The new EU GDPR
For Foreign Organisations Outside the EU
Brussels / Tel-Aviv, May 2018
The EU General Data Protection Regulation (GDPR) will enter into force in the European Union (EU) and the countries of the European Economic Area (EEA) on 25 May 2018. The GDPR will also apply to a large number of businesses established outside of the EU / EEA that either have a presence in the EU / EEA, pursue business activities within it, or monitor the behaviour of individuals there, for example via “cookies” or IP addresses.
The GDPR provides for large fines of up to 4% of a company’s global turnover for the last financial year or € 20 million, whichever is higher, for non-compliance. Individuals (“data subjects”) who suffer damage as a result of a company’s breach of the GDPR provisions may also bring claims for damages against the non-compliant company. Corporates also risk reputational damage if implicated in data breaches.
It is, therefore, indispensable for large international corporates with presence / activities in the EU / EEA to have adopted adequate GDPR compliance policies ahead of GDPR’s entry into force in May 2018.
The GDPR imposes minimum compliance standards and allows EU / EEA Member States to adopt stricter compliance / enforcement standards as they deem appropriate at a national level. It is, therefore, also important for you, the Israeli entity which has a presence in the EU / EEA, pursues business activities within it, or monitors the behaviour of individuals there (“the Foreign Entity”), to consider whether you are compliant with the national data protection rules applicable in those EU / EEA Member States where your company has a presence or pursues business activities.
The GDPR Introduces New Data Protection Elements and Stricter Compliance Standards
Once the GDPR enters into force, businesses acting as data controllers will be subject to substantially increased obligations. Data processors will also become subject to data protection obligations. GDPR’s strong focus on accountability means that both data controllers and processors will be required to keep detailed records of their activities. Business contracts with data processors, and likely also existing data privacy notices and existing policies for obtaining consent to data use, will need to be amended / refreshed to reflect the new GDPR rules.
Finally, the GDPR introduces new definitions of personal data and will apply to practices such as “cookies” and IP addresses that render an individual ‘identifiable’ by a business. The definition of ‘sensitive’ personal data now also includes genetic data.
Data Controllers / Processors
As mentioned earlier, data processors will now also be directly subject to a limited set of GDPR obligations. It is therefore important that the relevant new mandatory data protection elements of the GDPR are included in contracts with data processors.
Data controllers decide how and why data are processed, whereas data processors act only on the instructions of the data controllers. Depending on the circumstances, corporates such as the Foreign Entity may function as data controllers or processors vis-à-vis third parties.
For example, if a business only collects and processes personal data on its own behalf, then the GDPR obligations are addressed to the data controller. If, on the other hand, a business processes personal data on behalf of its customers, the processor of the customers’ data will likely also be subject to the GDPR obligations.
Depending, therefore, on the factual analysis regarding the nature of the data processing activity, it may well be that the data controller will be responsible for some data processing whilst the data processor will be responsible for third party data processing. The data controller will in any event be responsible for the business customer data including the contact details of the individuals working for the company’s customers.
In light of the preceding comments, it would appear prudent for the Foreign Entity to
• establish whether, pursuant to any existing or future contractual relationship with third parties, the Foreign Entity might be assuming the functions of a data controller or a data processor, or both, and keep a record of the relevant assessment; and
• ensure that the Foreign Entity’s correct data protection function and qualification is reflected in relevant contracts and records of commercial negotiations.
Lawful Data Processing – Customer Consent
According to the GDPR, personal data processing is prohibited unless the data controller has a lawful basis for processing such data. Lawful data processing includes instances where
• The data subject has given consent to such processing;
• The data subject is party to a contract and data processing is necessary for the execution of such a contract / entering into such a contract;
• Data processing is necessary for compliance with the data controller’s applicable legal obligations;
• Data processing is necessary to protect the vital interests of the data subject or of one or more other natural person(s);
• Data processing is necessary for the performance of a task in the public interest or in the exercise of official authority vested with the controller; and
• Data processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Please kindly note that stricter data processing rules apply to personal data relating to ethnic or racial origin, religious beliefs, health or sex life / sexual orientation, and criminal records. The processing of such sensitive personal data generally requires the data subject’s explicit consent unless (1) the data subject’s life or others’ lives are at risk and the data subject is unable to give consent; (2) such data processing is necessary for public interest reasons set out in EU / EEA or EU / EEA Member State laws; or (3) such processing is necessary for the establishment, exercise or defence of legal claims.
In such exceptional instances, it is advisable to always maintain a proper record of the occurrence of circumstances justifying data processing without the data subject’s consent. These exceptions should be interpreted in a restrictive manner and do not leave scope for arguments based on legitimate interests / expectations or contract performance.
Finally, the GDPR establishes the obligation of data controllers to always be able to demonstrate that a data subject has clearly and in an adequately informed manner consented to data processing and that the data subject maintains the right to withdraw such consent at any time.
In light of the preceding comments, it would appear prudent for the Foreign Entity to
• establish whether the Foreign Entity (1) maintains records of all customers’ and employees’ data processing consents received; (2) does not collect personal data unless absolutely necessary; and (3) does not maintain personal data records longer than necessary; and
• establish whether each individual person or company on the Foreign Entity’s marketing databases has explicitly consented to receive the Foreign Entity’s marketing materials or, in the case of existing customers, has been given the opportunity to opt out of receiving such materials, and confirm that such persons’ / companies’ wishes have always been complied with; and
• provide for an appropriate opt-out option in business contacts concerning (electronic) marketing.
Record Keeping and Auditing
The GDPR mandates that companies must be able to demonstrate that they have complied with their obligations under the GDPR by reference to appropriate records and evidence. Data controllers will no longer have to register with EU / EEA Member State Data Protection Authorities.
However, they will need to maintain appropriate records of their data processing activities regarding (1) the purposes of processing; (2) the data subjects and categories of personal data concerned; (3) details of personal data transferred outside the EU/EEA; (4) the envisaged time limits for deletion of various categories of data; and (5) a general description of the technical and organisational security measures used to ensure safe maintenance of personal data. These records must be available for inspection by the relevant EU / EEA Member State Data Protection Authorities upon request.
Data processors will need to maintain more limited data processing records relating to the type of data they process and for whom; data transferred outside the EU/EEA, and a general description of the technical and organisational security measures they use to keep personal data safe.
In light of the preceding comments, it would appear prudent for the Foreign Entity to conduct an audit on (1) the personal data the Foreign Entity is processing; (2) the purpose served by the Foreign Entity in collecting such data; (3) the use by the Foreign Entity of such data; (4) the purpose served by the Foreign Entity in using such data; (5) the manner in which the Foreign Entity uses such data; (6) the place where the Foreign Entity keeps such data; (7) whether the Foreign Entity has excessive personal data in its archives; and (8) whether the Foreign Entity still needs all such data and, if so, for what purposes.
Please kindly note that the GDPR does not provide for transitional periods regarding compliance with its provisions. Therefore, if it appears that the Foreign Entity may hold personal data that are out of date or no longer needed, it is best to delete or anonymise them.
Privacy Policies and Notices
The GDPR increases the amount of information to be provided by companies to data subjects on the processing of their personal data by way of privacy notices. In cases, for example, where data controllers rely on the concept of legitimate interests when processing personal data, the data subjects must be informed at the outset of what those legitimate interests are. Such privacy notices must also point out to data subjects their GDPR rights, including, as mentioned earlier, their right to withdraw their data processing consent at any time, and the right to lodge a complaint with a competent EU/EEA Data Protection Authority.
In cases where a company processes personal data which it has not received directly from the data subjects, it must inform the relevant data subjects so that they are made aware of such data processing. Companies must provide information to data subjects setting out the categories of personal data being processed, the source of such personal data, and whether the data was obtained from publicly accessible sources.
In light of the preceding comments, it would appear prudent for the Foreign Entity to
• ensure that the Foreign Entity privacy policies are updated with reference to the new requirements set out in the GDPR;
• introduce, where technically possible, instant data privacy notices for immediate consideration by data subjects, when such data subjects are invited to provide their personal / business contact details to the Foreign Entity, advising data subjects on how their data will be used; and
• inform data subjects of cases where the Foreign Entity receives their personal data from third parties. If this is not technically feasible, the Foreign Entity should include clauses in its contracts with the third parties which provide the Foreign Entity with such data, ensuring that data subjects are aware of such data transfers and are able to enforce their rights.
Additional and Enhanced Rights for Individuals
The GDPR enhances and increases data subject rights. For example:
1. The information to be provided to a data subject upon request should under the GDPR include the right of the data subject to lodge a complaint with the competent EU/EEA Data Protection Authority, as well as information on data transfers outside of the EU/EEA. In addition, companies will in the future have to handle such requests ‘without delay’ or at the latest within one month of receipt of a request, as opposed to the present 40 days.
2. Regarding data deletion requests, the GDPR now strengthens the data subjects’ ‘right to be forgotten’ and sets out in detail the circumstances where the data controller must on request erase personal data without undue delay.
3. There is a new right to data portability relating to data provided directly by the data subject, where the data processing is based on consent or on the carrying out of a contract; and the processing is carried out by automated means (e.g. on computers and similar devices). The data should be provided to the requesting data subject in a structured, commonly used and machine-readable format and the requesting data subject may transmit the data to another data controller.
4. The GDPR grants data subjects the right to object to their data being processed where the processing is carried out (1) in compliance, by the controller, with a public interest obligation; or (2) pursuant to the legitimate interests of the controller or a third party. A data controller may nevertheless proceed with the data processing at issue where “compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject” are shown to exist; or in cases where data processing is necessary for the establishment, exercise or defence of legal claims.
5. The GDPR grants data subjects the right to object to the processing or storage of their personal data for direct marketing purposes.
6. The GDPR also grants data subjects the right to request that the data controller restrict the processing of their data.
