Our Experience in Personal Data Protection
Vlănţoiu şi Asociaţii offers corporate clients the legal experience accumulated over five years in the field of personal data protection. Our team includes lawyers specialised in data protection law and practice who, together with a team of cyber security specialists with twenty years' experience, provide audit and GDPR implementation services.
With the entry into force of GDPR, our internationally certified data protection specialists have taken on several far-reaching projects to align major companies with the GDPR's provisions. Couriers, financial services providers and hospitality companies are among the customers who have chosen us for our experience and for the multidisciplinary team of specialists we have assembled for GDPR consulting.
What is GDPR
After a two-year transition period intended to allow organisations and public bodies to adjust to the new requirements, the General Data Protection Regulation (EU) 2016/679 became directly applicable throughout the EU on 25 May 2018.
Implementation by EU Member States through national law is not required, as a Regulation (unlike the former Directive 95/46/EC) is directly applicable, with immediate effect, in all Member States.
However, some states, including Romania, have adopted national GDPR implementation laws legislating in the areas (up to 40 of them) where GDPR leaves room for a degree of domestic tailoring. In case of conflict between the two, GDPR prevails.
Turnover-based Fines
GDPR introduces some of the highest fines in the history of data protection law, on a par with those known from anti-trust law, including turnover-based fines of up to 4% of annual worldwide turnover. Because Recital 150 borrows the competition-law notion of "undertaking", group revenue may be taken into account when calculating a fine, regardless of which company of the group committed the infringement, and even where some group companies do not fall under GDPR at all.
The higher tier of fines, provided by Article 83(5), of up to EUR 20,000,000 or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, applies to breaches of the fundamental provisions of GDPR: the basic principles for processing, including the conditions for consent (Articles 5, 6, 7 and 9), data subjects' rights (Articles 12 to 22) and the international transfer rules (Articles 44 to 49).
The lower tier of fines, provided by Article 83(4), of up to EUR 10,000,000 or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher, applies to breaches of the more technical provisions of GDPR, such as the obligations of controllers and processors (Articles 25 to 39), including security of processing and data breach notification.
Supervisory authorities may also impose a temporary or definitive limitation on processing, including an outright ban (Article 58(2)(f)), which in certain cases amounts to shutting the business down.
Right to Compensation for Data Subjects
Beyond the right to lodge a complaint with a supervisory authority under Article 77, any person who has suffered "material or non-material damage" as a result of an infringement of GDPR has the right to receive compensation from the controller or the processor under Article 82(1).
To reach the level of compliance GDPR demands, organisations must fundamentally redesign the way they collect and process personal data. Awareness at top management level of the scale of the challenge, a budget proportionate to it, and the appointment of a team of well-trained data protection legal and technical professionals are prerequisites for GDPR compliance.
Whether or not every group company falls under GDPR or is responsible for an infringement, international groups need to assess their exposure with great care and ensure compliance even where their data processing is neither large scale nor a core business activity.
More Data is Personal Data
An identification number, location data, an IP address, a cookie identifier or an RFID tag that may identify a natural person is personal data under GDPR (Article 4(1) and Recital 30).
Defined in Article 4(1) as "any information relating to an identified or identifiable natural person", personal data is to be understood broadly, as any information that, by "all the means reasonably likely to be used" (Recital 26), can lead to the identification of a person.
Whether data is personal data must be analysed case by case, as the same type of data may or may not be personal data depending on the circumstances: a business e-mail address such as email@example.com may be personal data if, for instance, the company employs only one CTO whom that address directly identifies. Also, as GDPR does not require that identification be possible for the organisation holding the data itself, GDPR applies even if only a third party would be able to identify the data subject using the data held by the organisation.
The "special categories" of personal data listed in Article 9 have been expanded to expressly include genetic data and biometric data (where processed to uniquely identify a person), and the processing of special category data is subject to a much more restrictive regime.
