1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Data processors under the GDPR

In our monthly GDPR Updates we discuss various key issues of the General Data Protection Regulation, (EU) 2016/679 (the GDPR), which applies from 25 May 2018. With the introduction of the GDPR, the existing Directive 95/46/EC and its implementation in the local laws of the various EU Member States will be repealed. The GDPR will bring significant and substantial changes with respect to the processing of personal data. It introduces several new concepts, such as Privacy by Design, Privacy by Default and Data Portability. As the GDPR contains several onerous obligations that require significant preparation time, organisations are recommended to timely commence the implementation process.

We notice that personal data protection is becoming more and more topical within organisations, and that the first steps towards compliance with the GDPR are undertaken. Our GDPR Updates illustrate the relevant changes resulting from the GDPR and provide readers with practical recommendations on the implementation of the GDPR within their organisations.

In the August edition of our GDPR Updates we address the position of the data processor. Under the GDPR the data processor is given certain specific responsibilities, meaning that it will no longer be only the data controller who is responsible for compliance with the privacy regulations. From 25 May 2018 also the data processor can be held liable for not complying with the GDPR requirements and additional legislation relating thereto.

If the data processor falls within the territorial scope of the GDPR (data processors will be confronted with an expansion of the territorial scope of the European privacy regulations), the data processor could face the following obligations:

  • the obligation to designate a representative in the EU if the data processor is not established in the EU but its processing is related to (i) offering of goods and/or services to data subjects in the EU; or  (ii) monitoring of data subjects in the EU;
  • complying with the mandatory requirements with regard to the content of the processing agreement as set out in Article 28 GDPR;
  • the obligation to maintain a written record of processing activities. Note that this obligation is not applicable to organisations employing fewer than 250 employees, unless (i) the processing is likely to result in a risk to the rights and freedoms of data subjects, (ii) the processing is not occasional, or (iii) the processing includes special categories of data. Data processors that provide services whereby the processing of personal data is standard practice are not likely to fall within the scope of the exceptions and will therefore be obliged to maintain a written record of processing activities (e.g. SaaS, hosting and other cloud service providers);
  • the obligation to designate a data protection officer if (i) the data processor is a public authority or body; (ii) its core activities consist of processing on a large scale of special categories of personal data or data relating to criminal convictions; or (iii) its core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; and
  • the obligation to notify the data controller (without undue delay) after becoming aware of a breach of the processed personal data and assist the data controller in ensuring compliance with its subsequent obligations towards the competent supervisory authorities and (where necessary) the data subjects.

Instead of only being contractually liable on the basis of a processing agreement with a data controller, under the GDPR data processors will also be subject to administrative liability in case of non-compliance. Administrative fines can increase up to EUR 20 million or (if higher) 4% of the total worldwide annual turnover of the organisation concerned. In addition to administrative liability and contractual liability towards the data controller, a data processor can be held liable towards data subjects who have suffered damages as a result of a breach of the GDPR by the data processor.

Organisations are recommended to carefully examine their positions within the various data processing activities and to make a very clear assessment on the associated responsibilities and obligations. A careful inventory should be made of the parties involved in the various personal data processing activities within an organisation and their roles (data controller/co or joint data controller/data processor/sub-processor, et cetera). This is particularly relevant as the division of roles directly influences the responsibilities a party has in the personal data processing activity, as well as the corresponding liability.

Please click here to read the entire August GDPR Update.

, , ,

Data processors under the GDPR

Germany to audit 500 companies on data transfers

Germany to audit 500 companies

The German data protection authorities have announced today that they have chosen 500 companies throughout Germany to audit their transfer of personal data to the US and other countries (eg. India).  The targets were chosen by random and cover small, medium-size and also large companies known to transfer data of their customers or employees from Germany to the US. Cloud computing and office software applications are in their focus. The different approach towards data privacy in the US – especially made apparent by Snowden –  has made many EU authorities criticize the US use of personal data as not being adequate to the data protection level of the EU.

Context

The Safe Harbor self-certification option for commercial entities in the US, a commonly used tool agreed between the EU Commission and the US Department of Commerce to safeguard an EU data protection level at US companies, was declared void by the CJEU in its Schrems decision. The new regime known as the “EU US Privacy Shield” went live is August. Also, companies have the option to agree bilateral EU Standard Contractual Clauses or to establish binding corporate rules.

