Israeli Chamber of Commerce – GDPR: The European Angle
24 June 2019
Merav Griguer, Partner
Outline
• GDPR: main requirements
• GDPR sanctions
• GDPR compliance
• Data protection authorities' inspections
Slide 2 © Bird & Bird AARPI 2019
GDPR: main requirements
GDPR – Chronology
• 24 May 2016: entry into force of the GDPR
• 25 May 2018: coming into operation of the GDPR (2 years to become compliant with the GDPR)
• 19 October 2018: €400,000 – first GDPR sanction. The Portuguese data protection authority fined a hospital for failure to comply with the confidentiality and security obligations
• 21 January 2019: €50 million – highest sanction imposed under the GDPR so far, imposed by the CNIL (failure to comply with the transparency and information requirements)
GDPR scope – Material scope of application
Principle: the GDPR is applicable to the processing of personal data.
The GDPR does not apply to the processing of personal data carried out:
(a) In the context of an activity not falling within the scope of Union law
(b) By Member States in the context of specific activities (Chapter 2 of Title V of the Treaty on EU)
(c) By a natural person in the course of a strictly personal or domestic activity
(d) By the competent authorities for the purpose of the prevention, investigation, detection, prosecution or enforcement of criminal offences
GDPR scope – Territorial scope of application
The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
The GDPR also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
• The offering of goods or services, or
• The monitoring of their behaviour, as far as their behaviour takes place within the Union
Main definitions (Article 4 of the GDPR)
Personal data: any information relating to an identified or identifiable natural person (data subject), directly or indirectly. Concerns any natural person: employees, customers, prospects, service providers, suppliers, subcontractors, etc. Examples: surname, first name, date of birth, home address, tax address, bank identity, employment status, income, assets, connection logs, IP address, employee number, photograph, etc.
Processing of personal data: "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction". Examples: contact management, IT authorizations and resources, external communication, elections, control of the use of information systems, etc.
GDPR fundamental principles – 5 principles to comply with
1. Process personal data for a specific and legitimate purpose
2. Collect strictly necessary and appropriate personal data for each purpose pursued
3. Respect data subjects' rights
4. Limit the retention period of personal data to the achievement of the intended purpose
5. Ensure physical security of premises, logical security of information systems and confidentiality of personal data
Lawfulness of processing activities (Article 6 of the GDPR)
Processing activities shall be lawful. Lawfulness may rely on:
• Data subject consent
• Performance of a contract
• Compliance with a legal obligation
• Vital interests
• Public interest or exercise of official authority vested in the controller
• Legitimate interests pursued by the controller or by a third party
GDPR new obligations – 10 obligations to comply with
• Data breach notification
• Privacy Impact Assessment
• Keeping of processing activities records
• New rights for natural persons
• Appointment of a Data Protection Officer
• Transparency
• New definition of consent
• Sharing of responsibility between data controller and data processor
• Accountability
• Privacy by design / by default
Data subjects' rights
The GDPR provides for the following rights:
• Right of access
• Right to rectification
• Right to erasure
• Right to restriction of processing
• Right to data portability
• Right to object
• Right to define guidelines on the fate of personal data in the event of death
• Right to withdraw consent
• Right to file a complaint with a supervisory authority
Legal framework of data transfers outside the EU
Data transfers outside the EU are prohibited, except where one of the following exceptions applies:
• Adequate level of protection in the recipient's country
• "Appropriate guarantees":
- Privacy Shield (transfers to the USA)
- Standard Contractual Clauses
- Binding Corporate Rules (BCR – intercompany transfers)
• Derogations provided by the GDPR (e.g. explicit consent to the envisaged transfer, processing necessary for important public interest purposes, or for the safeguard of the data subject's or other persons' vital interests)
GDPR sanctions
GDPR possible sanctions (Article 83 of the GDPR)
First category of violations – fine of up to 4% of the annual worldwide turnover or €20 million:
• Failure to comply with the obligation to process the data collected fairly
• Processing of sensitive data
• Lack of information/consent of the data subjects
• Breach of data subjects' rights (access, rectification, opposition, right to be forgotten, right to data portability) or of the rules on transfers of data to a third country
• Non-compliance with a data protection authority injunction
Second category of violations – fine of up to 2% of the annual worldwide turnover or €10 million:
• Failure to comply with the obligation to keep a register of data processing activities
• Lack of notification of a security breach
• Failure to comply with the obligation of security
• Absence of "Privacy by design"
• Absence of an impact assessment (PIA)
• Failure to appoint a Data Protection Officer (DPO)
Investigations started – First penalties
• January 21, 2019 – 50 million euros fine and publication of the penalty by the French data protection authority (CNIL). Failure to comply with transparency and information requirements and with the obligation to have a legal basis for the processing of advertising personalization. Highest sanction so far, to be put in perspective with Google's annual turnover: in 2017 it was 96 billion euros, so the penalty is equivalent to circa 0.05% of Google's annual income.
