GDPR third countries

 

The GDPR regulates the transfer of personal data to third countries. For a transfer to be authorised, it must be based on either an adequacy decision, appropriate safeguards ensuring an adequate level of data protection, or one of the derogations provided for in the GDPR.


Recital 101 provides guidance on the rules for transferring personal data to a third country:

  • A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.

 

Article 45 « Transfers on the basis of an adequacy decision » is the basis on which the European Commission determines whether or not a third country ensures an adequate level of protection.

The adoption of an adequacy decision based on Article 45 of the GDPR involves:

  • A proposal from the European Commission
  • An opinion of the European Data Protection Board
  • An approval by the representatives of the EU countries
  • Adoption of the decision by the European Commission 


At present only a limited number of third countries are considered to offer adequate protection, so that personal data may be transferred to them on this basis.

The list of countries currently authorised by the European Commission is as follows.

  • Andorra,
  • Argentina,
  • Canada (commercial organisations),
  • Faroe Islands,
  • Guernsey,
  • Israel,
  • Isle of Man,
  • Japan,
  • Jersey,
  • New Zealand,
  • Republic of Korea,
  • Switzerland,
  • United Kingdom (under the GDPR and the LED),
  • Uruguay.

With the exception of the UK, these adequacy decisions do not cover data exchanges in the law enforcement sector, which are governed by the Law Enforcement Directive (Article 36 of Directive (EU) 2016/680).


In the absence of an adequacy decision under Article 45 of the GDPR, Article 46 « Transfers subject to appropriate safeguards » provides a list of « appropriate safeguards » on which a transfer to a third country may also be based.


These appropriate safeguards can be of various kinds:

  • Binding Corporate Rules (Article 47 of the GDPR): these are internal binding corporate rules relating to transfers of personal data to countries outside the European Union. They therefore constitute an internal « Code of Conduct » within a company group, defining the data transfer policy for each of the entities that make up the group, including their employees.
  • Standard Contractual Clauses (Article 93(2)) adopted by the European Commission, which have very recently been recast.
  • Codes of conduct approved under Article 40
  • International agreements or administrative commitments

 

In the absence of an adequacy decision (Article 45) and of appropriate safeguards (Article 46), the only remaining option is one of the derogations provided for by Article 49 of the GDPR « Derogations for specific situations ».


These derogations are as follows:

  • The data subject has given his/her explicit consent to the transfer
  • The transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken at the data subject's request (or of a contract concluded in his or her interest if he or she is not party to it)
  • The transfer is necessary for important public interest reasons
  • The transfer is necessary for the establishment, exercise or defence of legal claims
  • The transfer is necessary to protect the vital interests of the data subject or of other persons
  • The transfer is made from a register which is intended to provide information to the public and is open to consultation by the general public

Without an adequacy decision, appropriate safeguards, or derogations, the GDPR does not allow the transfer of personal data to a third country.


This article is only a short and incomplete one, but it aims to give you an idea of what the GDPR requires in certain situations. As non-compliance with the GDPR can lead to very heavy fines, I strongly advise you to ask your DPO or your GDPR consultant for advice and much more complete information.

GDPR European Union representative

 

All companies, societies (or associations), wherever they are located in the world, whatever their size or sector of activity, and whether they are public or private, must comply with the GDPR as soon as they process personal data of individuals located in Europe; otherwise they may be ordered to pay large fines in the event of an inspection.

One of the obligations of the GDPR for companies based outside the EU, which deal with personal data of individuals located in Europe, is to appoint a GDPR representative in Europe. This is an obligation and not an option. However, there are circumstances where it is possible to be exempt from this obligation. There are therefore exemptions.

Let’s start with the definition of a GDPR representative as set out in Article 4(17).
What is a representative under the GDPR?

 

The first source I will share with you is Recital 80, which is part of the full GDPR, along with 172 other recitals and 99 articles. This recital 80/172 explains in detail the obligations regarding the appointment of a GDPR representative for a non-EU entity.

The following is a brief summary of Recital 80 of the GDPR, for ease of reading and understanding of what the representative is, how it is designated and what its role is.

 

The second source I will share is Article 27 of the GDPR, which concerns the obligation to appoint a representative of the « controller » in Europe, if the company is based outside the EU and deals with personal data of individuals located in Europe. This article also explains what the exemptions are regarding the appointment of a GDPR representative in Europe.

 

Here I will focus on the exemption from the appointment of a European GDPR representative for entities based outside the EU.

According to the GDPR, the following cases allow an entity to be exempted from the appointment of a representative in the European Union.

These exemption possibilities are not cumulative: if only one of the cases is present, the exemption is not possible. This is most often the case for non-occasional processing.

This is the end of this short article about the obligation for any entity located outside the European Union that processes personal data of persons located in Europe to appoint a representative, and about the possibility of exemption from such designation.

That being said, I strongly advise you to call on a GDPR consultant, your DPO, or a specialist lawyer. Because the fines for not respecting the GDPR can be very expensive.

 

Re-use of personal data in the context of the GDPR

 

I collected personal data a few years ago, in this case email addresses for a specific purpose. Is it possible to reuse personal data that I collected before the GDPR for another purpose?

So first of all, what is personal data in the sense of the GDPR? Because many people don’t really know what personal data is and think that it is limited to names, surnames and addresses. But don’t worry, Article 4 gives the official definition of personal data.

 

(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

 

The European Commission website provides a non-exhaustive list with examples of personal data.

 

  • A first and last name.
  • A personal address.
  • An e-mail address such as personalname@company.
  • An identity card number.
  • Location data (e.g. location data function on a mobile phone)*.
  • An Internet Protocol (IP) address.
  • A cookie identifier*.
  • Your phone’s advertising ID.
  • Data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.

 

This same site also gives a small list, also not exhaustive, of what is not personal data.

 

  • A business registration number.
  • An email address as info@company.com.
  • Anonymised data.

 

Having settled this, let's get back to the problem at hand: « I collected personal data a few years ago, in this case email addresses for a specific purpose. Is it possible to reuse personal data that I collected before the GDPR for another purpose? »

So what elements do we have in order to answer this question?

 

  • Collection of personal data.
  • Collected before the GDPR, i.e. before May 2018
  • Collected for a specific purpose.

 

Whereas the GDPR requires a legal basis for the processing of personal data.
Whereas the GDPR requires a time limit for the retention period.
Whereas the processing has received consent for a specific purpose.

The elements of the answer obviously apply to all types of personal data.

Let us ask ourselves different questions:
What is the legal basis for the retention period? Is the retention period compatible with Article 5(1)(e) of the GDPR, which states that personal data must be:

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

 

Is post-consent processing compatible with Article 5(1)(b), which requires that personal data must be:

 

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

 

And the answers to the questions we have asked ourselves will determine whether we can legally re-use the data collected.

 

  • If the retention period has been set to be compatible with Article 5.e of the GDPR, we have a first element that allows us to re-use this data. If the retention period is not compliant, we will not be able to re-use the data legally.
  • Then, if the retention period is compliant AND the purpose for re-using the personal data is respected and therefore remains the same as the initial consent, there is nothing to prevent the re-use.
  • On the other hand, if the retention period is compliant BUT the purpose for re-use of the data does not correspond to the purpose of the initial consent, then re-use is not allowed for this new purpose.

 

BUT it is a bit more complex than that, and the European Commission gives more guidance on the re-use of data for a new purpose.

 

If your company/organisation has collected data on the basis of a legitimate interest, contract or vital interests, it may be used for another purpose but only after checking that the new purpose is compatible with the original purpose.

Attention should be paid to the following points:
– the link between the original purpose and the new or future purpose
– the context in which the data were collected (What is the relationship between your company/organisation and the data subject?)
– the type and nature of the data (Are they sensitive?);
– the possible consequences of the envisaged further processing (What impact will it have on the data subject?);
– the existence of appropriate safeguards (such as encryption or pseudonymization).

If your company/organisation wishes to use the data for statistical or scientific research purposes, there is no need for a compatibility test.
If your company/organisation has collected data on the basis of consent or in compliance with a legal requirement, no further processing beyond the areas covered by the original consent or legal provision is possible. Further processing would require a new consent or legal basis.

Examples
Further processing is possible.
A bank has a contract with a customer to provide a bank account and a personal loan. At the end of the first year, the bank uses the customer’s personal data to check whether he or she is eligible for a better type of loan and a savings plan. It informs the customer of this. The bank may process the customer’s data again because the new purposes are compatible with the original purposes.

Further processing is not possible.
The same bank wants to share the customer’s data with insurance companies, based on the same contract for a bank account and a personal loan. This processing is not allowed without the explicit consent of the customer as the purpose is not compatible with the original purpose for which the data were processed.

References
– Articles 5(1)(b), 6(4), 89(1); Recitals 39, 50
– Article 29 Working Party. Opinion 03/2013 on purpose limitation, 2 April 2013 (WP 203)

 

The answer to the question of re-use of personal data is therefore not so simple, and you will have to ask yourself several questions before knowing whether or not it will be possible to re-use personal data for a new purpose.

That being said, I strongly advise you to call on a GDPR consultant, your DPO, or a specialist lawyer. Because the fines for not respecting the GDPR can be very expensive.

