Memo: General Data Protection Regulation (GDPR)

The Regulation was adopted in April 2016 and will be directly applicable in all Member States (without the need for each Member State to implement national legislation) on the 25th May 2018, replacing the existing Data Protection Directive. The lack of harmonisation of data protection rules amongst the Member States, together with advances in information and communication technology and network interoperability, have increased the need for a uniform framework designed to harmonise data privacy laws across Europe. The GDPR is designed to enhance the protections provided, further empower the data privacy rights of all EU citizens and change the way organisations gather, hold and process data. The framework is clear in the obligations it imposes, and businesses should start preparing for it now: compliance with the Regulation will be crucial and preparation will take time.

Territorial Scope:

A significant change imposed by the GDPR on the regulatory landscape of data privacy is the extended jurisdiction provided under the Regulation. The extended territorial scope applies to the processing of personal data by controllers and processors established in the EU, regardless of whether the processing itself takes place in the EU or not (Art. 3(1)). This inherently means that data processors are now included within the scope of the GDPR. The Regulation, however, also applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where:

a. the processing activities relate to the offering of goods or services to data subjects within the EU (irrespective of whether payment is required). It must be apparent that the controller envisages offering goods and services within the EU (Recital 23). Factors such as the use of a language or currency used in one or more Member States may indicate that the controller is offering goods and services to data subjects within the EU;

b. the processing activities relate to the monitoring of behaviour that takes place within the EU. In order to determine whether a processing activity can be considered as monitoring of a data subject’s behaviour, it should be ascertained whether natural persons are tracked on the internet, including the potential subsequent use of personal data processing techniques which consist of profiling a natural person, in particular in order to take decisions concerning that person or to analyse or predict the person’s behaviours, preferences and attitudes (Recital 24).

Therefore, businesses should determine whether they engage in the activities covered under the new regime. In cases where the Regulation applies to controllers or processors not established in the EU, a representative established within the EU (in the Member State/s where goods and services are offered or behaviour is monitored) must be designated in writing. The obligation to appoint a representative is subject to the exceptions stated in Article 27(2): (a) processing which is occasional, does not include processing on a large scale of special categories of data or data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, and (b) processing by a public authority or body.

Material Scope:

The GDPR applies to the processing of personal data by wholly or partly automated means and to the processing by other than automated means of personal data which form (or are intended to form) part of a filing system. The Regulation states in Recital 15 that protection should be afforded to the data subject in cases of processing by automated means as well as manual processing if the data is contained or intended to be contained in a filing system. A filing system is defined in Article 4 as “any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis”. In order to avoid risks of circumvention, the protection of data subjects should be technologically neutral and should also not depend on techniques used.

Meaning of personal data and types of data:

According to the Regulation, personal data means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. The definition of personal data is now broader and, as a result, data reasonably likely to identify a person is considered personal data for the purposes of the Regulation. Information generated online is now covered under the new regime, as the definition of personal data now includes online identifiers. Recital 30 lists a range of online identifiers, including IP addresses, cookie identifiers and radio frequency identification tags, which may be used in combination with other information to identify natural persons. Personal data may include a natural person’s personal, family, education, employment, financial and contractual details.

Subject to certain exceptions, the processing of special categories of data that reveal sensitive information, such as racial or ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data, health data and data concerning sex life or sexual orientation, is prohibited. The exceptions include matters such as substantial public interest, explicit consent to the processing for one or more specified purposes, processing necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent, as well as processing necessary for the establishment, exercise or defence of legal claims (Article 9).

Recital 26 states that personal data which have undergone pseudonymisation, and which could be attributed to a natural person by the use of additional information, will be considered under the Regulation as information on an identifiable natural person. Pseudonymisation is a new concept introduced by the Regulation and is defined as follows: “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”. This new class of personal data can reduce the risks to data subjects and assist controllers and processors in complying with their obligations. However, the Regulation does not preclude other data protection measures (Recital 28).

Processing of Data:

Processing is defined in Article 4 of the Regulation as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means” and includes “collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

Principles relating to the processing of personal data:

The Regulation provides certain principles in relation to the processing of personal data which controllers and processors must adhere to when processing personal data. Compliance with these principles is essential as they form the basis of lawful processing.

