Szecskay Attorneys at Law
  October 19, 2016 - Hungary

The Clock is Ticking: Tips on How to Prepare for the New Regime the EU's General Data Protection Regulation Will Bring About.

Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("Regulation") will replace Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("Directive"). The Regulation applies from 25 May 2018; entities are therefore required to be compliant by that date.

What does this mean and what main novelties will the Regulation bring about?

What should data controllers do to comply with the Regulation?

Scope

The Regulation is wider in territorial scope than the Directive as it has an extraterritorial effect.

Basically, the Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

However, the Regulation also applies to

the processing of personal data of individuals who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

a) offering goods or services to such individuals in the Union (no matter if the goods or services are free) [language and currency may be indicative of the intention to offer goods or services to individuals in the EU];
b) the monitoring of the behaviour of such individuals, as far as their behaviour takes place within the Union [e.g. tracking persons on the Internet].

Conclusion:
Data controllers and processors are advised to check if their activities are covered by the Regulation.

Privacy by design / Privacy by default

New mindset required:
Both when determining the means of processing and during the processing itself, data controllers are required to implement appropriate technical and organisational measures designed to implement the data protection principles in an effective manner ("privacy by design"). [Such principles are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.]

Data controllers must implement appropriate technical and organizational measures which ensure that only personal data necessary for the specific purpose are processed ("privacy by default").

Conclusion:
The Regulation requires data controllers to design their operations from the very beginning in a way that they also take into account the data protection rules.

Data controllers are advised to check if their activities take into account such rules.

Lawfulness of processing

Processing of personal data is lawful only if and to the extent that at least one of the following applies:

(i)    the data subject has given consent to the processing;
(ii)    processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(iii)   processing is necessary for compliance with a legal obligation to which the controller is subject;
(iv)  processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(v)   processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(vi)  processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (assessing different interests).

Conditions of consent are also regulated.

Special rules apply to the lawfulness of processing special categories of personal data (e.g. medical data).

Children enjoy a specific protection with regard to the processing of their personal data.

Conclusion:
Data controllers must ensure that a legal basis exists for each processing operation before it starts.

Data controllers must be prepared to demonstrate that the data subject has consented to the processing of his or her personal data.

Records of processing activities

This obligation applies to both data controllers and data processors.

Data controllers must maintain a record of processing activities, which has to contain

Data processors must maintain a record of processing activities, which has to contain

Exemption from keeping records:

The obligation does not apply to an entity employing fewer than 250 persons unless

Conclusion:
Data controllers and data processors must examine if they are required to prepare records of processing activities and, if they are, they have to maintain such records and have to be ready to provide such records to the supervisory authority upon request.

Data protection impact assessment

This obligation applies to data controllers.

"Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data."

In particular, an impact assessment must be prepared in the case of:
(i) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person (e.g. automated credit assessment, automated performance evaluation);

(ii) processing on a large scale of special categories of data (e.g. health data), or of personal data relating to criminal convictions and offences; or

(iii) a systematic monitoring of a publicly accessible area on a large scale (e.g. operation of surveillance camera in a store).

The assessment must contain at least:

The controller has to consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, i.e. where a high residual risk remains that the controller cannot sufficiently mitigate.

Conclusion:
Data controllers are advised to check their activities and clarify if they need to prepare a data protection impact assessment.

Data breach notification

Both data controllers and data processors have certain obligations.

The data controller is required to notify the DPA of a personal data breach without undue delay and, where feasible, at the latest within 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. (If the notification is not made within 72 hours, it must be accompanied by the reasons for the delay.)

The notification must at least

The data processor must notify the data controller of such a breach without undue delay after becoming aware of it.

The data controller must document all personal data breaches, including the facts relating to the breach, its effects and the remedial action taken; this documentation must enable the DPA to verify compliance with the notification obligation.

The data controller is required to communicate the breach to the persons affected without undue delay if the breach is likely to result in a high risk to the rights and freedoms of the persons concerned. As to content, see the notification to the DPA.