In light of the preceding elements, it would appear prudent for the Foreign Entity to ensure that it may adequately deal with requests from data subjects seeking to enforce their rights under the GDPR within the shorter period now mandated by the GDPR. It would also appear prudent for the Foreign Entity to establish relevant internal processes and procedures for the handling of data subject requests, including setting up a designated team in this respect.
Additional Contractual Provisions with Data Processors
Companies may consider including additional contractual clauses to best comply with, and preserve their position under, the new GDPR provisions. Such additional clauses may relate, for example, to an obligation on the data processors to (1) act only on the written instructions of the data controller; (2) impose confidentiality obligations on the staff who will be processing the data; and (3) delete or return the personal data at the end of the provision of the services related to the data processing concerned.
In light of the preceding comments, it would appear prudent for the Foreign Entity to
• assess which of the Foreign Entity service providers are acting as data processors or controllers; and
• ensure that the Foreign Entity’s contracts comply with, and refer to, the necessary GDPR elements.
Personal Data Breaches
The GDPR establishes an obligation on data controllers to notify every personal data breach to the relevant EU/EEA Member State Data Protection Authority within 72 hours of becoming aware of such a personal data security breach, unless the data breach is “unlikely to result in a risk to the rights and freedoms of natural persons”.
When the personal data breach is “likely to result in a high risk to the rights and freedoms of natural persons”, the data controller must also notify the data subject “without undue delay”. The term “without undue delay” suggests a shorter notification period in such cases than 72 hours.
Data processors are also under a direct GDPR obligation to notify the relevant data controllers “without undue delay” on becoming aware of a personal data breach. This is an important new provision in EU data protection law.
In addition to the notification requirements, data controllers will need to keep a register of any personal data breaches, including details of each data breach and the action taken to remedy its harmful effects. Such records should be available for inspection by the relevant EU/EEA Member State Data Protection Authorities.
In light of the preceding comments, it may be prudent for the Foreign Entity to
• create and maintain a register of data breaches. In addition, it would appear prudent for the Foreign Entity to update its cyber security breach procedures taking into account the short notification time limits mandated by the GDPR for data breaches;
• consider enhancing existing internal data breach handling processes and procedures as well as setting up a team to handle such matters. Indeed, in case of a security breach, the time available under the GDPR for determining any damage caused, and the extent thereof, to the relevant data subjects is very short. The same applies to the need to determine whether or not the breach requires notification to the competent EU/EEA Member State Data Protection Authority and/or the data subjects concerned; and
• consider whether the Foreign Entity has appropriate cyber security insurance in place and maintains arrangements with public relations advisors to assist in reducing reputational damage emanating from a personal data breach.
‘Privacy by Design’
An important new concept under the GDPR is ‘privacy by design’. When companies introduce new products, services, or processes, data controllers will need to demonstrate that the impact of such products, services or processes has been considered, and that steps have been taken to minimise any negative impact on data subjects. Data should be pseudonymised where possible and should not be collected unless this is really needed.
In light of the preceding comments, it would appear prudent for the Foreign Entity to
• not collect personal data unless the Foreign Entity can justify the relevance of such collection for its business activities and has conducted and documented relevant privacy impact assessments; and
• make sure that the Foreign Entity’s internal data protection policies are up to date and that data processing performed by the Foreign Entity is transparent.
Appointment of Data Protection Officers
According to the GDPR, there will no longer be a need to register as a data controller in an EU/EEA Member State. Data controllers and processors must however designate a ‘data protection officer’ where
• the “core activities” of the controller or the processor consist of “processing operations which require regular and systematic monitoring of data subjects on a large scale”; or
• the ‘core activities’ of the controller or the processor consist of “processing on a large scale” of “special categories of data” (i.e. ‘sensitive personal data’) and “personal data relating to criminal convictions and offences”.
A data controller or processor can also choose to appoint a data protection officer voluntarily, or an EU/EEA Member State can require such appointment under national law. Under the GDPR, data protection officers should have expertise on both national data protection law and the GDPR.
In light of the preceding comments, it would appear prudent for the Foreign Entity to
• assess whether the Foreign Entity should appoint a data protection officer; and
• consider whether the Foreign Entity has appropriate staff for this role or whether the Foreign Entity will need to hire a new officer or outsource the role.
We do hope that you will find the preceding comments on the EU GDPR useful. Obviously, a precise assessment of the impact of the new EU GDPR on the Foreign Entity’s conduct of business and regulatory compliance will depend on a thorough understanding of the nature and extent of the data processing activities occurring as a result of the Foreign Entity carrying out its ordinary business activities. In addition, as mentioned earlier, the Foreign Entity will need to consider compliance with EU/EEA Member State data protection legislation that may go beyond the standards set out by the GDPR.
We would of course be delighted to be given the opportunity to assist the Foreign Entity in its compliance efforts regarding the new EU GDPR in relevant EU/EEA Member States, as necessary.
Dr. Konstantinos Adamantopoulos, Partner, Attorney at Law, KA Legal / European Lawyers for Business, E: firstname.lastname@example.org
Adv. Harel Peleg, Managing Partner, HPLaw, E: Harel@hplaw.co.il