 

 

Sources :
https://gdpr-text.com/ 
https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/principles-gdpr/purpose-data-processing/can-we-use-data-another-purpose_en


GDPR lawfulness of processing

 

The GDPR provides several legal bases for the lawful processing of personal data in accordance with its Articles 5(1)(a) and 6.
The CNIL, the French supervisory authority, defines the legal basis as follows:

 

The legal basis of a processing operation is what legally authorizes its implementation, which gives an organization the right to process personal data. It can also be referred to as the « legal basis » or « legal foundation » for processing.

 

Without an adequate legal basis for each processing operation, the processing of personal data is not lawful, and the controller is likely to be sanctioned by the supervisory authority in the event of an audit.

 

Article 5 – Principles relating to the processing of personal data

Personal data must be:
(a) processed lawfully, fairly and transparently with regard to the data subject (lawfulness, fairness, transparency);

 

There are 6 legal bases proposed by the GDPR:
– Consent;
– The contract;
– Legal obligation;
– Safeguarding vital interests;
– Public interest;
– Legitimate interests.

 

These 6 legal bases are the only legal bases proposed by the GDPR and there is no other possibility to make processing of personal data lawful.

Article 6 specifies the conditions of what the GDPR calls lawfulness of processing, and lists in detail the different existing possibilities. The 6 legal bases are listed in its paragraph 1, points (a) to (f).

 

Article 6 – Lawfulness of processing

1. Processing shall be lawful only if and insofar as at least one of the following conditions is met:
(a) the data subject has consented to the processing of his/her personal data for one or more specific purposes;
(b) the processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the request of the data subject;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail, in particular where the data subject is a child.
Point (f) of the first paragraph shall not apply to processing carried out by public authorities in the performance of their tasks.

2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation in relation to processing for the purpose of complying with paragraph 1(c) and (e), by determining more precisely the specific requirements applicable to the processing as well as other measures to ensure lawful and fair processing, including in other specific processing situations as provided for in Chapter IX.

3. The basis for the processing referred to in paragraph 1(c) and (e) shall be defined by:
(a) Union law; or
(b) the law of the Member State to which the controller is subject.
The purposes of the processing shall be defined in that legal basis or, in the case of the processing referred to in paragraph 1(e), shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This legal basis may contain specific provisions to adapt the application of the rules of this Regulation, inter alia general conditions governing the lawfulness of processing by the controller; the types of data that are subject to processing; the data subjects; the entities to which personal data may be disclosed and the purposes for which they may be disclosed; purpose limitation; retention periods; and processing operations and procedures, including measures to ensure lawful and fair processing, such as those provided for in other specific processing situations as set forth in Chapter IX. Union or Member State law shall serve a public interest objective and be proportionate to the legitimate objective pursued.

4. Where processing for a purpose other than that for which the data were collected is not based on the consent of the data subject or on Union law or the law of a Member State which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller, in order to determine whether processing for another purpose is compatible with the purpose for which the personal data were originally collected, shall take into account, inter alia:
(a) whether there is a link between the purposes for which the personal data were collected and the purposes of the intended further processing;
(b) the context in which the personal data were collected, in particular as regards the relationship between the data subjects and the controller;
(c) the nature of the personal data, in particular if special categories of personal data are processed pursuant to Article 9 or if personal data relating to criminal convictions and offences are processed pursuant to Article 10;
(d) the possible consequences of the proposed further processing for the data subjects;
(e) the existence of appropriate safeguards, which may include encryption or pseudonymization.

 

To illustrate the application of Article 6 and the different choices offered as legal bases, I will propose two simple examples.

The first example is a processing operation necessary for the execution of a contract. In this case consent is neither the most judicious nor the most logical choice of legal basis; the legal basis would simply be « the performance of a contract ».

The second example would be for a processing serving the subscription to a newsletter, the most logical choice would be the consent, because no other legal basis would be appropriate. The legal basis for processing for the performance of a contract, as in the first example, would obviously not be the best choice.

It is very important to check that the legal basis is adequate to the situation, because not only is it the only way to make the processing lawful, but it is also an important piece of information that must be included in various documents in your accountability file.

The lawfulness of the processing goes much further and is much more complex than the choice of the legal basis.
But it is an important point to take into account, and a carefully considered choice to make. Some processing is purely and simply forbidden, even if there are exceptions provided by the GDPR. I will surely talk about it in a future article.

I invite you to contact a GDPR consultant or a DPO for more information and help for the implementation of your compliance.

Christian

GDPR accountability

 

In this article, I will explain the different things you need to know about accountability, which roughly means that you as a data controller are obliged under the GDPR to document your compliance, in order to clearly demonstrate your compliance to a supervisory authority.

 

The CNIL, which is the official French supervisory authority, as well as the ICO for the UK, give the following definition of accountability.

 

Accountability refers to the obligation for companies to implement internal mechanisms and procedures to demonstrate compliance with data protection rules.

