GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. However, as it contains some onerous obligations, many of which will take time to prepare for, it will have an immediate impact. Here’s what all firms carrying out business in Europe need to know about GDPR:
* GDPR will apply in the UK from 25 May 2018. The full text of the Regulations can be found at https://gdpr-info.eu/
* In a bid to remain recognised by the EU as a third country providing an adequate level of data protection Switzerland has published revisions to the Federal Act on Data Protection (“FADP”) that strengthen the protection of personal data and adapt the existing provisions to the digital age. The revisions should be completed in the summer of 2018 and come into force by no later than 2019.
* GDPR applies to ‘controllers’ and ‘processors’. Controllers say how and why personal data is processed and processors act on the controller’s behalf. Employers are seemingly controllers/processors of their employees’ personal data and thus GDPR applies with respect to that data too.
* GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
* GDPR applies to ‘personal data’.**
* GDPR applies to both automated personal data and to manual filing systems.
* Article 5 of the GDPR requires that personal data shall be, inter alia:
(a) processed lawfully, fairly and in a transparent manner in relation to individuals;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which is it processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal date is processed; and
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) requires that the controller shall be responsible for, and be able to demonstrate, compliance with these principles (the so called ‘accountability principle’). To do so the controller must implement appropriate technical and organisational measures such as establishing internal data protection policies that include, for example, staff training, maintenance of relevant documentation on processing activities (possibly subject to internal audits), pseudonymisation of personal data and reviews of internal HR policies.
* Consent of the data subject under GDPR requires some form of clear affirmative action. It must also be separate from other terms and conditions and a simple mechanism must exist for the data subject to withdraw consent.
* It is not necessary to ‘repaper’ existing consents but if the controller/processor is purely relying on an individual’s consent (rather than another or additional legal bases), the consent must meet the GDPR standard of being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.
* GDPR provides the following rights for individuals:
o The right to be informed (Articles 13 and 14)
This means the following information about processing personal data must be provided by the controller free of charge in a concise, transparent and intelligible manner using clear and plain language (particularly when dealing with children):
(i) Identity and contact details of the controller and its data protection officer.
(ii) Purpose of the processing and the lawful basis for the processing.
(iii) The legitimate interests of the controller.
(iv) Where data is not obtained from the data subject directly, the categories of personal data held.
(v) Any recipient or categories of recipients of the personal data.
(vi) Details of transfers to any third (i.e. non-EU) country and safeguards.
(vii) Retention period or criteria used to determine the retention period.
(viii) The existence of each of the data subject’s rights (as detailed here and below and which are best explicitly listed so as to be properly brought to the data subject’s attention).
(ix) The right to withdraw consent at any time, where relevant.
(x) The right to lodge a complaint with a supervisory authority.
(xi) Where data is not obtained from the data subject directly, the source of the personal data and whether it came from publicly accessible sources.
(xii) Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data.
(xiii) The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.
This information must be provided to the data subject at the time the data is obtained and in any other case within a reasonable period of having obtained the data (within one month) or, if sooner, before the data is disclosed to another recipient. The notice containing this information appears to be referred to as a ‘privacy notice’.
o The right to access (Article 15)
This means under GDPR that an individual – who the controller must identify using ‘reasonable means – has the right to obtain from the controller free of charge and without delay (at the latest within one month):
· confirmation that their data is being processed;
· access to their personal data; and
· other supplementary information – this largely corresponds to items (i) to (xiii) above.
The controller is entitled to charge a reasonable fee (based on administrative cost) when a request is manifestly unfounded, excessive or repetitive. The one-month deadline for providing the data can be extended by a further two months where requests are complex or numerous and provided the controller informs the individual within one month of the receipt of the request explaining why the extension is necessary.
As an alternative to charging a reasonable fee, where a request is manifestly unfounded or excessive, in particular because of its repetitive character, the controller may refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request and must explain its refusal to act to the individual within one month (advising him or her at the same time of his or her right to complain to the controller’s supervisory authority).
o The right to rectification (Article 16)
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete within one month (with the controller entitled to extend the time frame by two months where the rectification is complex).
o The right to erasure (Article 17)
Also known as ‘the right to be forgotten’, this (qualified) right enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
In Switzerland the “right to be forgotten” has been limited under the FDAP to personal data matters concerning deceased persons.
o The right to restrict processing (Article 18)
This means a data subject has the right to block or suppress processing (but not the controller’s storage) of personal data where:
· he contests the accuracy of the personal data (but only for such period as enables the controller to verify the accuracy of the personal data);
· the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
· the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
· he has objected to the processing (but only until such time as the controller is able to demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject).
Third parties to whom data has been disclosed should be informed of the restriction on the processing of that data.
o The right to data portability (Article 20)
This right of individuals to obtain, reuse, move, copy and/or transfer their personal data without hindrance from a controller only applies to personal data provided directly by that individual to the controller on the legal basis of the individual’s consent or for performance of a contract and where the processing is carried out by automated means.
The FADP does not provide this right in Switzerland.
o The right to object (Article 20)
This right seems largely targeted at curbing direct marketing companies or those that process personal data for the performance of a task carried out in the public interest, in the exercise of official authority vested in the controller or for the purposes of the legitimate interests pursued by the controller or by a third party.
o Rights in relation to automated decision making and profiling (Article 22)
GPDR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. Subject to conditions, individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
The revised FADP requires all data controllers and processors in Switzerland to keep records on their data processing activities, similar to GDPR, but does not require data controllers to document FADP compliance.
** GDPR will require controllers to report data breaches (i.e. destruction, loss, alteration or unauthorised disclosure/access) that are likely to result in a risk of rights and freedoms of individuals (e.g. financial/reputational/privacy loss) to their supervisory authority within 72 hours. Where a breach is likely to result in a high risk (note: a higher threshold), the relevant individual(s) must also be informed.
Under FDAP controllers in Switzerland are subject to less reporting and consultation obligations towards the Swiss supervisory authority, the Federal Data Protection and Information Commissioner (FDPIC), than their counterparties in the EU towards their data protection authorities.
* GDPR imposes restrictions on the transfer of personal data outside the EU:
“A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.”
What is clear is that firms will need to prepare. They will need to consider what changes they should make to achieve compliance with the GDPR, on what timetable, with what order of priority and at what cost?