Article 5 sets out the following principles:

(a) lawfulness, fairness and transparency

Data should be processed lawfully, fairly and in a transparent manner in relation to the data subject. The Regulation states that data processing shall be lawful only if it can be justified on one or more of the legal grounds stated below:

  1. The data subject has consented to the processing of the data for one or more specific purposes (specific consent requirements are discussed below);
  2. Processing is necessary for the performance of a contract to which the data subject is a party, or in order to enter into a contract;
  3. Processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. Processing is necessary to protect the vital interests of the data subject or of another natural person. As stated in Recital 46, processing should be regarded as lawful where it is necessary to protect an interest which is essential for the life of the data subject or of another natural person. Processing based on the vital interests of another natural person should only be relied upon where the processing cannot manifestly be based on another legal basis. The recital also states that there may be cases where the processing serves both important grounds of public interest and the vital interests of the data subject, for instance processing for humanitarian purposes such as monitoring epidemics;
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, “except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”. Recital 47 states that, in determining whether the data subject’s interests and fundamental rights override the legitimate interests of the controller, one must consider the reasonable expectations of the data subject based on his/her relationship with the controller. Where the data subject does not reasonably expect further processing of his/her personal data, the data subject’s interests and fundamental rights could override the controller’s interest. The recital clearly states that the “processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned”. Additionally, processing for direct marketing purposes may also be regarded as carried out for a legitimate interest (this legal ground does not apply to processing by public authorities in the performance of their tasks).

Transparency requirements under the Regulation include the right of the data subject to receive information on the identity of the controller and on the nature and purposes of the processing, as well as to be informed of a data breach likely to result in a high risk to the data subject’s rights and freedoms.

Therefore, specific information must be provided to the data subject in order for the transparency requirement to be met and, in turn, for the fair and lawful principle to be satisfied. The information to be provided depends on whether the data is collected directly from the data subject or obtained from a third party. Irrespective of whether the data is obtained from the data subject or from a third party, the information must be in clear and plain language, especially if it is provided to a child, and must be in a transparent, concise, intelligible and easily accessible form. This information shall be provided in writing or by other means, including electronic means, and where the data subject so requests it may be provided orally, provided that the data subject’s identity is proven by other means (Article 12(1)). It should be noted that the burden of proving that the information has been provided falls on the controller. The information must be provided to the data subject free of charge (Article 12(5)).

In the event that the data is collected directly from the data subject the following information must be provided:

  1. Identity/contact details of controller and representative
  2. Contact details of Data Protection Officer
  3. Intended purpose & legal basis for processing
  4. If processing under Article 6(1)(f), the legitimate interest pursued
  5. Recipients/categories of recipients
  6. Transfer of data outside the EEA or to an international organisation as well as the existence of adequate safeguards
  7. Period for which data is stored or the criteria used to determine that period
  8. The data subject’s rights (right of access, right to rectification, right to erasure, restriction of processing, right to object to processing and right to data portability)
  9. Right to withdraw consent in cases where the processing is based on consent
  10. Right to lodge a complaint with the Supervisory Authority
  11. If provision of data is a statutory or contractual requirement the data subject must be informed of the obligation to provide his/her personal data as well as the consequences of a failure to provide such information
  12. The existence of automated decision making or profiling as well as information on the logic /significance /consequences of such processing.

If the data is obtained from third parties, the controller shall provide the same information as stated above within a reasonable time after obtaining the data, and at the latest within one month (unless providing this information would involve disproportionate effort – Articles 14(3) and 14(5)(b)).

(b) purpose limitation

Under Article 5(1)(b), personal data must be collected for specified, explicit and legitimate purposes and must not be further processed in any manner incompatible with those purposes. The Article clarifies that further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes. There are, however, three exceptions to the purpose limitation principle. Firstly, further processing which is incompatible with the original purpose is permitted where the consent of the data subject is obtained (Article 6(4)). The second exception is further processing on the basis of EU or national law; such a measure must be necessary and proportionate in a democratic society in order to safeguard the objectives stated in Article 23(1) (national security, defence, public security etc.). The final exception is further processing for public interest purposes, subject to certain conditions (archiving in the public interest, scientific or historical research purposes or statistical purposes).

In other cases of further processing the controller shall assess whether the further processing is compatible with the purpose for which the data were initially collected. In such a case the controller shall take into account certain criteria as stated in Article 6(4). The non-exhaustive list includes matters such as a link between the purposes of the initial collection and the purposes for further processing, the nature of data in question as well as the existence of appropriate safeguards.

(c) data minimisation

Personal data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. This means that the personal data gathered must not be excessive and must be necessary for the stated purpose. Data cannot be collected for unspecified future use.