 

The principle of accountability is enshrined in Article 5(2) of the GDPR, which dictates the principles for processing personal data.

 

Article 5 – Principles for processing personal data

1. Personal data must be:
(a) Processed lawfully, fairly, and transparently with respect to the data subject (lawfulness, fairness, transparency);
(b) Collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archival purposes in the public interest, for scientific or historical research purposes, or for statistical purposes shall not be considered, in accordance with Article 89(1), as incompatible with the original purposes (purpose limitation)
(c) Adequate, relevant, and limited to what is necessary for the purposes for which they are processed (data minimization)
(d) Accurate and where necessary kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. (accuracy)
(e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed; personal data may be kept for longer periods insofar as they are processed exclusively for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1), provided that the appropriate technical and organizational measures required by this Regulation to safeguard the rights and freedoms of the data subject are implemented. (limitation of storage)
(f) Processed in such a way as to ensure appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by means of appropriate technical or organizational measures (integrity and confidentiality);

2. The controller is responsible for compliance with paragraph 1 and is able to demonstrate compliance (accountability).

 

Recital 74 of the GDPR clarifies the notion of accountability in relation to the controller's responsibility and documentation obligation.

 

Recital 74 Responsibility and Liability of the Controller

The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established.
In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures.
Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.

 

The GDPR indeed provides for different elements that allow a documentation file to be built up. So what types of document does the GDPR provide for in order to demonstrate compliance?

The CNIL, in its practical sheet « documenting your compliance », lists the different things to include in your documentation file:

 

Documenting your compliance (CNIL)

The documentation on your personal data processing

1. The register of processing operations (for data controllers) or categories of processing activities (for processors),
2. Data Protection Impact Assessments for processing operations that are likely to generate high risks for the rights and freedoms of individuals
3. The framework for data transfers outside the European Union (in particular standard contractual clauses or BCRs).

Information to individuals

1. Information statements,
2. Models for collecting the consent of the persons concerned.
3. The procedures put in place for the exercise of the rights of individuals.

Contracts that define the roles and responsibilities of the actors

1. Contracts with subcontractors
2. Internal procedures for dealing with data breaches,
3. Evidence that data subjects have given their consent when their data is processed on that basis.

 

Accountability will be complete when your documentation file contains all the elements that demonstrate that you are in compliance with your obligations regarding the GDPR.

The elements constituting your documentation file will have to be checked regularly and updated if necessary.

 

This is a brief introduction to GDPR accountability.
I invite you to contact a GDPR consultant or a DPO for more information and help with the implementation.

Christian

 

GDPR Privacy and data protection by design & data protection by default

 

According to the European Data Protection Supervisor, « “privacy by design” is used to designate the broad concept of technological measures for ensuring privacy as it has developed in the international debate over the last few decades. »

This concept is not new. In fact, according to Wikipedia, « Ann Cavoukian, former Information and Privacy Commissioner of Ontario, developed the “privacy by design” approach to systems engineering. This approach was formalized in a joint report on privacy-enhancing technologies by a joint team of the Information and Privacy Commissioner of Ontario (Canada), the Dutch Data Protection Authority and the Dutch Organization for Applied Scientific Research in 1995. The Privacy by Design framework was published in 2009 and adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010. »


According to this framework, Privacy by Design is based on seven « core principles ».

1. Proactive, not reactive; preventive, not remedial.
2. Privacy as a default setting
3. Privacy built into the design
4. Full functionality – positive sum, not zero sum
5. End-to-end security – full life cycle protection
6. Visibility and transparency – stay open
7. User privacy – stay user-centric


The concept of « privacy by default » foresees that the application of the seven core principles put in place at the design stage is also active by default, without the user having to intervene.

Still according to the European Data Protection Supervisor, the terms “data protection by design” and “data protection by default” are used « to designate the specific legal obligations established by Article 25 of the GDPR. While measures taken under these obligations will also contribute to achieve the more general objective of “privacy by design”, considering that a wider spectrum of approaches may be taken into account for the objective of “privacy by design” which includes a visionary and ethical dimension, consistent with the principles and values enshrined in the EU Charter of Fundamental Rights of the EU. »

Article 25 of the GDPR details the concepts and mandatory measures to be implemented by the data controller regarding data protection by design and data protection by default.

 

Art. 25

GDPR Data protection by design and by default

  1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
  2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
  3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

 

Recital 78 provides additional information and context that complement Article 25.

 

Recital 78

Appropriate Technical and Organisational Measures

The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.

 

This is a brief introduction to privacy by design, data protection by design and data protection by default.
I invite you to contact a GDPR consultant or a DPO for more information and help with the implementation.

Christian

Sources :
wikipedia privacy by design
edps preliminary opinion on privacy by design
edpb guidelines on dataprotection by design and by default
gdpr