Given the very high compliance risks GDPR brings, with record sanctions likely to be imposed (see the 2017 Truck Cartel fines for a glimpse of the EU's readiness to impose fines of billions on private organisations), it may be most effective to minimise exposure by not processing personal data at all where this is not strictly necessary. For data collected in the past, securely wiping legacy personal data or rendering it truly anonymous may be the solution; note that pseudonymised data remains personal data (Article 4(5) and Recital 26), so only anonymisation that cannot reasonably be reversed takes the data out of GDPR's scope.
Extended Territorial Scope
GDPR applies not only to processing of personal data "in the context of the activities of an establishment" of an organisation in the EU (Article 3(1)), but also to organisations not established in the EU.
If a non-EU organisation processes personal data of data subjects who are in the Union and the processing relates to "the offering of goods or services" to them, irrespective of whether payment is required (Article 3(2)(a)), or to "the monitoring of their behaviour" as far as that behaviour takes place within the EU (Article 3(2)(b)), then that organisation falls directly under GDPR.
As a result, internet, telecom and online commerce companies outside the EU may have to become GDPR compliant and designate a representative in the EU under Article 27, failing which they face the second tier of fines, of up to EUR 10 million or 2% of turnover.
Service Suppliers are Data Processors
The data controller is the party that determines the purposes and means of the processing of personal data (Article 4(7)), whilst the data processor is the party engaged by a controller to process personal data on the controller's behalf (Article 4(8)).
Controllers must ensure that, when appointing a processor, a written data processing agreement that meets the requirements of Article 28 of GDPR is in place.
Supply chains need to be audited for GDPR compliance: controllers may only use processors providing sufficient guarantees (Article 28(1)), sub-processors may only be engaged with the controller's prior authorisation (Article 28(2)), and the initial processor remains fully liable to the controller for the performance of its sub-processors (Article 28(4)).
Processors themselves must comply with processor-specific obligations, for which they are directly liable to sanctions, e.g. maintaining records of processing (Article 30(2)), implementing appropriate security measures (Article 32), assisting the controller with data protection impact assessments (DPIAs), which remain the controller's obligation under Article 35 (Article 28(3)(f)), appointing a data protection officer where required (Article 37), complying with the international data transfer rules in Chapter V, and cooperating with supervisory authorities (Article 31).
Suppliers must assess their own compliance with GDPR and take the steps needed to be able to offer full compliance guarantees. Public authorities can be expected to disqualify participants in public tenders who fail to provide such guarantees. The same goes for the private sector: engaging a processor that cannot provide sufficient guarantees is already an infringement of Article 28(1). That risk can ripple further into mismanagement claims and personal liability of the decision maker for damages arising from the "error in eligendo" (fault in choosing the processor) of appointing a noncompliant processor.
Organisations should clearly establish whether they are processors, controllers or joint controllers (Article 26). A controller-processor agreement entered into where both parties in fact determine purposes and means, and should therefore each carry the full burden of a controller, falls short of Article 28 and, moreover, exposes the parties to practical chaos when handling data subject access requests.
Suppliers who are quick to understand that aligning with GDPR is not optional will gain a competitive edge at a time when noncompliant organisations will find it hard to survive in a market where GDPR forces clients to audit their suppliers for compliance.
Tougher Requirements for Lawful Processing
According to Article 5(1), personal data must be: processed lawfully, fairly and in a transparent manner; collected for specified, explicit and legitimate purposes (the "purpose limitation" principle); adequate, relevant and limited to what is necessary in relation to those purposes (the "data minimisation" principle); accurate and kept up to date (the "accuracy" principle); kept in identifiable form no longer than necessary (the "storage limitation" principle); and processed with appropriate security, including protection against unauthorised processing, loss, destruction or damage (the "integrity and confidentiality" principle).
To make sure that the GDPR principles can be applied throughout the organisation, a full data processing audit is required: data mapping, a gap analysis and corrective action plans will need to be undertaken and implemented.
Failure to comply with these principles attracts the top tier of fines, of up to EUR 20 million or 4% of worldwide annual turnover (Article 83(5)(a)). GDPR will therefore sanction organisations that fail to grasp its transformative scope regarding data collection and processing principles.
The requirements for valid consent have been tightened under GDPR. Under Article 4(11) and Article 6(1)(a), consent is not valid unless freely given, specific, informed and unambiguous, and Article 7(3) requires that it be as easy to withdraw as it is to give.