(d) accuracy

Data must be accurate and where necessary, up to date. Every reasonable step must be taken in order to ensure that inaccurate data, having regard to the purposes for which they are processed, are erased or rectified without delay.

(e) storage limitation

Data which is kept in a form which permits identification should not be held for longer than necessary in relation to the purposes for which it is processed. According to Article 5(1)(e), data may be stored for longer periods if it is processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of the appropriate technical and organisational measures required by the Regulation to safeguard the rights and freedoms of the data subject.

(f) integrity and confidentiality

Data must be processed in a manner that ensures appropriate security of the data and this includes protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical and organisational security measures (Article 5(1)(f)). The security and confidentiality of the data must be ensured.

(g) accountability

Article 5(2) clearly states that the person responsible for demonstrating compliance with the above principles (Article 5(1)) is the data controller.

Consent:

The Regulation defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Consent should be given by a clear affirmative act and can take the form of a written statement or an oral statement. It should establish an informed and unambiguous indication that the data subject agrees to the processing of his/her personal data. Recital 32 clearly states that silence, pre-ticked boxes or inactivity should not constitute consent. It is essential that, where processing is carried out for multiple purposes, consent is given for all of them. Where the request for consent is made by electronic means, the request should be “clear, concise and not unnecessarily disruptive to the use of the service for which it is provided”. If consent is not obtained as provided for in the Regulation, the consent is invalid and the processing activity is rendered unlawful.

The controller should be able to demonstrate that the data subject has given consent to the processing activity. The controller should put appropriate safeguards in place to ensure that the data subject is aware of the fact that, and the extent to which, his/her consent is given. For consent to be informed, and therefore valid, the data subject must be aware of at least the purposes of the processing and the identity of the controller. Consent will not be regarded as freely given where the data subject has “no genuine or free choice or is unable to refuse or withdraw consent without detriment” (Recital 42).

The Regulation gives the data subject the right to withdraw his/her consent at any time. The data subject must be informed of this right prior to giving consent. Withdrawal of consent shall not affect the lawfulness of the processing that occurred prior to the withdrawal. Withdrawing consent shall be as easy as giving it.

To assess whether consent is freely given account shall be taken of “whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract” (Article 7(4)).

In cases involving children, the data of children below the age of 16 can only be processed if consent is given by the holder of parental responsibility. The Regulation provides that the controller should make reasonable efforts to verify that consent has been properly given by the holder of parental responsibility, taking into consideration available technology.

Data subject’s rights:

  1. Right to withdraw consent (mentioned above)
  2. Right of access by the data subject (Article 15): data subjects have the right to obtain confirmation from the data controller of whether or not their personal data are being processed, as well as access to the data and to information such as:
    1. the purposes of processing,
    2. the categories of data processed,
    3. the recipients to whom the data will be disclosed (particularly recipients in third countries or international organisations; where there will be disclosure to a third country, the controller must inform the data subject of the appropriate safeguards),
    4. the period for which the data will be stored and the criteria used to determine that period,
    5. the fact that the data subject has the right to request from the controller rectification or erasure of his/her personal data, restriction of processing or to object to such processing,
    6. the right to lodge a complaint with a supervisory authority,
    7. if the data is not collected from the data subject, information on its source,
    8. the existence of automated decision-making, including profiling, as well as information on the logic, significance and probable consequences of such processing.
    9. Additionally, the controller shall provide the data subject with a copy of the data being processed, free of charge. If further copies are requested, a reasonable fee based on administrative costs may be charged.
  3. Rectification and erasure (Article 16): the data subject has the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him or her. Data subjects also have the right to have incomplete personal data completed, including by means of a supplementary statement.
  4. Right to erasure (“right to be forgotten”) (Article 17): data subjects have the right to request the erasure of their personal data without undue delay, and the controller is obliged to erase the data if one of the following applies:
    1. The data are no longer necessary for the purposes for which they were collected
    2. The data subject withdraws consent and there is no other legal ground for the processing
    3. The data subject objects to processing carried out in the public interest or on the basis of the controller’s legitimate interest, on grounds relating to his/her particular circumstances
    4. The data subject objects to the processing of the data for direct marketing purposes
    5. The data has been unlawfully processed
    6. The data need to be erased for compliance with a legal obligation under EU or national law
    7. The data have been collected in relation to the offer of information society services directly to a child.
    8. If the controller has made the data public and is obliged to erase it (in any of the cases above), the controller shall take all reasonable steps to inform other controllers processing the data in question of the data subject’s request for erasure.
    9. The above is subject to certain exceptions (freedom of expression and information, compliance with a legal obligation, public interest, and the establishment, exercise or defence of legal claims).
  5. Right to restriction of processing (Article 18): in one of the following cases:
    1. the accuracy of the personal data is contested by the data subject
    2. the processing is unlawful and the data subject opposes erasure
    3. the controller no longer needs the personal data, but they are required by the data subject for the establishment, exercise or defence of legal claims
    4. the data subject has objected to processing, pending verification of whether the controller’s legitimate grounds override those of the data subject
  6. Obligation to notify (Article 19): the controller shall inform each recipient to whom personal data has been disclosed of any rectification, erasure or restriction (unless this proves impossible or involves disproportionate effort). If the data subject so requests, he/she shall be informed of those recipients.
  7. Right to data portability (Article 20): the right of the data subject to be provided with a copy of his/her personal data where the processing is based on consent or a contract and is carried out by automated means. The data subject also has the right to have the data transmitted directly from one controller to another.
  8. Right to object to processing (Article 21): the data subject has the right at any time to object, on grounds relating to his/her particular situation, to processing carried out for a task in the public interest or in the exercise of official authority vested in the controller, and to processing necessary for the legitimate interests of the controller or a third party. The data subject also has the right to object to processing for direct marketing purposes (including profiling related to direct marketing). This right must be explicitly brought to the attention of the data subject at the latest at the time of the first communication, and must be presented clearly and separately from any other information. The Article also provides that, where data is processed for scientific or historical research or statistical purposes, the data subject has the right to object unless the processing is necessary for the performance of a task carried out for reasons of public interest.
  9. Automated individual decision-making, including profiling (Article 22): under this Article, data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. A data subject may be subject to such an automated decision only where it is necessary for entering into or performing a contract between the data subject and the controller, where it is authorised by EU or national law which lays down measures to safeguard the data subject’s rights and freedoms, or where the data subject has given explicit consent. In all cases the controller shall ensure that appropriate safeguards are implemented to secure the data subject’s rights, freedoms and legitimate interests. The Regulation also provides that decisions based on profiling should not be based on special categories of data unless the data subject explicitly consents to such use or the processing is necessary for reasons of substantial public interest.

Controllers:

The Regulation provides a much stricter regime as regards the obligations of a data controller and compliance with its provisions. The GDPR defines a controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”. In the case of joint controllers, Article 26 provides that the controllers shall, by means of an arrangement between them, determine their respective responsibilities for compliance with the Regulation in a transparent manner. The essence of this arrangement shall be made available to the data subject, and the arrangement may designate a contact point for data subjects.

Under Article 28, the controller shall only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a way as to ensure compliance with the Regulation and protection of the data subject’s rights. The Regulation also clearly states that a processor cannot engage another processor without the written authorisation of the controller.

The controller and processor shall enter into a contract or other legal act binding on the processor which sets out the subject matter, duration, nature and purpose of the processing, the type of personal data, the categories of data subjects, and the obligations and rights of the controller. The contract/legal act must include the following obligations of the processor:

  1. process the personal data only on documented instructions from the controller
  2. ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under a statutory obligation of confidentiality
  3. assist the controller, by appropriate technical and organisational measures, in responding to data subjects’ requests
  4. engage sub-processors only with the written authorisation of the controller
  5. assist the controller in ensuring compliance with its obligations under Articles 32-36 of the Regulation
  6. at the choice of the controller, delete or return all personal data to the controller after the end of the provision of services (and delete existing copies unless EU or national law requires their storage)
  7. make available to the controller all information necessary to demonstrate compliance with these obligations, and allow for and contribute to audits and inspections conducted by the controller or another auditor mandated by the controller

(Note: the controller and processor may choose to use standard contractual clauses adopted by the European Commission or the relevant supervisory authority.)

Emphasis is given to data security, with the Regulation imposing an obligation on data controllers and processors to implement appropriate technical and organisational measures in order to ensure a level of security appropriate to the risks presented by the processing and the nature of the personal data to be protected. The requirement goes a step further and obliges the controller and the processor to carry out risk assessments of the security requirements in respect of the types of data they hold. In assessing the appropriate level of security, the controller and processor shall take into account the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. According to Article 32, security measures include, but are not limited to: pseudonymisation and encryption of personal data; ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures adopted to ensure the security of the processing.

The controller (and, where applicable, its representative) is under an obligation to maintain a record of processing activities as provided for under Article 30. This record shall contain the following information:

  1. name and contact details of the controller/s, representative and data protection officer
  2. purposes of processing
  3. categories of data subjects and personal data
  4. categories of recipients of personal data (including recipients in third countries or international organisations)
  5. transfers of personal data to third countries or international organisations as well as suitable safeguards
  6. time limits for erasure of data
  7. description of the technical and organisational security measures adopted

(Note: the documentation requirements do not apply to controllers or processors employing fewer than 250 persons unless (a) the processing is likely to result in a risk to the rights and freedoms of data subjects, (b) the processing is not occasional, and (c) they process special categories of data or personal data relating to criminal convictions and offences.)

Data Protection Impact Assessment (“DPIA”):

Under the new framework, controllers should conduct an impact assessment prior to undertaking any processing that presents a specific privacy risk. The Regulation recommends that the advice of the data protection officer be sought. Article 35 provides three cases where a DPIA will be required: (a) a systematic and extensive evaluation of personal aspects of natural persons based on automated processing, on which decisions that produce legal effects or similarly significantly affect the natural person are based, (b) processing on a large scale of special categories of data or data relating to criminal convictions and offences, and (c) systematic monitoring (e.g. CCTV) of a publicly accessible area on a large scale.

The DPIA should include at least a systematic description of the processing, its purposes and the legitimate interest pursued, an assessment of necessity and proportionality, an assessment of the risks to the rights and freedoms of data subjects and the measures taken to address those risks.

Processors

The GDPR regime, in contrast with the Data Protection Directive, provides a significantly expanded scope for compliance by imposing strict obligations not only on the data controller but also on the data processor, obligations that are new in the landscape of data protection.

The GDPR defines a processor as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. Some examples of data processing activities are data storage, data retrieval, data security, marketing and human resources functions (e.g. payroll).

The Regulation imposes direct obligations on processors and clearly states that processors should enter into a binding contract or other legal act, as stated above, and processors are now subject to administrative fines as well. The enhanced contractual obligations the GDPR provides are mentioned above and include: processing personal data only on the controller’s instructions, the obligation to notify the controller in case of a breach, the obligation to implement appropriate technical and organisational security measures, and the appointment of an EU representative where applicable. Therefore, processors should revise their existing contracts in order to ensure that they comply with the new enhanced obligations provided under the Regulation.

Since the GDPR places such emphasis on the security of processing of personal data, processors should evaluate how they secure such data, for instance through their IT systems. They should also evaluate their processes, such as their disaster recovery procedure, and review and update their policies on matters such as the collection and use of data, processing by automated means and the secure destruction of personal data. Regular assessments and evaluations of security measures will help ensure that processors comply with the security requirement newly imposed upon them.

There are certain restrictions on a processor engaging a sub-processor: a sub-processor cannot be appointed without the prior general or specific written authorisation of the controller. If the controller provides a general written authorisation, the processor shall inform the controller of any changes to sub-processors and give the controller the opportunity to object to such changes. It is important to note that, where a sub-processor is appointed, the processor shall ensure that the sub-processor is bound by the same contractual obligations as the processor has towards the controller, and the processor remains liable to the controller for the performance of the sub-processor’s obligations.

Processors should also keep a record of processing activities. The record shall include the following information: (a) the name and contact details of the controller, the DPO and the processor, (b) the categories of processing, (c) any transfers of personal data to third countries or international organisations and (d) a description of the data security measures adopted (please see the Note above on the exemption for organisations with fewer than 250 employees).

Supervisory Authorities:

Under the new Regulation each Member State shall have a national supervisory authority. Supervisory authorities shall consult one another in cross-border cases and, where necessary, refer issues to the European Data Protection Board. Supervisory authorities are given wide investigative and corrective powers in order to ensure that controllers and processors comply with the Regulation.

Breach Notification (Article 33):

With the new Regulation, breach notification becomes mandatory. Controllers are obliged to notify the relevant supervisory authority and, in specific circumstances (where there is a high risk to the rights and freedoms of natural persons), the data subjects. The notification of the breach must be made without undue delay and within 72 hours of the controller becoming aware of the breach. Processors also have an obligation to inform the controller without undue delay once they become aware of a breach. The notification shall include at least a description of the nature of the breach, the categories and approximate number of data subjects and data records concerned, the likely consequences, the measures taken or proposed to be taken to address the breach, and the name of the data protection officer or another contact point in case further information is required. In order to prove compliance, the controller must document data breaches, their effects and the remedial action taken.