Beware Cloud and SaaS

Now, the German authorities want to audit German companies and German branches of companies from abroad to check if and how they are complying. Especially it is expected that they want to investigate if there are transfer regimes in place and if the old Safe Harbor approach is still in use. Use of the cloud and SaaS vendors will be a focus.

Once more this is a warning sign that authorities of EU Member States are using their administrative authorities to enforce EU data protection law especially of consumers but also employees. Germany is being particularly active.

What happens next?

The German data protection authorities will approach companies by sending a letter requesting information on their practice of data transfer to the US. Depending on the response, the German authorities make more requests or site inspections may follow. The authorities will also likely direct the companies’ in-house Data Protection Officers to assist them with their requests.

If companies have received such requests they should carefully draft their response. As these requests usually provide for sufficient time to react, there may still be time to establish safeguards like EU Standard Contractual Clauses.  But planning now is key.

Prepared by Christian Schefold, Christoph Zieger and Ariane Loof of Dentons Germany

Germany to audit 500 companies on data transfers

US Officially Blames Russia For DNC Hack

The United States (US) Department of Homeland Security (DHS) and Office of the Director of National Intelligence (ODNI) issued a joint statement on Friday, October 7, 2016, publicly stating for the first time that the US Intelligence Community is “confident” that the “Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations.”

DNC Attack Background

Last April, after the DNC discovered malware on its computer systems, it hired third party cybersecurity firm CrowdStrike to investigate the breach.  After completing its investigation, CrowdStrike issued a report in June 2016 linking the attacks to two groups associated with Russia:

  • “Cozy Bear,” a group suspected of previously attacking networks at the White House, State Department and Joint Chiefs of Staff; and
  • “Fancy Bear,” a group suspected to have targeted public and private entities for decades.

CrowdStrike linked the attacks of Cozy Bear and Fancy Bear to Russia because their programming code sometimes matched the code used in earlier hacks by Russia, and their behavior matched that of Russia’s in its historic efforts to increase Russian sphere of influence in Eastern Europe.  Thousands of stolen e-mails from the DNC were subsequently published on a source called DC Leaks, which ThreatConnect, a separate cybersecurity firm, has linked to Fancy Bear.

A day after the report, someone calling themselves Guccifer 2.0 claimed responsibility for the hack in a blog post.

Joint Statement Blames Russia For DNC Hack

In Friday’s joint statement, the DHS and ODNI stated for the first time that the “recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guiccer 2.0 online persona are consistent with the methods and motivations of Russia-directed efforts.”  The agencies found that the “thefts and disclosures are intended to interfere with the US election process[,]” which is activity that is not “new to Moscow – the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there.”  Based on the “scope and sensitivity” of such efforts, the agencies concluded that only “Russia’s senior-most officials could have authorized these activities.”

No Conclusion On Voting Machine Hacks

The joint statement stopped short of attributing the recent state election data system breaches to Russia.  These breaches, which have seen at least Illinois and Arizona experience scanning and probing of their election systems, have been tied back to servers operated by a Russian company.  The FBI is currently investigating this claim, but the DHS and ODNI said the US Intelligence Community is not “now in a position to attribute this activity to the Russian Government.”

The joint statement came on the same day as a ceasefire in Syria fell apart and the US accused Russia of war crimes in Aleppo.   A copy of the joint report can be found here.

US Officially Blames Russia For DNC Hack

Privacy Shield gets approval: certainty at last?

The European Commission yesterday issued an adequacy decision adopting the EU-US Privacy Shield, which replaces Safe Harbor as a framework for protecting European data transferred to the United States. Adoption had been expected since the European Commission announced on Friday that Member States had given their “strong support” to the new framework (although we note that Austria, Bulgaria, Croatia and Slovenia abstained from voting).

Are there any final changes?

There have been some tweaks to the Privacy Shield regime since the draft adequacy decision was issued in February. These include:

  • additional clarifications on the bulk collection of data. In particular, the Office of the Director of National Intelligence has clarified that the bulk collection of EU data can only be used under specific preconditions and must be “as targeted and focused” as possible;
  • introducing more explicit obligations on companies as regards limits on retention and collection of data. Specifically, companies now have to delete data that no longer serves the purpose for which it was collected; and
  • strengthening the Ombudsperson mechanism. In its press release, the Commission makes clear that the Ombudsperson is independent from the US intelligence services.

