Summary of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), which enters into force tomorrow.
This Regulation applies:
- to the processing of personal data if the controller is located in the Union, regardless of whether the processing takes place in the Union or not;
- to the processing of personal data of data subjects who are in the Union, even if the controller or processor is not established in the Union.
I. Principles relating to processing of personal data
A. General principles
Personal data shall be:
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“purpose limitation”);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
- accurate and, where necessary, kept up to date (“accuracy”);
- kept for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”).
B. Lawfulness of processing
Processing is lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
C. Transparency and information
The controller shall take appropriate measures to provide the data subject with information relating to the processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
The information to be provided is detailed in Article 13 of the GDPR.
D. Rights of data subjects
The controller must honour and give effect to the rights of data subjects:
- the right to request from the controller access to personal data and rectification or erasure of personal data or restriction of processing concerning the data subject, or to object to processing, as well as the right to data portability;
- the right to withdraw consent at any time;
- the right to object to processing of personal data concerning him or her;
- the right not to be subject to a decision based solely on automated processing.
II. Obligations of the controller
A. Data protection by design and by default
Before implementing a processing operation, the controller shall (i) take into account the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, (ii) implement appropriate technical and organizational measures designed to implement data-protection principles, such as data minimization, and (iii) integrate the necessary safeguards into the processing.
The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
The data controller must carry out a “Data protection impact assessment” for each type of processing which is likely to result in a high risk to the rights and freedoms of natural persons (e.g. in particular the use of new technologies, profiling, automated decision-making, large-scale processing of special categories of data, or data relating to criminal convictions and offences).
B. Data Protection Officer – Records of processing activities
In some circumstances, the controller will be obliged to appoint a DPO (see avocatspi.com/2018/04/13/dpo-data-protection-officer/).
Each controller and each processor shall maintain a record of processing activities (https://www.cnil.fr/fr/rgpd-et-tpepme-un-nouveau-modele-de-registre-plus-simple-et-plus-didactique).
C. International Transfers
Transfers of personal data outside the European Economic Area are authorized only if:
- the European Commission has decided that the third country ensures an adequate level of protection; or
- the entity to which the data is transferred enters into a model-clauses data transfer agreement in the form approved by the European Commission.
D. Security of processing
The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
This includes technical measures such as (but not limited to) firewalls and the use of anti-virus software, password protection and appropriate access controls, as well as organizational measures (e.g. processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational cyber security controls). Data masking and anonymisation/pseudonymisation may also be used.
All employees who handle personal data will receive training in data protection legislation. They must also be bound by an enforceable duty of confidentiality.
E. Violation/Data breach
The GDPR introduces a new requirement for personal data breaches to be notified to the relevant supervisory authority (in France, the data protection authority is the CNIL) without undue delay and, where feasible, no later than 72 hours after the controller becomes aware of it.
A personal data breach includes “any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed” (Article 4(12) GDPR).
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
F. Processors
Where processing is to be carried out on behalf of a controller by a processor, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Processing by a processor shall be governed by a contract that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.
Under the GDPR, the processor has to obtain the controller’s prior written approval before appointing a sub-processor.
Example of an action plan
- Make a list of and collect the documentation sent to data subjects when collecting or discussing personal data
- Check that the wording of any documentation sent to data subjects is intelligible, concise and easy to understand and access
- Work with the legal team to create or implement any changes to policy documentation or fair processing notices to be supplied when collecting personal data from a data subject
- Draft a consent process document
- Ensure that all personal data can be completed or updated within 30 days of receipt of a rectification request, and highlight any areas where it may not be possible to rectify inaccurate personal data within 30 days of receipt of a request
- Draft a portability process document
- Draft a breach process document
- Draft a “data privacy” clause for employees’ contracts
- Provide employees with GDPR guidelines and framework (intranet or training)
- Check that any applications used to process personal data have individual user accounts, and ensure that access is not shared between users
- Verify whether the people/branches that access personal data actually require the information (limitation of access). For example, the US branch does not necessarily have a legitimate interest in accessing such details
- Verify whether the people who receive personal data actually require the information being sent to them, and whether they require any personal identifiers contained in the communication
- Where personal data is being shared externally, ensure any attachments are password protected where possible
- Make a list of and collect the reports that are produced and that contain personal data
- Review reports to ensure that all of the personal data contained in the report is indeed required
- Review whether accounts payable and finance need to receive the sensitive personal data that is provided to them
- Prepare a list of existing suppliers that handle personal data and identify suppliers that have been hired without a contract
- Draft a “data privacy” clause for third-party contracts
- Draft a retention process document
- Review the paper archiving process, and ensure that cartons are labelled with an accurate retention date and owner
- Draft a local version of the Register of Processing activities as required by the law