly and efficiently.
This right only applies to personal data that an individual has provided to the controller, where the processing is based on the individual’s consent or for the performance of a contract and where the processing is carried out by automated means.
The exercise of this new right to data portability shall be without prejudice to the exercise of the right to erasure or the right of access.
“Right to be forgotten”
This is not exactly a new right – the right to request deletion of data that is no longer necessary for the purpose it was collected for already exists under the Data Protection Directive. However, this right is supplemented. It must also be noted that this right is the cause of many “GDPR myths” and misunderstandings, as it does not give individuals an absolute right to request full deletion of their data.
Controllers will be required to erase personal data upon request and without undue delay if one of the following grounds is met:
- the data is no longer necessary for the purpose for which it was collected or otherwise processed;
- the data subject withdraws consent on which processing is being based and no other legal processing ground can be relied on;
- the data subject validly objects to the processing;
- the data has been unlawfully processed;
- the erasure is required for compliance with a legal obligation under EU or member state law; or
- data has been collected in relation to the offering of information society services to a child.
Where Controllers have publicised personal data that they are obliged to erase, they are required to take reasonable steps (taking into account available technology and costs) to inform other Controllers who are processing the data, that the individual has requested the erasure of any links to, or copy or replication of, such data.
The right to erasure is subject to a number of exemptions, including where the data processing is necessary for exercising the right to freedom of expression and information, for compliance with a legal obligation or for the establishment, exercise or defence of legal claims.
Right of access
GDPR grants data subjects wider rights, and places additional requirements on Controllers, regarding access to their data:
- Controllers must put in place processes for facilitating the data subjects’ exercise of their rights, including processes for making requests electronically;
- access requests must be dealt with free of charge subject to an exception for manifestly unfounded or excessive requests;
- Controllers must respond to access requests without undue delay, and at the latest within one month, subject to a two-month extension for complex requests or large numbers of requests; and
- Controllers should use all reasonable measures to verify the identity of data subjects requesting access before granting access.
Right to restrict and object to processing
Under the GDPR, data subjects will have broader rights to object to data processing activities. Specifically, they will be able to object to processing of their personal data based on legitimate interests without having to demonstrate compelling legitimate grounds for such objection (as is required under the Directive). Rather, where the Controller wishes to continue to process such data despite an objection, it will be required to demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or to demonstrate that the processing is necessary for the establishment, exercise or defence of a legal claim.
Data subjects retain their right to object to processing of their personal data for direct marketing purposes (including the right to object to profiling related to direct marketing).
Individuals will also have an express right to ‘opt out’ of profiling and automated processing in a wide range of situations.
Organisations may act on behalf of data subjects
Member states may provide that certain non-profit organisations or associations may
- exercise certain data subjects’ rights on their behalf – such as the right to lodge complaints with DPAs or seek judicial review in case of alleged GDPR infringements,
- lodge a complaint or take legal action against DPAs, Controllers or Processors independently of a data subject’s mandate if they consider that data subjects’ rights have been infringed as a result of non-compliant processing.
6. New and updated definitions
The definition of a data subject under the current Data Protection Directive is of a person who is identified or identifiable from the data by reference to an identification number or to one or more factors specific to the person’s physical, physiological, mental, economic, cultural or social identity. This concept of indirectly identifying a person will be expanded under the GDPR to include methods of identifying an individual from his or her location data, genetic data or gender identity.
“Biometric data” and “genetic data”
The Regulation defines biometric data (“data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”) and makes it a special category of (sensitive) data, thus substantially limiting its use.
GDPR also defines genetic data: data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question. Like biometric data, genetic data is also sensitive personal data.
GDPR introduces a definition of pseudonymisation and defines it as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”.
7. Rules regarding profiling
GDPR defines profiling and sets requirements around it. Profiling which results in measures producing legal effects or significantly affecting the data subject will only be permissible if:
- necessary to enter or perform a contract in circumstances where suitable measures to protect the individual’s legitimate interests are in place;
- expressly provided for by EU or member state law; or
- based on express consent of data subject.
Other profiling activity is generally permissible provided that a right to object is highlighted. Profiling based on pseudonymous data (which is defined as data that cannot be attributed to a specific individual without the use of data held separately) falls under the latter category of profiling activity that is generally permissible.
The Controller must implement “suitable measures” to safeguard the rights of individuals. In particular, the Controller must allow for human intervention and the right for individuals to express their point of view, to obtain further information about the decision that has been reached on the basis of this automated processing, and the right to contest this decision. Controllers must also inform individuals specifically about “the existence of automated decision making including profiling and information concerning the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject”.
8. One stop shop
In the case of cross-border processing, the DPA in the jurisdiction of the main or single establishment of the Controller or Processor will be the lead authority. The lead authority will be the contact point of the Controller/Processor in relation to the given cross-border processing and will have primary responsibility for dealing with such cases; for example, the lead authority will coordinate any investigation related to the cross-border processing, involving other ‘concerned’ DPAs. However, each DPA will remain competent to handle local complaints or infringements of the GDPR.
9. Codes of conduct and certifications by authority or third party (trust seals)
The Regulation encourages organisations to adopt voluntary codes of conduct and engage in privacy certifications (either by an authority or a third party), as well as to use “privacy seals” demonstrating compliance with the Regulation and data protection standards.
10. European Data Protection Board (EDPB)
The Article 29 Working Party (WP29), which was set up under the Data Protection Directive, will be replaced by the “European Data Protection Board” (“EDPB”). The EDPB will have many tasks, but its primary role will be to contribute to the consistent application of the GDPR throughout the EU. The EDPB will have the status of an EU body with legal personality and extensive powers to settle disputes between national supervisory authorities and to issue opinions on specific matters such as the list of risky processing, codes of conduct and accreditation criteria for certification bodies. Like WP29, the EDPB will also be responsible for issuing guidelines, recommendations and best practices.