No notification to the persons concerned is necessary if

Conclusion:
Data controllers must keep a record of data breaches and be ready to inform the DPA and the persons concerned of such breaches within the prescribed deadlines.

Data processors are advised to be ready to inform the data controllers of any data breach.

Data protection officer (DPO)

This obligation applies to both data controllers and data processors.

Data controllers and data processors must appoint a DPO if, among other cases,

i) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
ii) the core activities of the controller or the processor consist of processing on a large scale special categories of data (sensitive data, personal data relating to criminal convictions and offences).

Tasks of the DPO:
(i)      informing the controller or the processor and the employees in connection with the Regulation;
(ii)      monitoring compliance with the Regulation;
(iii)     advising in connection with the data protection impact assessment;
(iv)    cooperating with the DPA;
(v)     acting as a contact person for the DPA.

Conclusion:
Data controllers and processors are advised to examine if they are required to appoint a DPO and, if they are, a DPO must be appointed prior to 25 May 2018.

Designation of representative

This obligation applies to both data controllers and data processors.

In connection with the extraterritorial effect of the Regulation, data controllers and data processors without an establishment in the EU are required to designate in writing a representative in the EU if they
(i)      offer goods or services to individuals in the Union (no matter if the goods or services are free), or
(ii)      monitor the behaviour of individuals in the EU, as far as their behaviour takes place within the Union.

Exemption:

The obligation to designate a representative does not apply to
(i) processing which is occasional, does not include, on a large scale, the processing of special categories of data or the processing of personal data relating to criminal convictions and offences, and which is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
(ii) a public authority or body.

Conclusion:
Data controllers and processors are advised to examine if they are required to designate a representative and, if they are, a representative must be designated prior to 25 May 2018.

Transfer of personal data

This applies to both data controllers and data processors.

Legal basis for transfer:

Conclusion:
A valid legal basis for any transfer of personal data to a third country or international organisation must be ensured by the data controller (and, where applicable, by the data processor) before the transfer takes place.

Administrative fine

The DPA will have the power to impose a fine on non-compliant entities.

For the most serious infringements, the maximum fine is EUR 20 million or, in the case of an undertaking, 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher. (For other infringements a lower tier applies: EUR 10 million or 2% of total worldwide annual turnover, whichever is higher.)

The amount of the fine depends on a number of factors, such as, for example,

Conclusion:
Compliance with the Regulation must be handled as a high priority.

Cooperation and consistency mechanism

Cooperation mechanism:
National DPAs will cooperate from 25 May 2018.

The lead supervisory authority (LSA) will be the DPA of the member state where the data controller / data processor has its main establishment.

Forms of cooperation:
(i)      cooperation between LSA and other DPAs;
(ii)      mutual assistance;
(iii)     joint operations.

Consistency mechanism:
In order to contribute to the consistent application of the Regulation throughout the Union, the DPAs cooperate with each other (through the European Data Protection Board) and, where relevant, with the Commission.

The European Data Protection Board has an important role in ensuring the consistent application of the Regulation. (The Board will take over the role of the Working Party under Article 29.)


The consistency mechanism will be two-fold:
(i)      the Board issues opinions;
(ii)      the Board resolves disputes.

The Board issues an opinion where a competent DPA intends to adopt certain measures (e.g. a list of processing operations for which a data protection impact assessment must be prepared, a code of conduct, binding corporate rules (BCR), standard data protection clauses).

In order to ensure the correct and consistent application of the Regulation in individual cases, the Board adopts a binding decision in the following cases:

Rights of persons concerned

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This right does not apply if the decision:

(a) is necessary for entering into, or the performance of, a contract between the data subject and the controller;
(b) is authorised by Union or member state law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
(c) is based on the data subject's explicit consent.


Conclusion:
Data controllers must be prepared to fulfil the lawful requests of the persons concerned (e.g. right of access, right to erasure ("right to be forgotten"), right to data portability) within the deadlines set by the Regulation.

Things to do

The contents of this handbook are intended to provide only a general overview of the subject matter. Specialist advice should be sought for specific matters. Queries relating to this guide should be addressed to the authors at:
[email protected], [email protected]