GDPR and the Privacy Shield

Similar documents
This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

Developments in Global Data Protection & Transfer: How They Impact Third-Party Contracts

You will see lots of references in the Checklist to the GDPR Pack if you would like to purchase this, go to

GDPR Compliance. Clauses

General Data Protection Regulation BT s amendments to the proposed Regulation on the protection of individuals with regard to the processing of

The Role of the Data Protection Officer

Privacy Policy. Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data

Technical Requirements of the GDPR

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

PS Mailing Services Ltd Data Protection Policy May 2018

Creative Funding Solutions Limited Data Protection Policy

Element Finance Solutions Ltd Data Protection Policy

Islam21c.com Data Protection and Privacy Policy

General Data Protection Regulation (GDPR) Key Facts & FAQ s

Privacy Policy. In this data protection declaration, we use, inter alia, the following terms:

How icims Supports. Your Readiness for the European Union General Data Protection Regulation

BHBIA New Data Protection Rules. Pharma Company Perspective. Guy Murray Director, Market Research & Analytics, GC&BI MR Operations and Compliance, MSD

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

How the GDPR will impact your software delivery processes

GDPR is coming in less than 2 months Are you ready?

Haaga-Helia University of Applied Sciences Privacy Notice for the Laura Recruitment Service

the processing of personal data relating to him or her.

Data subject ( Customer or Data subject ): individual to whom personal data relates.

GDPR: A QUICK OVERVIEW

Haaga-Helia University of Applied Sciences Privacy Notice for Urkund Plagiarism Detection Software

This guide is for informational purposes only. Please do not treat it as a substitute of a professional legal

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679)

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

GDPR Privacy Policy. The data protection policy of AlphaMed Press is based on the terms found in the GDPR.

General Data Protection Regulation (GDPR)

Privacy Policy CARGOWAYS Logistik & Transport GmbH

Five Ways that Privacy Shield is Different from Safe Harbor and Five Simple Steps Companies Can Take to Prepare for Certification

Part B of this Policy sets out the rights that all individuals have in relation to the collection and use of your personal information

ARTICLE 29 DATA PROTECTION WORKING PARTY

CEM Benchmarking Privacy Policy

Data Protection Policy

Requirements for a Managed System

EU General Data Protection Regulation (GDPR) Achieving compliance

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

Sword vs. Shield: Using Forensics Pre-Breach in a GDPR World. September 20, 2017

SCHOOL SUPPLIERS. What schools should be asking!

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

Emsi Privacy Shield Policy

This article will explain how your club can lawfully process personal data and show steps you can take to ensure that your club is GDPR compliant.

Haaga-Helia University of Applied Sciences Privacy Notice for JUSTUS publication data storage service

EU GDPR & ISO Integrated Documentation Toolkit integrated-documentation-toolkit

Wonde may collect personal information directly from You when You:

DISCLOSURE ON THE PROCESSING OF PERSONAL DATA LAST REVISION DATE: 25 MAY 2018

General Data Protection Regulation for ecommerce. Reach Digital - 18 december 2017

In compliance with the requirements of the EU General Data Protection Regulation (GDPR, Articles 13, 14 and 30)

Preparing for the GDPR

GENERAL DATA PROTECTION REGULATION (GDPR)

General Data Protection Regulation (GDPR) The impact of doing business in Asia

Motorola Mobility Binding Corporate Rules (BCRs)

It is the policy of DMNS Networks PTE LTD (the Company ) to protect the privacy of the users of our Website and Services.

Privacy Policy Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH 1. Definitions

A practical guide to using ScheduleOnce in a GDPR compliant manner

Privacy Notice For Ghana International Bank Plc customers

Privacy Shield Policy

EIT Health UK-Ireland Privacy Policy

Contract Services Europe

Data Processing Agreement

PRIVACY POLICY. 1. Introduction

Latest version, please translate and adapt accordingly!

PREPARING FOR THE GDPR AT THE UNIVERSITY OF HELSINKI

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

Getting ready for GDPR. Philipp Hobler EMEA Field CTO Global Technology Office Dell EMC Data Protection Solutions

Contributed by Djingov, Gouginski, Kyutchukov & Velichkov

CommuniGator. Your GDPR. Compliance Checklist

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):

Haaga-Helia University of Applied Sciences Privacy Notice for Student Welfare Services

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

Magento GDPR Frequently Asked Questions

ICT Legal Consulting on GDPR: the possible value of certification in data protection compliance and accountability

Rights of Individuals under the General Data Protection Regulation

Data Protection Policy

EXAM PREPARATION GUIDE

In this data protection declaration, we use, inter alia, the following terms:

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Privacy Policy November 30th, 2017

GDPR compliance: some basics & practical to do list

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

Data Privacy & Protection in the EU-U.S.