In cases where the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller is under an obligation to notify the data subject without undue delay. The notice must describe, in clear and plain language, the nature of the breach and include at least the following: the identity and contact details of the data protection officer or other contact person, the likely consequences and the measures taken or proposed to be taken to address the breach. The controller is, however, not obliged to notify the data subject if any of the following applies: appropriate technical and organisational measures (such as encryption) had been implemented; subsequent measures have been taken to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise; or notification would involve disproportionate effort. Where notification would involve disproportionate effort, the controller should instead inform the data subjects in an equally effective manner, such as a public communication.

EU representatives

Controllers or processors not established in the EU shall designate in writing a representative in the EU, unless the processing is occasional, does not include, on a large scale, the processing of special categories of data or of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons.

Data Protection Officer (“DPO”)

According to Article 37, data controllers and processors are now under an obligation to appoint a DPO in the following circumstances: (a) the processing is carried out by a public authority or body, (b) the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale and (c) the core activities of the controller or the processor consist of processing of special categories of data or of data relating to criminal convictions and offences on a large scale. Where controllers or processors decide to designate a DPO without being compelled by the Regulation to do so, they should still abide by the GDPR requirements as if the designation were mandatory. The designated DPO of the controller or processor will be the contact person for the supervisory authority.

DPOs shall be involved in all issues relating to the protection of personal data. They must have expertise and skills commensurate with the sensitivity and complexity of the data processed, and must have professional qualities such as expertise in EU and national data protection law and in-depth knowledge of the Regulation. The DPO shall be bound by secrecy or confidentiality and will report directly to the highest management level of the controller or processor. DPOs cannot hold positions within the organisation that determine the purposes and means of processing. The controller and processor must support the DPO in the performance of his/her tasks and shall ensure that he/she has the resources needed to carry them out effectively. Additionally, the DPO must act independently: the controller and processor must make sure that any other tasks of the DPO do not conflict with his/her tasks as DPO, that he/she receives no instructions as to the performance of those tasks and that he/she is not penalised or dismissed for performing them.

It is important that the contact details of the DPO are published and communicated to the supervisory authority, as he/she will be the contact person and both the authority and the data subjects should be able to contact the DPO easily.

Design by default

Article 25 imposes an obligation on the controller to implement technical and organisational measures (such as pseudonymisation) that are designed to implement data protection principles, such as data minimisation, in an effective manner, and to integrate the necessary safeguards into the processing in order to protect the rights of data subjects and comply with the requirements of the Regulation. The controller must take into account the “nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing”.

The controller should take appropriate measures to ensure that, by default, only personal data necessary for the specific processing purpose are processed. This obligation extends to the extent of the processing, the amount of data collected, the period of storage and the accessibility of the data. Approved certification mechanisms as provided for in Article 42 may be used to demonstrate compliance with this obligation.

Transfers to third countries

As with the Data Protection Directive, the Regulation restricts transfers of personal data to countries outside the European Union. The Regulation aims to ensure that the level of protection afforded by the framework is not undermined, so that any transfer to a third country is made under specific conditions that safeguard the rights of the data subjects. Transfers may be made to a third country in respect of which the European Commission has made an adequacy decision (which may be amended, repealed or replaced). In the absence of an adequacy decision, the data controller or processor receiving the data should take appropriate measures and provide adequate safeguards, such as the use of standard contractual clauses adopted or approved by the Commission, binding corporate rules or an approved certification mechanism, to compensate for the lack of protection in that third country. Transfers can also be made under the EU-US Privacy Shield, which imposes several obligations on US companies to protect personal data.

Administrative fines

There has been a considerable increase in the fines provided for under the Regulation. Fines can be up to €10,000,000 or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for breaches including, but not limited to, matters concerning a child’s consent or a breach of the controller’s obligations in relation to the DPO. Additionally, fines may reach €20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for breaches of the basic principles for processing or of the data subjects’ rights.

Verita Legal

March 2018

Disclaimer: This document is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the information contained in this document.

The analysis provided in the document is not intended to be comprehensive of all legal developments.

Key Contact

Karolina Argyridou | Managing Partner | [email protected]