What were the criticisms?

The changes are intended to address a critique of Privacy Shield issued in April by European data protection regulators (aka the Article 29 Working Party), which concluded that Privacy  Shield – while a huge improvement on Safe Harbor – still did not meet EU privacy standards. This was largely because:

  • massive and indiscriminate data collection by American authorities was still not fully excluded;
  • the Privacy Shield lacked an explicit data retention principle; and
  • the powers and independent position of the Ombudsperson (who deals with national security-related complaints) were not made clear.

What does the future look like for Privacy Shield?

The Commission’s tweaks will address the A29WP’s concerns to some degree, but that mightn’t be enough to keep the privacy wolves at bay.

Privacy Shield may well be subject to a future challenge on the basis of “equivalence” with EU law, and it will almost certainly undergo further A29WP review. Potential issues remain, such as the fact that Privacy Shield (like Safe Harbor) is largely self-certified. Indeed, one of the main privacy advocates in the European Parliament (MEP Jan Philipp Albrecht) commented that the European Commission has “just signed a blank cheque for the transfer of personal data of EU citizens to the US, without delivering equivalent data protection rights”.  Max Schrems has said he will challenge it.

In the medium term, inconsistencies between Privacy Shield and the upcoming GDPR requirements could also limit Privacy Shield’s shelf life. Therefore, the climate seems ripe for challenge. Max Schrems has also sought to challenge model clauses in an application by the Irish DPA to the Irish High Court.

Privacy observers will also be keeping an eye on how Brexit plays out: will the UK find itself negotiating its own form of Privacy Shield to ensure EU adequacy?

Even so, Privacy Shield will be a valid solution for transfers to the US.  American companies may begin to self-certify with the US Commerce Department from 1 August, and we expect to see many large US vendors taking up this option. Microsoft has concluded on its official blog that the Privacy Shield “meets each of [the] requirements…of… European data protection law”.

Privacy Shield gets approval: certainty at last?

What does BREXIT mean for data protection?

On 23 June 2016, the UK is holding a referendum as to whether to stay in the European Union or leave it. But what does a BREXIT (a British Exit from the EU) mean for data protection?

Most of the UK law on data protection comes from the EU. The UK Data Protection Act 1998 and the Privacy and Electronic Communications Regulations both implement overarching EU law. So you might think this is like “unplugging” the source of data privacy law and therefore switching it off? But UK data protection law, in fact, pre-dates the European data protection directives. In fact, the UK was a signatory to the 1981 Convention (the forerunner of modern data protection law). Enough history!

What could happen in theory?

The UK parliament could reduce (or repeal) the Data Protection Act. The Courts could decide to no longer follow EU case law. Most importantly, the UK could choose not to implement the General Data Protection Regulation (GDPR). This, as we all know, is a wholesale upgrade to EU data protection law. GDPR includes new penalties of up to 4% of worldwide turnover, new legal duties to notify of data breaches and requirements to implement an accountability framework of policies and procedures.

What will happen in practice?

The UK could leave the EU and join the European Economic Area. In this case, it would be legally obliged to maintain data protection law on an equivalent footing to the EU. So all the current law would stay. GDPR would also be a requirement.

Theoretically, the UK could go out on its own. However this would make it a non-adequate jurisdiction for international data transfers. This means it cannot receive personal data freely from the EU. It could ask the EU for an “adequacy decision” but its anyone’s guess as to how long that would take. It could be a difficult negotiation (…think about the recent story of Snowden, Schrems and the proposed Privacy Shield, which is still being worked on).

No doubt there would be huge pressure on the UK to fall into line (dare I say it) with EU-style data protection law anyway. Otherwise, this could be a significant drag on international trade.

Finally, there is the practical argument that we actually need data protection law to underpin consumer trust in the digital economy. So let’s not trash it.

For what it’s worth, the ICO say that the UK needs clear and effective data protection law regardless of whether it remains in the EU. They don’t expect to be packing their bags.

Whatever the uncertainty on a possible UK exit, the issue will, at least, be resolved in a little over 7 days.

What does BREXIT mean for data protection?