Consent must be requested in a completely different manner, making sure the GDPR requirements are observed. Legacy consents need to be reviewed and, where they do not meet the GDPR standard, obtained afresh (Recital 171). Relying on consent as a general practice may now be a risk factor: valid consent is difficult to obtain and, in any case, it can be withdrawn at any time, making further processing unlawful (without affecting the lawfulness of processing carried out before withdrawal, Article 7(3)). Organisations are challenged to re-examine their legal bases for processing in order to identify grounds other than consent on which they can rely.
The newly introduced accountability principle (Article 5(2)) requires organisations to keep track of their processing activities, map data flows and keep records of processing (Article 30), all in order to be able to demonstrate compliance.
Each purpose of processing must be backed by one of the legal bases in Article 6(1). The former Article 29 Working Party advised that a single legal basis be identified for each purpose of processing, discouraging the practice of stacking alternative legal justifications.
Data Subject’s Rights
Information requested by data subjects must be provided without undue delay and within one month of receipt of the request; Article 12(3) allows the controller to extend this period by a further two months where necessary, taking into account the complexity and number of requests, provided the data subject is informed of the extension within the first month.
The 'right to be forgotten' (Article 17), which codifies the CJEU's ruling against Google in Case C-131/12, and the right to data portability (Article 20), an entirely new right under GDPR, add to the rights already provided by the Directive granting data subjects access to and other privileges regarding their data.
To be able to handle access requests, organisations must create and maintain proper internal infrastructure in which data can be quickly identified, retrieved and checked for accuracy, and its legal implications for other data subjects assessed, before it is handed to the requesting individual.
Data Protection Officers
Public authorities, and controllers or processors whose core activities consist of regular and systematic monitoring of data subjects on a large scale or of large-scale processing of special categories of data, must appoint a DPO with "expert knowledge" of data protection law and practices (Article 37). As the competencies Article 37(5) requires centre on data protection law and practice, the profile of the DPO is that of a legal professional who is an expert in data protection law, supported where necessary by technical specialists.
DPOs can be internal staff or external service providers; they are independent in their work, report directly to the highest management level, must not receive instructions regarding the exercise of their tasks, and must not be dismissed or penalised for performing them (Article 38(3)).
The specific tasks of the DPO are set out in Article 39 and include informing and advising on compliance with GDPR, monitoring compliance with the law and with the organisation's internal policies (including the assignment of responsibilities, awareness raising and staff training), advising on DPIAs, and acting as the contact point for the supervisory authority.
Failure to appoint a DPO where required exposes the organisation to the lower tier of fines, of up to EUR 10 million or 2% of annual worldwide turnover.
Appointing a DPO does not relieve the organisation of any of its responsibilities, so a merely formal appointment, without the resources and involvement Article 38 requires, will satisfy neither the organisation's needs nor the GDPR.
Data Breach Notification
Under penalty of fines of up to EUR 10 million or 2% of annual worldwide turnover, GDPR requires the controller to notify a personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33(1)); a notification made after 72 hours must be accompanied by reasons for the delay. Data subjects must be informed without undue delay when the breach is likely to result in a high risk to their rights and freedoms (Article 34(1)). Processors must notify the controller without undue delay after becoming aware of a breach (Article 33(2)).
An intentional failure to notify is an aggravating factor under Article 83(2)(b) and can push the fine towards the top of the range.
To be able to comply with the strict 72-hour term, organisations should already have efficient data breach detection and notification procedures in place, including the internal record of all breaches that Article 33(5) requires regardless of whether they were notified.
Containing a breach before it affects the rights and freedoms of data subjects requires trained teams of legal and technical professionals that are already in place and ready to be deployed.
Technical adjustments need to be considered, as Article 32 requires technical and organisational measures appropriate to the risk, assessed taking into account the state of the art and the costs of implementation, and expressly names pseudonymisation and encryption of personal data among them.
As a large share of breaches appears to be attributable to an organisation's own staff rather than to cyber-criminals, raising staff awareness through regular training throughout the organisation is essential.