WEBSITE PRIVACY POLICY

Q&A for Citco Fund Services clients The General Data Protection Regulation ( GDPR )

Website privacy policy

Privacy policy SIdP website EU 2016/679

Privacy Policy. 1. Definitions

Liechtenstein. General I Data Protection Laws. Contributed by Wanger Advokaturbüro. National Legislation. National Regulatory Authority.

Implementing the new GDPR: what does it mean for Universities?

Beam Suntory Privacy Policy WEBSITE PRIVACY NOTICE

IMPACT OF INTERNATIONAL PRIVACY REGULATIONS. Michelle Caswell, Coalfire Julia Jacobson, K&L Gates

Cybersecurity Considerations for GDPR

POLICY. Art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

When you submit material to the Lest We Forget project you are accepting and consenting to the practices described in this policy.

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679

INNOVENT LEASING LIMITED. Privacy Notice

DATA PROTECTION POLICY THE HOLST GROUP

Transcription:

GDPR and the Privacy Shield Mark Prinsley Partner +44 20 3130 3900 mprinsley@mayerbrown.com Kendall Burman Counsel + 202 263 3210 kburman@mayerbrown.com

Speakers Kendall Burman Counsel Washington DC Mark Prinsley Partner - London

LATEST GUIDANCE ON NEW OBLIGATIONS IN THE GDPR 183

The General Data Protection Regulation Go live in May 2018 Harmonised position across the member states Guidance on interpretation of the regulation emerging from advisory bodies Key areas: additional compliance obligations on data controllers additional rights of data subjects 184

The General Data Protection Regulation Specific topics: Data Protection Officers (DPOs) Data Privacy Impact Assessments (DPIAs) Data Portability Right Consent 185

Do We Need to Appoint a Data Protection Officer? Applies to both controllers and processors Public authorities required to appoint DPOs For private-sector entities, the test is: Does the core activity of the entity involve regular and systematic monitoring of data subjects on a large scale? Does the core activity consist of large-scale processing of sensitive personal data? Article 29 Working Party Guidance on meaning of: core activities large-scale Possibility of voluntarily appointing a DPO 186

Location and Qualifications of the DPO Location: Guidance that the DPO should be located within the EU, even if the controller or processor is located outside the EU Qualifications: No minimum standard of qualifications required related to the nature of the processing operations being carried out, but must have a deep understanding of the regulatory framework (the GDPR) Other duties must not give rise to a conflict of interest 187

The Role of the DPO Involvement in all issues relating to data privacy in the business and monitor compliance with the GDPR Part of privacy by design The opinions of the DPO must be given due weight Involvement in all data breach incidents Responsible for liaising with the Supervisory Authority 188

Data Privacy Impact Assessments Where processing involves high risk to the rights and freedoms of individuals, the data controller should conduct an assessment of the impact of the processing operations on the protection of personal data (Article 35 GDPR) National Supervisory Authorities required to publish lists of types of processing activities that are subject to requirement for DPIA, GDPR targets: systematic and extensive evaluation of personal data large-scale processing of special-category personal data systematic monitoring of a publicly accessible area on a large scale Fines of up to 10 million / 2 percent of revenue for not carrying out a DPIA where appropriate If the DPIA indicates a high risk in the absence of steps to mitigate risks by the data controller, the National Supervisory Authority must be consulted 189

Article 29 Working Party Guidance on High Risk Processing Factors for National Supervisory Authorities to consider: Evaluation or scoring/processing Automated decision-making with legal significant effect Systematic monitoring Data processed on a large scale Data concerning vulnerable data subjects Data transfers out of the EU Use of sensitive data Datasets that are matched Innovative use or applying technological or organisational solutions Processing that prevents individuals from exercising a right or using a service or a contract Rule of thumb if two or more of the above factors are present, a DPIA should be conducted 190

