After nearly four years of heated discussions, the European Parliament adopted on 14 April 2016 the new General Data Protection Regulation (GDPR)[1]. The GDPR will repeal and replace the current Data Protection Directive 95/46/EC and will have a significant impact on how businesses process their personal data. The GDPR aims, notably, at establishing a modern and harmonized data protection framework across the EU, reinforcing individuals’ rights, ensuring stronger enforcement of the rules and streamlining international transfers of personal data.
The GDPR will come into force on May 25th 2018 and will be directly applicable throughout the EU, with no need for further national implementation.
The newly established rules under the GDPR will have significant implications for any business that processes personal data of EU citizens. Companies must therefore start to review their existing policies and procedures and to consider implementing new policies and procedures in order to address the requirements of the GDPR in due time so as to be compliant with the new obligations as soon as they are applicable. The present note aims to provide an overview of the key changes which should be anticipated by data controllers.
What will change under the GDPR?
1. Wider territorial scope
The GDPR extends the current territorial scope of the EU privacy laws. The GDPR will apply not only to controllers established in the EU but also to controllers established outside the EU and who offer services to EU residents (whether for payment or not) or who monitor the behaviour of EU data subjects, in so far as that behaviour takes place within the EU.
In practice, this extension of the territorial scope means that any company outside the EU which is targeting, for example, consumers in the EU, must comply with the GDPR requirements.
2. Privacy by design and by default
The GDPR introduces the new concepts of “privacy by design” and “privacy by default”.
Privacy by design requires that the data controller adopts appropriate technical and organisational measures to ensure that the requirements of the GDPR are met. The data controller should be able to demonstrate compliance with the GDPR by adopting internal policies and implementing measures to improve the security of personal data. Such measures may consist in minimising the processing of personal data, pseudonymising personal data as soon as possible, enabling the data subject to monitor the data processing, etc.
Privacy by default means that the data controller shall implement appropriate technical and organisational measures to ensure that the only personal data which is processed is that strictly necessary for each specific purpose of the processing.
The introduction of both concepts will mean significant changes for the data controllers as they will be required to revisit and review their existing approach to data protection and to take into consideration the privacy and security requirements enshrined in the GDPR at the very beginning of the processing. The data controllers will have to regularly audit the data in order to assess whether the processing is still strictly necessary for the purpose sought, to minimise the period of time during which the data is stored, to anonymise the data where possible, etc.
3. Accountability
Under the GDPR, the current notification obligations will be replaced by accountability requirements. Instead of notifying the processing to the CNPD, the data controllers will have to maintain internal documentation and demonstrate, if and when necessary, the compliance of their processing activities with the GDPR, in particular with regard to the identification of the risk related to processing (so-called “impact assessment”), the identification of best practices to mitigate the risk, the designation of a data protection officer, the maintenance of an up-to-date record of data breaches, etc.
The data controller must also demonstrate the effectiveness of the implemented measures taking into account the nature, scope, context and purposes of the processing. The impact assessment is in particular required in case of processing on a large scale of special categories of data, a systematic monitoring of publicly accessible data on a large scale and any automated processing.
In practice, the data controllers must carry out regular audits to identify any potential breach of the GDPR requirements and implement corrective actions as soon as possible.
4. Compulsory notification of data breaches
Currently under Luxembourg law there is no requirement (except in the financial sector) to notify data breaches to the concerned data subjects or to the CNPD. Under the GDPR, the data controllers will be required to inform the CNPD of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, without undue delay and at the latest 72 hours after becoming aware of the breach, unless such breach is unlikely to harm the rights and freedoms of the data subjects concerned.
Except in some limited cases listed in the GDRP[2], the data subjects concerned, must also be informed of the breach, without undue delay, if that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow data subjects to take the necessary precautions.
The data controller may not simply just inform the CNPD or the data subject of the occurrence of a breach; rather, the GDPR provides a list of information which the data controller must provide in case of a breach, such as, for example, the nature of the breach, the name and contact details of the data protection officer, a description of the likely consequences of the breach, etc.
Given the short notice period to be respected by the data controller when notifying breaches and the extensive list of information to be provided to the CNPD, it is recommended for controllers to adopt internal procedures for handling data breaches swiftly and effectively. Staff training should also be anticipated.
5. Rights of the data subjects
The GDPR grants to the data subjects more extensive rights, including:
- The “right to be forgotten”: the data subjects can require the erasure of their personal data, in particular where the personal data is no longer necessary in relation to the purposes for which it is collected, where the data subject has withdrawn its consent or where he/she objects to the processing.
- Data portability: where the processing of data is carried out by automated means, the data subject should be allowed to receive personal data concerning him/her in a structured, commonly used and interoperable format and to transmit it to another controller.
