gdpr compliance measures legal basis of gdpr · 2 introduction 132 days with effect as of 25 may...

DÜSSELDORF – MÜNCHEN – TOKIO GDPR Compliance Measures Legal Basis of GDPR 12 January 2018 ARQIS Rechtsanwälte Dr. Meiko Dillmann Dr. Philipp Maier

Post on 17-Aug-2020


Page 1: GDPR Compliance Measures Legal Basis of GDPR · 2 Introduction 132 Days With effect as of 25 May 2018: New EU General Data Protection Regulation No. 2016/679 („GDPR“) replaces

DÜSSELDORF – MÜNCHEN – TOKIO

GDPR Compliance Measures

Legal Basis of GDPR

12 January 2018

ARQIS Rechtsanwälte

Dr. Meiko Dillmann

Dr. Philipp Maier

Introduction

132 Days

• With effect as of 25 May 2018: New EU General Data Protection Regulation No. 2016/679 („GDPR“) replaces Directive 95/46/EC.

• GDPR will directly apply in all EU Member States without the need of national implementation, a „national level“ of legislation is therefore no longer necessary but – to some extent – still feasible.

Agenda

The following agenda is based on the most frequently asked questions by Japanese businesses on the GDPR:

I. Principles of Data Processing
II. The Data Protection Officer
III. International Data Transfer
IV. Global Employee Databases

I. Principles of Data Processing

1. Lawfulness, fairness, transparency

2. Purpose limitation

3. Data minimisation

4. Accuracy

5. Storage limitation

6. Integrity and confidentiality

7. Accountability

Obligation to comply with data protection regulations and to demonstrate compliance → Necessity to put in place and document processes

• Certain non-compliance with the GDPR may result in fines up to 4% of the annual (worldwide) turnover or up to 20 million Euros, whichever is higher, in case of:

– e.g. breach of requirements relating to international transfers, data subjects’ rights or the basic principles of processing, such as conditions for consent.

• Other specified infringements impose fines up to 2% of the annual (worldwide) turnover or 10 million Euros, whichever is higher, in case of:

– e.g. security and data breach notification obligations.

II. The Data Protection Officer (DPO)

1. Appointment

a) Required?
b) Where?
c) Who?
d) How?

2. Tasks and Involvement

3. Liability DPO

1. Appointment

a) Required if data processing is

| Criteria | Content |
|---|---|
| “core activity” | Key operation to achieve the data controller’s tasks, e.g. hospital, security company, online shopping platform, online travel platform. |
| which requires “regular and systematic monitoring” of data subjects or consists of processing special categories of data | All forms of constant or periodic tracking and profiling, e.g. on the internet with mobile apps, that is pre-arranged as following a general plan; all data as defined in Art. 9 GDPR, e.g. health data, genetic and biometric data, data on political or sexual orientation, etc. |
| on a “large scale” | No precise number defined; indications are a high number of data subjects, high volume of data, permanence, etc., e.g. regular processing of customer data for behavioral advertising. |

1. Appointment

b) Where

• The DPO may be located within or outside the EU:

• Option for multinational companies to appoint the same person as DPO for several group companies (Art. 37 (2) GDPR);

– Disadvantage: (i) accessibility from all entities and data subjects must be ensured, including sufficient language skills, and (ii) knowledge of national data protection laws of the DPO and his team is necessary, and (iii) national law may also require the appointment of a DPO

1. Appointment

c) Who

• Data Protection Officer may be a staff member or external service provider (Art. 37 (6) GDPR);

• In Germany, the practice shows that approx. 2/3 of the data controllers have an internal DPO and 1/3 an external DPO.

[Chart: External vs. Internal DPO: internal 2/3, external 1/3]

1. Appointment

c) Who

| Skills | Requirements |
|---|---|
| Level of expertise | Not defined by the GDPR; determination depending on data processing: the higher the risk level of data processing, the higher the level of the expertise must be, e.g. regular transfer of data to Japan (higher expertise necessary) vs. occasional transfer (lower expertise sufficient). |
| Professional qualities | Expertise in national and European data protection laws, understanding of IT and data security, knowledge of the business sector and organization, understanding of the processing operations |
| Personal qualities and knowledge | Integrity, high work ethics, initiative, organization, communication, negotiation, conflict resolution, ability to build working relationships, leader. |

1. Appointment

c) Who

• Typically, most of the DPOs, if internal, are selected from the legal or compliance department because the risk of a conflict of interest is lower than in other departments and because of the available skill set.

[Chart: Function of DPO, by department: Legal, Compliance, Risk, HR, IT, Security]

1. Appointment

d) How?

| Criteria | Content |
|---|---|
| Form | Not regulated, but written appointment for the purpose of evidence recommended (in Germany mandatory); definition of the tasks of the DPO in the employment contract or the appointment notice; if already employed, conclusion of addendum to employment to be considered. |
| Announcement & Notification (Art. 37(7) GDPR) | Announcement of the contact details (e.g. email, telephone and/or postal address – name not necessary) of the DPO to company internally, e.g. through intranet, and externally on website and in privacy policy to ensure access; notification of the contact details including the name to the supervisory authority. |

1. Appointment

d) How?

| Requirements | Content |
|---|---|
| Term | No limitation regulated; for compliance and transparency reasons a maximum term for internal DPOs is recommendable; in Germany a fixed term of 2 – 5 years is common. |
| Part-time or Full-time | No limitation regulated; to be determined on the extent of data processing. Conflict of interest must be avoided. |
| Designation of Representation | Not regulated; internal designation of a representative for the case of the unavailability of the DPO is recommended because the DPO must be accessible for data subjects and authorities. |
| Timing | Upon starting data processing activities that require appointment. |

2. Tasks of the Data Protection Officer include (Art. 39 GDPR):

• The DPO tasks can be performed by a team!

| Tasks | Content |
|---|---|
| Inform and advise about obligations pursuant to the GDPR | Provide internal trainings, inform about changes to the law, etc. |
| Monitor compliance with the GDPR | Collect information to identify data processing activities; analyze and check compliance of data processing; inform, advise and issue recommendations, etc. |
| Provide advice where requested regarding the data protection impact assessment (DPIA) and monitor its performance | Advice on whether or not to carry out DPIA, whether DPIA has been correctly carried out and is in compliance with GDPR, what safeguards to take to minimize risks, whether to carry out DPIA in-house or whether to outsource, etc. |

2. Tasks of the Data Protection Officer include (Art. 39 GDPR):

| Tasks | Content |
|---|---|
| Cooperate with the supervisory authority | Act as “facilitator” for the supervisory authority: follow and implement compliance requests, handle communication in the event of data leaks, handle investigations, consult with supervisory authority, etc. |
| Act as the contact point for data subjects | Act on request to delete or amend data, investigate complaints by data subject, etc. |
| Not regulated but recommended to be included in task description: record keeping | Create inventories, maintain a register of processing operations and of inquiries from data subjects, etc. |

2. Involvement, Provision of Necessary Resources, Independence (Art. 38(1),(2),(3) GDPR):

| | Content |
|---|---|
| Involvement | Company must permit attendance of senior and middle management meetings, must permit timely access to all information and documents necessary for the tasks of the DPO, the opinion of the DPO must be given due weight (it is recommendable to record if the company proceeds against the opinion of the DPO). |
| Provision of Necessary Resources | Company must ensure DPO has sufficient time to fulfill duties, sufficient personnel (supporting staff/team), infrastructure and equipment, continuous own training, financial resources (budget). |
| Independency | DPO must be able to act independently, may not be instructed on his tasks, may not be penalized or dismissed for performing his duties, shall report to the highest management |

3. Liability DPO

• No personal liability of DPO for non-compliance with the GDPR because the protection of personal data remains the responsibility of the data processor or controller (Art. 24(1) GDPR);

• DPO may be liable to employer for breach of employment contract but the scope of damage compensation claims often limited under national labor laws or claims for damage compensation unsuccessful due to lack of assets.

III. International Data Transfer

1. Transborder Data Flow (1): Basics

• Due to the uniform level of protection provided by the national data protection laws, cross border data processing within the European Union is in principle possible without additional requirements or safeguards

• Data transfer to Recipients in Countries outside of the EU

– Two-tier evaluation by the supervising authority

1. Legitimacy under national data protection law

2. Compliance with special requirements regarding the transfer to third countries

– No intragroup exemption for multinational companies!

1. Transborder Data Flow (2): Basics

• Special requirements for data flow outside the EU

a) Secure country with adequate level of data protection

- At present: Andorra, Argentina, Canada (Commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, United States (EU-US Privacy Shield), Uruguay

b) Statutory permission requirements

- e.g. consent of data subject, substantial public interest, etc.

c) Other measures securing adequate level of data protection, e.g.:

- EU Standard Contractual Clauses

- Binding Corporate Rules (BCRs)

1. Transborder Data Flow (3): Basics

• Japan is currently deemed by the EU as a “third country” in terms of data protection, i.e. as not having an adequate level of protection;

• Consequence: further measures to ensure adequate level of data protection are required for transfer of data from the EU member states to Japan, such as e.g.

– Consent of Data Subject

– Use of EU Standard Contractual Clauses

– Implementation of Binding Corporate Rules

• New Japanese Act on the Protection of Personal Information since 30 May 2017;

• The European Commission has launched a dialogue with Japan with the aim of reaching an "adequacy decision" (to be expected at the earliest in Q1 2018).

2. Measures securing an adequate level of data protection (1)

a) Consent

• Consent as legal ground for data transfer faces higher requirements under the GDPR and must be

– voluntary;
– specific;
– informed;
– unambiguous

and based on a statement or a clear affirmative action (no “opt-out” default settings)

• Once granted, the consent can be revoked by the data subject at any time.

• A general „catch-all“ consent will not be sufficient anymore; general prohibition of „bundled“ consents.

2. Measures securing an adequate level of data protection (2)

b) EU Standard Contractual Clauses

• The European Commission with the assistance of the Article 29 Working Party developed standard contractual clauses which were officially certified by a European Commission Decision as proof of adequate data protection.

• The Commission has so far issued two sets of standard contractual clauses under the directive 95/46/EC for transfers from data controllers to data controllers established outside the EU/EEA and one set for the transfer to processors established outside the EU/EEA.

• Current EU Standard Contractual Clauses are grandfathered until revoked or replaced; necessity to amend to be monitored.

2. Measures securing an adequate level of data protection (3)

b) EU Standard Contractual Clauses: Comparison

| Pros | Cons |
|---|---|
| Comparatively easy and fast implementation | No permanent and general application |
| Can be in principle used for every contract regarding data transfer, regardless of recipient outside or within company group | Increased costs to administer and maintain in the long-run |

2. Measures securing an adequate level of data protection (4)

c) Binding Corporate Rules (BCRs)

• Internal rules (such as a Code of Conduct) adopted by multinational group of companies which define its global policy with regard to the international transfer of personal data within the same corporate group.

• Authorization requirement under the EU cooperation procedure

- Companies for which the BCR EU procedure is already closed: Airbus, American Express, AXA, BMW, BP, Intel Corporation, etc.

(http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/bcr_cooperation/index_en.htm /13.09.2017)

2. Measures securing an adequate level of data protection (5)

c) Binding Corporate Rules (BCRs): Approval process

1. Designation of lead authority (i.e. entry point)

2. Draft and submission of BCR to lead authority

3. EU co-operation procedure

4. Closing of co-operation procedure

5. Company’s request for authorization of transfers based on BCR

2. Measures securing an adequate level of data protection (6)

c) Binding Corporate Rules (BCRs): Comparison

| Pros | Cons |
|---|---|
| Flexible Usage for all intra-group transfers of personal data. | Not applicable for transfer of personal data to third party recipients outside the group of companies. |
| Increased Awareness and Accountability within Company Group | Significant time effort for setting up BCRs |
| Effective PR and Demonstration of Compliance with data protection standards within group | Higher Upfront Costs (but less costs to administer) |

IV. Employee Databases and GDPR

1. General

• GDPR does not include any specific regulations concerning employee data protection and EU member states are free to set up specific regulations concerning data protection in an employment relationship.

• As a consequence, in addition to general requirements of the GDPR for data processing, global employee databases including personal data of employees in EU member states need to comply with respective national laws of EU member states.

• Example: In the case of Germany, statutory provisions concerning employee data protection are mainly included in the BDSG (Bundesdatenschutzgesetz = Federal Data Protection Act).

- Germany promulgated on 5 July 2017 the new BDSG (BDSG n.F.) which will become effective on 25 May 2018 (i.e. at the same time as the GDPR).

2. Legal Grounds for Processing of Employee Data

• General Principle: Any processing of personal data of employees requires a valid legal ground

• In context of global employee databases, three-tier assessment required:

1. Valid Ground for Data Processing in Employee – Employer Relationship

2. Valid Ground for Transfer of Employee Data to Group Companies

3. Compliance with Special Requirements for Transfer to Third Countries outside of EU

2. Legal Grounds for Processing of Employee Data

• Legal grounds most relevant in context of employee data:

- Data processing necessary to perform the employment relationship

- Data processing necessary to comply with legal obligations

- Data processing necessary to achieve the “legitimate interests” of the employer

- Data subject has consented

2. Legal Grounds for Processing of Employee Data

• Consent given by employees

- High requirements for valid consent

- Consent can be withdrawn at any time

- Due to superiority-subordination relationship between employer and employee in most cases arguable whether consent was „freely given“

Consequence: Consent can generally not be regarded as a „safe way“ for processing of employee data!

Identification of other legal grounds required!

2. Legal Grounds for Processing of Employee Data

1. To perform employment relationship

- Only applicable in limited cases with close relation to the employment contract

- Example: information of social security number for salary payment

2. To comply with legal obligations

- „Legal obligations“ only refer to EU or Member State law obligations, no foreign law obligations (e.g. J-Sox)

- Example: information of personal data due to tax or insider trading obligations

3. To achieve the “legitimate Interest” of the employer

- Balance between rights of employee and interests of employer

- Employee can object on compelling legitimate grounds

- Example: provision of certain non-sensitive personal data for group internal e-learning program, business travel arrangements

3. Further Review of Employee Databases in Compliance with GDPR

• Ensure Compliance with Employees Rights concerning their personal data, such as:

- Right of Access

- Right of Correction

- Right of Erasure

- Right of Objection

• Ensure Compliance with New Breach Notification Requirement

• Review employee databases with regard to general GDPR principles, such as:

- Transparency

- Proportionality

- Data Minimization

4. Compliance with National Labor Laws

• Monitoring and Identification of Valid Grounds and Limitations for Data Processing on National Level within EU member states required.

• Example Germany:

- A Works Council, if established, has various rights in the context of IT implementation and processing of personal data in employee data bases, e.g.

• Sect. 87 para. 1 Nr. 6 BetrVG: Co-determination right regarding the implementation and use of technical facilities, which are designed to monitor the behavior or performance of the employees

• Sect. 90 BetrVG: Consultation right regarding planning of technical facilities, work procedures and work processes.

- Works Council Agreements can provide for a valid legal ground for employee data processing.

This document is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.

Contact Details

Ulrich Kirchhoff, LL.M.
Rechtsanwalt (Attorney-at-Law)
ARQIS Foreign Law Office
Foreign Law Joint Enterprise with TMI Associates
Roppongi Hills Mori Tower 23F
6-10-1 Roppongi, Minato-ku
Tokyo 106-6123
Japan
T +81 3 6438-2779 (direct)
T +81 3 6438-2770
F +81 3 6438-2777
E [email protected]

Dr. Philipp Maier
Rechtsanwalt (Attorney-at-Law)
Managing Associate
ARQIS Rechtsanwälte
Prinzregentenplatz 7
81675 München
Germany
Tel.: +49 89 309055-6155
Fax: +49 89 [email protected]

ディルマン明子
Dr. Meiko Dillmann
Rechtsanwältin (Attorney-at-Law)
Partner
ARQIS Rechtsanwälte
Prinzregentenplatz 7
81675 München
Germany
Tel.: +49 89 309055-600
Fax: +49 89 [email protected]

Tokyo Contact

Ulrich Kirchhoff, LL.M.
Rechtsanwalt (Attorney-at-Law)
ARQIS Foreign Law Office
Foreign Law Joint Enterprise with TMI Associates
Roppongi Hills Mori Tower 23F
6-10-1 Roppongi, Minato-ku
Tokyo 106-6123
Japan
T +81 3 6438-2779 (direct)
T +81 3 6438-2770
F +81 3 6438-2777
E [email protected]

Dr. Tobias Schiebe, LL.M.
Rechtsanwalt (Attorney-at-Law)
ARQIS Foreign Law Office
Foreign Law Joint Enterprise with TMI Associates
Roppongi Hills Mori Tower 23F
6-10-1 Roppongi, Minato-ku
Tokyo 106-6123
Japan
T +81 3 6438-2784 (direct)
T +81 3 6438-2770
F +81 3 6438-2777
E [email protected]

ARQIS Rechtsanwälte Düsseldorf
Hammer Straße 19
40219 Düsseldorf
Germany
Tel.: +49 211 13069-000
Fax: +49 211 13069-099
E-Mail: [email protected]

ARQIS Rechtsanwälte München
Prinzregentenplatz 7
81675 München
Germany
Tel.: +49 89 309055-600
Fax: +49 89 309055-699
E-Mail: [email protected]

www.arqis.com

ARQIS Foreign Law Office
Foreign Law Joint Enterprise with TMI Associates
Roppongi Hills Mori Tower 23F
6-10-1 Roppongi, Minato-ku
Tokyo 106-6123
Japan
Tel.: +81 3 6438 2770
Fax: +81 3 6438 2777
E-Mail: [email protected]