Article 29 Working Party Examples Examples of Processing Possible Relevant Criteria DPIA Required? A hospital processing its patients genetic and health data (hospital information system). The use of a camera system to monitor driving behaviour on highways. The controller envisages to use an intelligent video analysis system to single out cars and automatically recognise licence plates. A company monitoring its employees activities, including the monitoring of the employees work station, Internet activity, etc. The gathering of public social media profile data to be used by private companies generating profiles for contact directories. An online magazine using a mailing list to send a generic daily digest to its subscribers. An e-commerce website displaying adverts for vintage car parts that involve limiting profiling based on past purchasing behaviour on certain parts of its website. - Sensitive data - Data concerning vulnerable data subjects - Systematic monitoring - Innovative use or applying technological or organisational solutions - Systematic monitoring - Data concerning vulnerable data subjects - Evaluation or scoring - Data processed on a large scale - (none) - Evaluation or scoring, but not systematic or extensive Yes Not necessarily 191

Article 29 Working Party Guidance on Generic Steps in a DPIA It should be underlined that the process depicted here is iterative: in practice, it is likely that each of the stages is revisited multiple times before the DPIA can be completed. Monitoring and review Documentation Description of the envisaged processing Assessment of the necessity and proportionality Measures envisaged to demonstrate compliance Measures envisaged to address the risks Assessment of the risks to the rights and freedoms 192

What Should You Do Now? Article 29 Working Party s strong recommendation to start conducting DPIAs prior to May 2018 Consider common processing activities for which one DPIA may be sufficient Producers of new technologies should consider producing generic DPIAs for the technology to provide to users of their technology/products 193

Data Subject s Right to Data Portability The data subject has the right to receive personal data concerning him or her that he or she has provided to the data controller in a structured, commonly used format and shall have the right to transmit the data to another controller where the processing is based on consent or a contract and is automated means (Article 20 GDPR) Article 29 Working Party guidance on: Scope of data provided to the data controller Data provided includes observed data Status of derived data and inferred data Importance of the basis on which the data is being processed (e.g., collection of KYC data) 194

What Should data controllers be Doing about the Data Portability Right? The Disclosing Data Controller Review terms of business to ensure clarity as to the scope of personal data subject to the data portability right Establish technical measures for providing the data in an appropriate form Be clear about the basis upon which personal data will be processed Establish procedures for dealing with requests to port data within one month of the request The Recipient Data Controller Clarity as to whether the data is received as a controller or as a processer Establish appropriate controls on how the data is used take care not to enrich other data without first obtaining consent 195

Consent as a Basis for Processing Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject s wishes by which he or she, by statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her (Article 4 GDPR) New features to consent must be unambiguous requires statement or clear affirmative action 196

What should Data Controllers be Doing Now? Guidance from the UK Information Commissioner s Office: no need to repaper existing consents (provided the existing consent meets the GDPR standards) consents should be unbundled from other terms and conditions relating to the service or offering use active opt ins, not opt outs make the withdrawal of consent process straightforward Balance the benefits of relying on consent as the basis for processing relying on consent means the data subject definitely has rights to erasure and data portability 197

PRIVACY SHIELD 198

What to Expect for Privacy Shield and Model Clauses GDPR, like the EU directive, permits data transfers to countries with adequate protection OR use of approved means: EU Model Clauses Privacy Shield Certification Binding Corporate Rules Derogations Being Privacy Shield certified and entering into EU Model Clauses with the data controller are the two most common mechanisms used to transfer personal data from the EU to the US 199

What are Privacy Shield and Model Clauses? Privacy Shield Self-certification of US companies to the Department of Commerce Must be subject to jurisdiction of FTC or DOT who enforces commitments Privacy Shield Principles: Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse Enforcement and Liability Requires policy and operational changes Model Clauses Different contractual clauses to be used by EU companies for transfers of data to non-eu companies (data controller to data controller/data controller to data processor) Clauses cannot be revised or changed Creates liability giving data subject the direct right of action 200

Privacy Shield Onward Transfer Principle The onward transfer principle addresses how Privacy Shield certified companies must protect personal information that they transfer onto other data controllers or to third-party agents. How does the onward transfer principle function under Privacy Shield? Different requirements for data processors and agents (No recourse mechanism for processors) Transfers must be pursuant to contract and must offer equivalent protections to Privacy Shield 201

Crystal Ball: What Does the Future Hold for Privacy Shield and Model Clauses? Various forms of EU review: Litigation in the EU around Privacy Shield and Model Clauses Annual review of Privacy Shield framework Status of US privacy protections: Acting ombudsperson within State Department Changes in Privacy Act protections for EU citizens Presidential Policy Directive 28 limiting surveillance on non-us persons 202

QUESTIONS? Mark Prinsley Partner +44 20 3130 3900 mprinsley@mayerbrown.com Kendall Burman Counsel + 202 263 3210 kburman@mayerbrown.com 203

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback