Bird & Bird Guide to the General Data Protection Regulation

Bird & Bird Guide to the General Data Protection Regulation

Guide to the General Data Protection Regulation May 2020 The General Data Protection Regulation (GDPR) is the latest version of Europe’s cornerstone data protection law. It took effect in May 2018, a marathon six and a half years after the European Commission’s original first draft was published following an unprecedented period of debate, negotiation and lobbying. This guide summarises that Regulation - a law which has significantly overhauled Europe’s data protection rules at a time when information systems and digital business underpin human life. As with the legislation which the GDPR replaced, many jurisdictions outside the European Union (EU) have followed concepts which it introduced. So understanding the GDPR and how it is enforced is important for businesses around the world. The changes which were ushered in by the GDPR on European regulators sitting as the EDPB (and it predecessor 25 May 2018 were both substantial and ambitious. The the Article 29 Working Party) as at the date shown on the Regulation is one of the most wide ranging pieces of front of this guide. We recommend that these materials be legislation passed by the EU and concepts such as the ‘right studied for more detail as to how supervisory authorities to be forgotten’, data portability, data breach notification interpret the GDPR. and accountability (to call out only a few) were significant developments. Even its legal medium - a regulation not a European data protection law has always been written using directive - made the GDPR an unusual piece of legislation a certain amount of jargon and bespoke definitions, and the for data protection lawyers to analyse. Since the Regulation GDPR is no different. To help those new to this language we allows EU Member States to introduce their own derogations have also included a glossary of terms which can be found at from those which are set out in the GDPR, for instance in the back of this guide. relation to HR data processing, data protection law remains multi layered in Europe. As further guidance on the GDPR and implementing provisions emerge from law makers, regulators and the This guide seeks to summarise key aspects of the GDPR and courts, we will continue to update this guide. If you would to highlight the most important actions which organisations like to receive updates from us, please let us know. In the should take in seeking to comply with it. meantime, we hope that you will find this guide useful. We have divided our summary into sections which broadly follow those used by the Regulation, but with each sub- divided into themes. Each sub-section starts with a speed read summary, a list of suggested priority action points and our assessment of the degree of change which the analysed section of the GDPR brought as compared to its predecessor legislation in the form of a pressure dial - ranging from green, indicating a small change, to red, indicating a significant change. We have also included a signpost in each sub-section to guide you to where you can find relevant source material within the Regulation. Also included are Ruth Boardman James Mullock Ariane Mole details of some of the key guidance materials published by Partner, UK Partner, UK Partner, FR 4 - © 2020 Bird & Bird All Rights Reserved Table of contents Scope, timetable and new concepts Data transfers » Material and territorial scope » Transfers of personal data » New and significantly changed concepts Regulators Principles » Appointment of supervisory authorities » Data protection principles » Competence, tasks and powers » Lawfulness of processing and further processing » Co-operation and consistency between » Legitimate interests supervisory authorities » » Consent European Data Protection Board » Children » Special categories of data and lawful processing Enforcement » Remedies and liabilities » Administrative fines Individual rights » Information notices » Subject access, rectification and portability Special cases » Rights to object » Derogations and special conditions » Right to erasure and right to restriction of processing » Profiling and automated decision-taking Delegated acts and implementing act » Delegated acts, implementing Accountability, security and breach notification acts and final provisions » Data governance obligations » Personal data breaches and notification Glossary » Codes of conduct and certifications The information given in this document concerning technical legal or professional subject matter is for guidance only and does not constitute legal or professional advice. Always consult a suitably qualified lawyer on any specific legal problem or matter. Bird & Bird assumes no responsibility for such information contained in this document and disclaims all liability in respect of such information. Bird & Bird is, unless otherwise stated, the owner of copyright of this document and its contents. No part of this document may be published, distributed, extracted, re-utilised, or reproduced in any material form, except with our express prior written approval. © 2020 Bird & Bird All Rights Reserved - 5 Scope, timetable and new concepts | Material and territorial scope Material and territorial scope At a glance To do list • As compared to Directive 95/46/EC (the “Data Organisations (i) with an EU Protection Directive”) which it replaces, the GDPR establishment or (ii) without an EU seeks to extend the reach of EU data protection law. presence but who target with goods/ services or monitor EU individuals, − An EU based data controller and processor falls should: into its scope where personal data is processed • understand the impact of the GDPR; “in the context of its activities” a broadly and interpreted test. • determine an approach to compliance. − Where no EU presence exists, the GDPR will still apply whenever: (1) an EU resident’s Organisations working in areas personal data is processed in connection where “special”/sectoral rules are with goods/services offered to him/her; or (2) common, should: the behaviour of individuals within the EU is “monitored”. • assess if they require specific Member State laws and advocate these if • Despite being a Regulation, the GDPR allows necessary (where this is still possible); Member States to legislate in many areas. This will and challenge the GDPR’s aim of consistency, in areas • keep a watching brief on such laws such as employee data processing. being promulgated in ways which may be unhelpful for them. • The GDPR does not apply to certain activities – including processing covered by the Law Enforcement Agencies (“LEA”) Directive, for national security purposes and processing carried out by individuals purely for personal/ household activities. • The GDPR came into effect on 25 May 2018. 1 - © 2020 Bird & Bird All Rights Reserved Scope, timetable and new concepts | Material and territorial scope Territorial scope For this update, we have factored in the final EDPB previously found that a website is not an establishment. The guidelines on territorial scope published in November 2019. EDPB provides the example of a hotel chain that targets EU consumers but has no presence in the EU. The correct EU “established” controllers or processors analysis would be under Article 3(2) (the extraterritorial provisions), not Article 3(1). The EDPB Guidelines also Pursuant to Article 3(1), the GDPR will apply to organisations confirm that just because an organization may be considered which have EU “establishments”, where personal data “established” for one activity will not render all its activities are processed “in the context of the activities” of such subject to GDPR. an establishment. If this test is met, the GDPR applies irrespective of whether Non-EU “established” organisations who the actual data processing takes place in the EU or not. target or monitor EU data subjects “Establishment” was considered by the Court of Justice of Pursuant to Article 3(2), non-EU established organisations will the European Union (“CJEU”) in the 2015 case of Weltimmo be subject to the GDPR where they process personal data v NAIH (C-230/14). This confirmed that establishment is about EU data subjects in connection with: a “broad” and “flexible” phrase that should not depend on legal form. An organisation may be “established” where it • the “offering of goods or services” (payment is not required); exercises “any real and effective activity – even a minimal or one” – through “stable arrangements” in the EU. The presence of a single representative may be sufficient. In that • “monitoring” their behaviour within the EU. case, Weltimmo was considered to be established in Hungary notwithstanding that it was incorporated in Slovakia. A/ For offering of goods and services (but not monitoring), mere accessibility of a site from within the EU is not sufficient. The EDPB guidelines align with the above case law, finding that “the threshold for ‘stable arrangement’ can be quite low It must be apparent that the organisation “envisages” that when the centre of activities of a controller concerns the activities will be directed to EU data subjects. In other words, provision of services online”. In some cases, “the presence it should be looked for signs of intent. As listed in the EDPB of a single employee or agent acts with a sufficient degree guidelines, relevant factors include: of stability” will suffice. However the EDPB does clarify that the mere presence of an employee in the EEA may not be • references to the EU or a Member State in promotional sufficient; the processing must also be carried out in the

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    82 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us