Guest post by Helmut Liebel*
In only a few months, the new General Data Protection Regulation (GDPR) will be directly applicable in all EU member states. The GDPR replaces the 1995 EU Data Protection Directive. For the first time, a uniform, directly applicable EU data protection law is introduced.
The GDPR protects personal data of natural persons, such as employees, customers and suppliers. Regardless of whether companies (as controllers) process the data of such data subjects in the EU themselves or task processors with this job, in each case they must comply with the GDPR.
THE MAIN NOVELTIES
Strengthening of the rights of data subjects
The GDPR massively strengthens the rights of data subjects:
a) Information requirements
The information requirements towards data subjects are extended significantly: controllers must actively inform them, inter alia, about the purpose and legal basis of the data processing, the legitimate interests in the data processing, the recipients of the data, the storage duration as well as their rights as data subjects. All this information must be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”.
b) Consent
Strict rules also apply to declarations of consent for data processing. If required, the controller must be able to demonstrate that consent was given by the data subject. The GDPR also clarifies that silence, pre-ticked boxes or inactivity do not constitute consent.
c) Access, rectification, erasure, objection, and data portability
Existing rights, such as the rights to information, rectification, erasure (“right to be forgotten”), and objection, are strengthened in the GDPR.
Moreover, the right to data portability is introduced, whereby data subjects may request the controller to transmit certain data back to them in a commonly used, machine-readable format or to transmit it to a third party (e.g. another social network).
Expansion of obligations of controllers and processors
a) Data protection “by design” and “by default”
The GDPR elaborates on data protection through technology/design and privacy-friendly default settings. Under these rules, data applications need to include technical measures designed to implement effective data protection (“privacy by design”). Further, it must be ensured that, by default, only data necessary for the specific purpose of a processing are actually processed. This means, for instance, that presets (e.g. text boxes for declarations of consent) have to be privacy-friendly (e.g. not pre-checked) (“privacy by default”).
b) Internal records of processing activities
Controllers and, to a lesser extent, processors, will have to maintain an up-to-date overview of all their data processing activities. In rare cases, companies with fewer than 250 employees are exempt from this requirement. However, it is advisable to always keep such internal records in order to be able to comply with all other GDPR obligations.
c) Data protection impact assessments
A controller must carry out a so-called data protection impact assessment where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. Where such risk is indicated by the assessment, the supervisory authority (e.g. in Austria: the Data Protection Authority) must be consulted prior to processing, if the risk cannot be mitigated by protective measures.
d) Appointment of a data protection officer
In various cases, the GDPR stipulates the appointment of a data protection officer, who can either be employed or be tasked as an external consultant on the basis of a service contract. Regarding the exercise of his tasks, the data protection officer must not be bound by any instructions and may not be dismissed for performing his duties.
e) Accountability and certification
In the future, controllers will not only be responsible for complying with all data processing principles (e.g. lawfulness, purpose limitation, data minimization, accuracy, storage minimization, and confidentiality), but they must also be able to prove such compliance to the supervisory authority at all times. Thus, implementing appropriate data protection measures is crucial.
In this context, the GDPR provides for the creation of certification procedures as well as data protection seals and marks. Once established, these can serve as proof for compliance with the GDPR.
f) Notification of attacks on data processing systems
As a rule, any data breach must be reported to the supervisory authority immediately (and no later than 72 hours) (“Data Breach Notification Duty”). Such notification may only be omitted if the data breach is unlikely to result in a risk to the rights and freedoms of data subjects. Conversely, if there is a high probability of such a risk, controllers must additionally inform the data subjects.
g) Data transfer to third countries
The GDPR allows for a transfer of data to non-EU countries under certain conditions. These include, e.g., the use of the EU standard contractual clauses or a decision of the European Commission certifying an adequate level of data protection in a specific country.
SANCTIONS AND LAW ENFORCEMENT
A major new feature of the GDPR is inspired by EU antitrust law and concerns the massive increase in administrative fines: Certain infringements of the GDPR can be subject to fines of up to EUR 20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever amount is higher.
In addition to the aforementioned fines, the GDPR provides for judicial remedies: Data subjects have the right to lodge a complaint with a supervisory authority as well as the possibility to sue for compensation of damages. In the future, the parties involved in a data processing (controllers and processors) will – as a rule – be jointly liable for any damages resulting from it.
Although the GDPR is directly applicable, it also contains numerous so-called “opening clauses”, which require or allow EU member states to introduce or maintain additional national rules. So far, according to the European Commission, only Germany and Austria have passed the legislation necessary to bring national laws into line with the GDPR.
There is not much time left to adjust to the GDPR, taking into account its 99 articles and 173 recitals. It is therefore advisable to prepare for the new legal situation and inter alia:
- gather and carefully examine your processing activities (analysis of status quo);
- create and maintain records of your processing activities;
- review all relevant contracts (especially those with data processors) as well as international data transfers;
- define internal responsibilities (possibly appoint a data protection officer);
- set up internal processes in order to satisfy data subject rights and comply with obligations to notify;
- carry out data protection impact assessments;
- implement data security measures.
This post is for information purposes only and cannot replace individual legal advice.
Helmut Liebel is a partner of the Austrian law firm Eisenberger & Herzog at the Vienna office (www.ehlaw.at). He regularly advises national and international clients in the areas of intellectual property rights (copyright, trademarks, designs and patents), unfair competition law, as well as on IT- and data protection law. Helmut holds law degrees (Mag iur, Dr iur) from the University of Vienna and studied at the Santa Clara Law School, USA.