- In case of processing of personal data of data subjects under 16 years old, obtaining the consent of the parents will be required.
- The right of access: data subjects have the right to obtain from the data controller, without undue delay, at the latest within one month of the request and free of charge, a confirmation as to whether or not data relating to him/her is being processed, the purpose of such processing and the categories of data that are subject to the processing. The data controller must ensure to put in place adequate mechanisms that guarantee the right of access of data subjects.
- The right to object: data subjects will have a right to object to any processing based on legitimate interests. The controller must then stop the processing unless it can demonstrate that there compelling and legitimate reasons which override the interests, rights or freedoms of the data subject, or unless the processing is to establish, exercise or defend legal claims.
- The right to be informed: data subjects will have the right to obtain more extensive information regarding the processing of data, such as the period of storage of the data, the ability to withdraw the consent to processing, the existence of any automated processing and profiling, etc.
6. Data Protection Officer
Currently, under Luxembourg law, nominating a data protection officer (DPO) is not compulsory and releases the data controller from its obligation to notify the processing to the CNPD. Under the GDPR, the appointment of a DPO, i.e. a person with expert knowledge of data protection law and practices, will be mandatory under certain circumstances. The role of a DPO will be to assist the controller or processor to monitor internal compliance with the GDPR.
Data controllers and data processors will be required to verify if they are required to appoint a DPO under the GDPR. If so, the DPO may be a staff member of the controller or processor, or may fulfil the tasks pursuant to a service contract.
7. Higher penalties
Whereas under current Luxembourg law the financial fines do not exceed EUR 125,000, the GDPR introduces much heftier fines of up to EUR 20,000,000 or up to 4% of total worldwide annual turnover, whichever is higher, for violations of the data protection principles laid down in the GDPR.
The CNPD will be able to take enforcement actions not only against the data controller but also against the processor in cases of non-compliance with the new statutory requirements.
8. One stop shop
Currently, each Member State has its own local data protection authority which deals with the processing operations carried out on the national territory and imposes sanctions in case of a non-compliance with the data privacy laws. At the moment, when a business is established in one Member State only the data protection authority of that Member State is competent, even if the business is processing data across Europe. In order to ensure a more coherent and uniform application of the data privacy legislation throughout the EU, the GDPR has introduced a “one stop shop” mechanism.
In accordance with the “one stop shop” principle, where a data controller (or a processor) carries out its activities and processes personal data in several Member States, it will be subject to the authority of the data protection authority of the place of its main establishment (i.e. the place of its central administration). This local data protection authority must closely cooperate with other concerned data protection authorities, who remain fully competent to receive complaints from the local data subjects.
The one stop shop principle aims at ensuring legal certainty for businesses operating throughout the EU.
9. Specific obligations on data processors
Currently, no direct obligations are imposed on data processors (organisations that process personal data on behalf of data controllers, e.g. subcontractors, IT service providers, etc.). The GDPR introduces data processors’ liability and imposes direct obligations, such as an obligation to notify data breaches, an obligation to appoint a DPO (if required), an obligation to implement technical and organisational measures to ensure that the data is safely processed, etc.
The GDPR also lists mandatory clauses that must be included in any contract between a data controller and a data processor.
These new obligations mean that many existing agreements with service providers dealing with personal data will have to be reviewed and potentially amended to determine the respective responsibilities. Data processors will have to ensure that their organisation is compatible with the enhanced requirements of the GDPR.
10. International transfer of data
The GDPR introduces only a few changes in respect of the international transfer of data (outside the EU). Where a recipient country is considered by the European Commission as guaranteeing an adequate level of protection, no specific authorisation is required.
Transfers are also possible, with no prior authorisation, where appropriate safeguards are provided for by (i) binding corporate rules, and (ii) standard contractual clauses.
The international transfer of data may also be based on approved codes of conduct.
Key guidelines for effective and adequate data processing under the GDPR:
- Implement data protection standards and procedures within the business.
- Draw up codes of conduct to facilitate effective application of the GDPR.
- Put in place a team who will coordinate the implementation of the obligations under the GDPR.
- Review and analyse the data currently processed and examine the legal basis on which that data is processed. Stop processing any personal data that is no longer required for the purpose for which it was collected.
- Establish a culture of monitoring, reviewing and assessing the data processing procedures.
- Train your staff on the new obligations.
- Put in place procedures for assessing and notifying breaches of the requirements laid down in the GDPR
- Review and, as necessary, amend, existing contracts with data processors.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
[2] For example if the controller has implemented appropriate technical and organisational protection measures, such as rendering the data affected by the breach unintelligible to any person who is not authorised to access it, such as encryption.