• June 12, 2019 – More than 250,000 euros fine imposed by the Spanish data protection authority (AEPD). Violation of article 5.1 of the GDPR requiring that data be processed lawfully, fairly and in a transparent manner – recording of app users' surroundings (inadequate level of notification).
• June 6, 2019 – 400,000 euros fine and publication of the penalty by the French CNIL. Failure to comply with the obligation to secure personal data under article 32 of the GDPR and with the data minimization principle – rental candidates' documents freely accessible without prior authentication and stored without limitation beyond the period necessary for allocating accommodations (real estate sector).
Investigations started – First penalties (continued)
• May 8, 2019 – 170,000 euros fine imposed by the Norwegian data protection authority (Datatilsynet). Lack of appropriate security measures in the computer file systems (violation of articles 5.1 and 32 of the GDPR) – a file with login credentials for 35,000 students and employees was found in a public storage area.
• March 3, 2019 – 220,000 euros fine imposed by the Polish Personal Data Protection Office, along with an accompanying order to properly notify data subjects within 6 months. Failure to comply with the obligation to issue information notifications to data subjects (article 14 of the GDPR).
• 2018 – 50,000 euros fine imposed on an online bank by the Data Protection Commissioner of Berlin. Violation of article 6 of the GDPR requiring a legal basis for processing – unauthorized processing of the personal data of all former customers in order to keep a blacklist.
Effectiveness of GDPR compliance
GDPR: one year on
Data protection authorities' behaviour:
• First few months following May 25, 2018: exploratory period
• Data protection authorities published recommendations and guidance to help companies comply with the GDPR
• Flexibility of authorities
• As of now, this phase is over: authorities are strengthening enforcement and applying sanctions less leniently
• Risk of fines (e.g. fines imposed on Internet giants)
• Risk of temporary or permanent suspension of processing
• Impact on the reputation of companies
Influence of the GDPR on other global legislation outside the EU:
• Many countries have aligned their data protection regulation with the GDPR (e.g. Switzerland, Norway, Iceland, Liechtenstein)
• Regulations influenced by the GDPR (e.g. Brazil and California data protection laws coming into force in 2020)
• Common requirements: data subjects' rights, data breaches or accountability obligations
• The European Data Protection Board (EDPB) has started to publish information from national authorities on its website
GDPR: one year on – Figures
European cooperation (6 months on) and one year on across Europe:
• Cooperation between data protection authorities in more than 1000 procedures
• 14000 complaints to data protection authorities
• 345 cross-border complaints
• 89271 notifications of personal data violations in Europe
• 4 plenary sessions of the EDPB and working groups meetings
• 19 guidelines (e.g. codes of conduct, video surveillance, etc.)
• 2nd annual review of the Privacy Shield in October 2019
• Opinion on the e-Privacy Directive and Regulation proposal (access to electronic evidence)
• 20 national lists of processing requiring the conduct of a PIA approved by the EDPB
New challenge for the coming year: building trust in digital technology. Goal: give credibility to the new regulation with a view to society's expectations.
Compliance actions to be carried out
The French CNIL advises companies to follow these steps:
1. Appoint a pilot: even though appointing a DPO is not always mandatory, it is recommended to do so. The DPO will inform and advise the data controller upon request, cooperate with the data protection authorities and be a contact point for authorities and data subjects.
2. Map processing operations: carrying out an audit will help map the processing operations by establishing a register and determining whether the legal basis for processing personal data and the principles relating to processing are complied with.
3. Prioritize the compliance actions to be carried out, such as the respect of the GDPR fundamental principles, data subjects' rights, security measures, information notices and contracts between data controllers and processors.
4. Manage risks: this means assessing, with the involvement of the DPO, the necessity to carry out a PIA where processing operations are likely to create a high risk for the rights and freedoms of the data subjects.
5. Organize internal processes such as confidentiality or data security policies, information notices, PIAs, complaints or security breach management procedures, the processing register, etc.
6. Accountability: documenting compliance by implementing procedures and policies at each step of the way, with the assistance of the DPO, provides evidence of GDPR compliance.
Assessment of companies' compliance – No 100% compliance with the GDPR
• Companies have mapped out their processing operations
• Companies have conducted a GDPR audit and a plan of action
• Companies have updated/implemented data protection policies
Observation: no company can claim to be 100% compliant with the GDPR as of today.
Assessment of companies' compliance – Blocking points and unfinished actions
• Retention period and databases management: CRM tools predating the GDPR and practical difficulty to manage data retention periods
• Difficulties: the challenge is not to achieve 100% compliance in the short term. It is necessary to prioritize:
- Data security
- Governance optimization – upstream compliance of the solutions (bringing the legal, marketing, commercial, etc. fields together)
- Data transfers management (appropriate guarantees: standard contractual clauses, supervising transfers in view of Brexit)
Data protection authorities' inspections
Typology of inspections
The different forms of inspections apply to both data controllers and data processors (e.g. IT providers). The following inspections are performed by the French CNIL and are likely to be performed by other data protection authorities, although this is not necessarily the case.
• Online inspection
- Carried out from the premises of the CNIL
- Without the presence of the data controller/processor
- The person in charge is informed by means of an online report of findings
• Inspection of documents
- Disclosure of documents upon written request by the CNIL
• Hearing
- Convocation of the data controller at the CNIL's premises
• On-site inspection
- By CNIL agents, at the data controller's premises
- Duty to collaborate
On-site inspection – Purpose of the missions
• Verify that the applicable data protection requirements are complied with
• Look for potential unlawful processing activities
• Make sure, in particular, that:
- The necessary formalities are carried out (records of processing activities, PIA preparation, etc.)
- The processing operations carried out correspond to those entered in the record (search for concordance or discrepancy)
- The IT and physical security measures are appropriate
Powers of persons authorized to carry out inspections – Inspection perimeter
• Request access to all documents necessary to fulfil their mission:
- Regardless of the medium
- And take a copy of them
• Collect, on the spot or upon convocation, any useful information or justification
• Access software programs and data, and request their transmission, by any appropriate processing, in documents directly usable for the purposes of the inspection
Duty to cooperate
• Data controllers cannot object to the action of the authority or its agents
• They must:
- Take all useful measures to facilitate the work of the authority
- Provide the information requested by the authority for the exercise of its missions
• Exceptions:
- Professional secrecy
- Right of the person in charge to object to the visit of the authority; the objection must not constitute an offence of obstruction
Potential follow-ups of the inspection
Following the inspection:
• Request for additional information
• Closing of the case with potential recommendations
• Denunciation to the public prosecutor
• New on-site inspection
• Formal notice to cease breaches
• Online inspection
Inspection control – European cooperation and increased severity
European cooperation:
• In order to ensure homogeneous and consistent protection of personal data throughout the EU, all European data protection authorities continue to cooperate.
• Example: collaboration on cross-border processing via joint control operations.
Increased severity:
• Particular attention will be paid to the compliance of major groups and Internet giants.
• Refusal of the "name and shame" principle: sanctions made public must not have the effect of disparaging companies, but rather allow them to draw lessons on the protection of personal data.
Examples of supervisory authorities' inspection powers in Europe
France
- Power to make onsite inspections and dawn raids: Yes (and raids have occurred)
- Power to take copies of documents during the raid: Yes
- Power to seize documents and equipment: No
- Power to carry out other types of investigations: Yes (request for a hearing, online inspection, inspection of documents)
- Highest fine for breach of GDPR/data protection laws: €50 million (Google fine)
Germany
- Power to make onsite inspections and dawn raids: Yes (no raids have occurred yet)
- Power to take copies of documents during the raid: Yes
- Power to seize documents and equipment: No
- Power to carry out forensic investigation: Unlikely
- Highest fine for breach of GDPR/data protection laws: €20,000 (Knuddels.de)
Ireland
- Power to make onsite inspections and dawn raids: Yes
- Power to take copies of documents during the raid: Yes
- Power to seize documents and equipment: Unclear
- Power to carry out other types of investigations: Yes (request for a hearing, inspection of documents)
- Highest fine for breach of GDPR/data protection laws: €45,000
UK
- Power to make onsite inspections and dawn raids: In very limited circumstances (no raids have occurred yet)
- Power to take copies of documents during the raid: In very limited circumstances
- Power to carry out other types of investigations: Yes (inspection of documents, request for a hearing)
- Highest fine for breach of GDPR/data protection laws: No GDPR fine yet
Thank you
Merav Griguer, Partner
merav.giguer@twobirds.com