General Data Protection Regulation (GDPR)

Does your company have the data processing agreements required by the EU General Data Protection Regulation (GDPR) when it engages third parties to assist with its data processing activities?

The Dutch data protection authority recently asked this question of 30 companies in the energy, media and trade sectors. The agency has also conducted similar exploratory compliance surveys covering Data Protection Officers and processing activity registers.

Under GDPR, a company may only engage processors that offer sufficient guarantees that they also comply with legal requirements. The processor agreement must specify how the protection and processing of personal data is regulated and address issues including:

  • which data will be processed and for how long
  • the nature and purpose of the processing
  • how the security of the data is guaranteed

Details from the Dutch Data Protection Authority.

A medical center contracted by an insurance company to provide examinations and studies to individuals covered by insurance may be a “data controller” under the EU General Data Protection Regulation (GDPR) says the Commission for the Protection of Personal Data of Bulgaria.

The CPPD determined that in the case before it, the medical center was a data controller and not a “data processor” because:

  1. The processing of personal data in connection with the carrying out of examinations and research cannot be carried out on behalf of the insurer (data controller) because such services are required, by law, to be carried out by an organization having the status of a “medical establishment” within the meaning of the Bulgarian Law on Medical Establishments.
  2. Special legislation in the field of healthcare provides for a number of obligations, measures, mechanisms, procedures and conditions for the protection of health information containing personal data which cannot be delegated to a data processor.*

* summary based on an informal translation

View the original CPPD determination.

The IAPP (International Association of Privacy Professionals) reports on Spain’s new GDPR implementation law, which provides clarity on some gray areas.

Highlights include:

  • the data processor may address a data subject’s rights on behalf of the controller if this is provided in the contract or other legal instrument that binds controller and processor.
  • requests from a data subject are excessive, because of their repetitive character, when submitted “more than once during a period of six months, unless there is a legitimate reason.”
  • when an individual objects to the processing of his or her information for direct marketing, the controller may keep the necessary identification data of the affected person in order to prevent future processing for direct marketing purposes.
  • additional cases in which it is mandatory to designate a data protection officer (DPO) include: public and private universities; information society service providers when developing large-scale profiles of service users; and operators that develop game activity through electronic, computer, telematic and interactive channels.

More details here, via the IAPP.

Strong data encryption is a best practice, but according to new guidance from the UK’s data protection authority, it may not exempt you from General Data Protection Regulation (GDPR) notification requirements if you suffer a breach. That’s a significant departure from most U.S. federal and state data privacy rules.

Our Privacy & Data Security team explains the steps you should take now to stay in compliance with both sets of regulations in this new alert.

The UK Information Commissioner’s Office (ICO) has issued expanded guidance on “Personal Data” under the EU General Data Protection Regulation (GDPR).

Here are the highlights:

Pseudonymization does not change the status of the data as personal data. To truly anonymize under the GDPR, you must strip personal data such that the individual can no longer be identified, or later re-identified, using reasonably available means. If you can distinguish an individual from other individuals, then that person is “identified” or “identifiable.”

“Online identifiers” can be personal data. These include:

  • IP addresses
  • cookie identifiers
  • RFID tags
  • MAC addresses
  • advertising IDs
  • pixel tags
  • account handles
  • device fingerprints

To determine whether an individual is identifiable you must consider what means are reasonably likely to be used to identify the individual, taking into account all objective factors, such as: costs and amount of time required for identification; available technology at the time of the processing; and likely technological developments.
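The pseudonymization point above is easy to get wrong in practice: replacing an IP address with its hash looks like anonymization but is not. The script below is an added example written for this page (it is not from the ICO guidance and the log lines, key and function names are constructed) that pseudonymizes client IPs from a sample log with a plain SHA-256 and with a keyed HMAC, then shows that the plain hash is recovered by simply enumerating a /16 block. The full IPv4 space is only 2^32 candidates, which is minutes of work on commodity hardware, so it falls squarely within “means reasonably likely to be used.” The keyed variant resists an outsider without the key, but the controller still holds the key and can link the pseudonym back, so the data remains personal data in the controller’s hands.

```python
"""Hashing an online identifier is pseudonymization, not anonymization.

Added example for this page, not code from the ICO or any regulator.
All names, the sample log and the key are constructed for illustration.
"""
import hashlib
import hmac
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample access log: (client IP, request). Two entries share
# an IP, so even after hashing the same pseudonym appears twice and the
# individual can still be singled out ("identifiable" in GDPR terms).
SAMPLE_LOG: List[Tuple[str, str]] = [
    ("203.0.113.42", "GET /account"),
    ("203.0.113.7", "GET /login"),
    ("203.0.113.42", "POST /checkout"),
]

# Hypothetical controller-held secret for the keyed variant.
CONTROLLER_KEY = b"constructed-example-key-do-not-reuse"


def pseudonymize_plain(ip: str) -> str:
    """Unkeyed SHA-256 of the address. Opaque-looking, but the input space
    is tiny (2^32 IPv4 addresses), so it is reversible by enumeration."""
    return hashlib.sha256(ip.encode()).hexdigest()


def pseudonymize_keyed(ip: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Not enumerable without the key, but
    whoever holds the key can still link the pseudonym to the person."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def pseudonymize_log(log: List[Tuple[str, str]], key: Optional[bytes] = None
                     ) -> List[Tuple[str, str]]:
    """Replace the IP column with its pseudonym (plain or keyed)."""
    return [
        (pseudonymize_keyed(ip, key) if key else pseudonymize_plain(ip), req)
        for ip, req in log
    ]


def reidentify(target: str, network: str, key: Optional[bytes] = None
               ) -> Optional[str]:
    """Re-identification by enumeration: hash every address in `network`
    and return the one whose pseudonym matches `target`.

    With key=None this is what any outsider can do against a plain hash.
    With the controller's key it models the controller's own ability to
    link back, which is why keyed pseudonyms are still personal data."""
    for host in ipaddress.ip_network(network):
        ip = str(host)
        candidate = pseudonymize_keyed(ip, key) if key else pseudonymize_plain(ip)
        if hmac.compare_digest(candidate, target):
            return ip
    return None


def count_records_for_pseudonym(log: List[Tuple[str, str]], pseudonym: str) -> int:
    """Show that linkability survives hashing: records with the same
    pseudonym still belong to one distinguishable individual."""
    return sum(1 for p, _ in log if p == pseudonym)


if __name__ == "__main__":
    plain_log = pseudonymize_log(SAMPLE_LOG)
    h = plain_log[0][0]
    print("plain hash of first record:", h)
    print("records linked to that pseudonym:",
          count_records_for_pseudonym(plain_log, h))
    # An outsider enumerates a /16 (65,536 hashes) and gets the IP back.
    print("recovered by enumeration:", reidentify(h, "203.0.0.0/16"))

    keyed_log = pseudonymize_log(SAMPLE_LOG, CONTROLLER_KEY)
    kh = keyed_log[0][0]
    print("outsider without key:", reidentify(kh, "203.0.0.0/16"))
    print("controller with key:", reidentify(kh, "203.0.0.0/16", CONTROLLER_KEY))
```

Run it as-is; the /16 enumeration takes well under a second. Scaling the search from a /16 to the whole IPv4 space multiplies the work by 65,536, which is still cheap, so a plain hash of an IP address, cookie ID or MAC address never clears the “reasonably likely means” bar on its own.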

Details available here from the UK ICO.

Sharing personal data with data brokers or other business partners? The French regulator, CNIL, has new guidelines for you to follow.

Highlights include:

  • The individual whose data is shared must give consent before any transmission to partners.
  • The individual must be able to identify the partners (the recipients of the data) from the form on which the data is collected. You can either:
    • present a regularly updated, exhaustive list directly on the form; or, if that list is too long,
    • present a link to the list together with the partners’ privacy policies.
  • The individual must be informed of changes to the list of partners, and especially of the arrival of new partners.
  • The consent collected by the company gathering the data on behalf of its partners is valid only for those partners. The partners cannot pass the information on to their own partners without again collecting the informed consent of the individuals.
  • Partners must indicate, in their first communication, how individuals can exercise their rights (in particular the right to object) and the source from which the data came.

Details here from CNIL.

IF Brexit AND Privacy Shield THEN (amend privacy notice).

If you use the EU U.S. Privacy Shield mechanism to transfer Personal Data from the UK to the U.S., you will need to amend your privacy disclosure to state specifically that the commitment extends to personal data received from the UK in reliance on Privacy Shield – say new FAQs on the Privacy Shield website.

In case of a “no-deal Brexit,” you will need to make the amendments by March 29, 2019.

In case of a “soft Brexit,” you will need to make the amendments by December 31, 2020 (the end of the “transition period”).

Sample language provided on the site is: “(INSERT your organization name) complies with the (INSERT EU-U.S. Privacy Shield Framework [and the Swiss-U.S. Privacy Shield Framework(s)]) (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the (INSERT European Union and the United Kingdom and/or Switzerland, as applicable) to the United States in reliance on Privacy Shield… ”

Details from Privacy Shield.

The Irish Data Protection Commissioner (DPC) has launched a public consultation on children and data protection issues.

The consultation will have two streams: one aimed at adult stakeholders, and the other aimed directly at children and young people.

For the stream aimed at children and young people, the DPC has created a lesson plan on personal data and data protection rights which will help teachers to teach their students about basic data protection rights and allow them to collect the opinions and views of their students.

Some questions in the public consultation are:

  • How should organizations convey information to children in a manner they easily understand?
  • At what age and under what circumstances should kids be able to file an access or erasure request?
  • When should parents be able to file an access or erasure request for their children’s information?
  • What methods should be used to verify that a child is 16 or over?
  • What methods should online service providers use to ensure that the person providing consent is actually the holder of parental responsibility over the child?
  • Should organizations be prohibited from profiling children for marketing purposes?

Read the details here.

A Data Protection Impact Assessment (DPIA) is a process, required by the EU General Data Protection Regulation (GDPR), to help identify and minimize the data protection risks of a project.

The UK Information Commissioner’s Office (ICO) has published new guidance on DPIAs.

Per the guidance, you are required to do a DPIA if you plan to:

  • use innovative technology (in combination with any of the criteria from the European guidelines);
  • use profiling or special category data to decide on access to services;
  • profile individuals on a large scale;
  • process biometric or genetic data (in combination with any of the criteria from the European guidelines);
  • match data or combine datasets from different sources;
  • collect personal data from a source other than the individual without providing them with a privacy notice (“invisible processing”);
  • track individuals’ location or behavior;
  • profile children or target marketing or online services at them;
  • process data that might endanger the individual’s physical health or safety in the event of a security breach.

Read the full guidance.

In its second annual review, the European Commission notes that the Privacy Shield scheme provides adequate protection for personal data but improvements are still in order.

Highlights include:

  • Since the first annual review, the Department of Commerce (DOC) referred more than 50 cases to the Federal Trade Commission (FTC), to take enforcement action where necessary.
  • New tools have been adopted to ensure compliance with Privacy Shield Principles including: spot checks, monitoring public reports about Privacy Shield participants, quarterly checks of companies flagged as potentially making false claims and issuing subpoenas to request information from participants.
  • The US is to appoint a Privacy Shield Ombudsperson by not later than February 28, 2019 or the Commission will consider taking steps under GDPR.
  • The Commission is monitoring the following areas to determine if sufficient progress has been made: (i) effectiveness of DOC enforcement mechanisms; (ii) progress of FTC sweeps; and (iii) appointment and effectiveness of complaints handling by the Ombudsperson.

Read the full report.