Law made Easy

[Disclaimer: This note is for general information only. It is NOT to be substituted for legal advice or taken as legal advice. The publishers of the blog shall not be liable for any act or omission based on this note]

Note: This article discusses the domestic laws in EU countries which implement GDPR, and the various guidelines released by data protection authorities to align the respective country’s legal regime with GDPR.


INTRODUCTION



Due to violations of privacy attributable to the misuse of data by large and even some well-known organisations, a Data Protection Law/Data Privacy Law has become imperative. This need has been felt across the globe. Concerns over loss of privacy and misuse of data led to the enactment of the General Data Protection Regulation (“GDPR”), which came into force on May 25, 2018, as plausibly one of the toughest laws governing online privacy. GDPR is considered to be a milestone and an essential step in strengthening an individual’s rights in the digital age. It is designed to protect the personal information of individuals and to restrict the use of consumers’ personal data by organisations. The Regulation reflects a paradigm shift in the understanding of personal data and of the collection of data by controllers.

GDPR provides a number of ways to protect data, such as rectification and deletion, in case the data subject[1] fears misuse of its data. It has direct effect across all EU Member States and covers all EU “established” entities and certain non-EU “established” entities. Under the former, if an entity operates in the EU through one of its establishments and processes the information of EU data subjects, it is covered by the GDPR irrespective of whether the processing occurs in the EU or not. To date, around 28 countries have passed national legislation in line with GDPR.


PRINCIPLES


GDPR provides strict data protection principles that must be complied with by the Data Controller and Processor[2] when dealing with personal data. The Controller[3] must make sure that the personal data is:

  • used fairly, lawfully and transparently;
  • used for specified, explicit purposes;
  • used in a way that is adequate, relevant and limited to only what is necessary;
  • accurate and, where necessary, kept up to date;
  • kept for no longer than is necessary; and
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.

DATA PROTECTION LEGISLATION IN EU MEMBER STATES


AUSTRIA
Legislation: Federal Act concerning the Protection of Personal Data (DSG)
Supervisory Authority: Austrian Data Protection Authority

CZECH REPUBLIC
Legislation: Act No. 110/2019 Coll. on the Processing of Personal Data
Supervisory Authority: Office for Personal Data Protection (UOOU)

LUXEMBOURG
Legislation: Act of 1st August on the Organization of the National Data Protection Commission and General Data Protection Framework
Supervisory Authority: National Data Protection Commission

BELGIUM
Legislation: Law of 30 July 2018 on the Protection of Natural Persons regarding the Processing of Personal Data
Supervisory Authority: Data Protection Authority (Gegevensbeschermingsautoriteit)

CROATIA
Legislation: Law on Implementation of the General Data Protection Regulation
Supervisory Authority: Croatian Data Protection Personal Agency

FRANCE
Legislation: Law n°2018-493 of June 20, 2018
Supervisory Authority: CNIL (Commission nationale de l’informatique et des libertés)

GERMANY
Legislation: Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG)
Supervisory Authority: The Federal Commissioner for Data Protection and Freedom of Information

IRELAND
Legislation: Data Protection Act 2018
Supervisory Authority: The Data Protection Commission

DENMARK
Legislation: Danish Data Protection Act
Supervisory Authority: The Danish Data Protection Agency (Datatilsynet)

FINLAND
Legislation: Data Protection Act (HE 9/2018 vp)
Supervisory Authority: Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)

ITALY
Legislation: Legislative Decree No. 101/2018
Supervisory Authority: Italian Data Protection Authority (Garante per la protezione dei dati personali)

NETHERLANDS
Legislation: Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming)
Supervisory Authority: Dutch Data Protection Authority (Autoriteit Persoonsgegevens)

POLAND
Legislation: Personal Data Protection Act
Supervisory Authority: President of the Office for Personal Data Protection

SLOVAKIA
Legislation: Protection of Personal Data (Act No. 18 of 2018)
Supervisory Authority: Office of Personal Data Protection

SPAIN
Legislation: Organic Law 3/2018 of December 5
Supervisory Authority: Spanish Data Protection Agency (Agencia Española de Protección de Datos)

SWEDEN
Legislation: Data Protection Act (2018:218)
Supervisory Authority: Swedish Data Protection Authority

SWITZERLAND
Legislation: Swiss Federal Data Protection Act
Supervisory Authority: Federal Data Protection and Information Commission

UNITED KINGDOM
Legislation: Data Protection Act 2018
Supervisory Authority: Information Commissioner’s Office

ROMANIA
Legislation: Law no. 190/2018
Supervisory Authority: National Supervisory Authority for Personal Data Processing

PORTUGAL
Legislation: Law no. 58/2019, of 8 August
Supervisory Authority: National Data Protection Authority (CNPD)

UNITED KINGDOM (“UK”)

The Data Protection Act 2018 is the UK implementation of the GDPR and came into effect on May 25, 2018. The Act makes the data protection laws fit for the digital age, in which an ever-increasing amount of data is being processed. It also empowers people to take control of their data and supports businesses and organisations in the United Kingdom through the change.

The Information Commissioner’s Office (“ICO”) is the body responsible for implementing the Data Protection Act and for providing further guidance to create awareness of the rights, roles and responsibilities under the Act. Some of the important guidance documents released by the ICO are discussed below:

  1. Guidance on Contracts: The guidance discusses contracts and liabilities between controllers and processors. It sets out the provisions that can be included in a contract between a controller and a processor, and helps processors understand their new responsibilities and liabilities under the GDPR.
  2. Guidance on Controllers and Processors: The guide provides a ready-reckoner checklist that helps controllers, processors and joint controllers identify their roles. It also outlines some of the responsibilities of a controller when using a processor. In addition to its contractual obligations to the controller, a processor has direct responsibilities under the GDPR and is liable if it fails to meet any of the obligations set out in the contract.
  3. Encryption: The ICO has updated its GDPR guidance to advise on the compliant use of encryption to protect personal data. The guidance explains the importance of encryption as an appropriate technical measure for protecting the personal data an organisation holds, whether as a controller or a processor. The following need to be considered when implementing encryption:
  • choosing the right algorithm;
  • the right key size;
  • the right software; and
  • keeping the key secure.
  4. Passwords: The ICO has updated its guidance on the use of passwords to protect data. The guidance covers the use of passwords and the level of security required when choosing one. It recommends using a suitable hashing algorithm or another mechanism offering similar protection.
  5. Exemptions: The GDPR and the Data Protection Act 2018 (“DPA”) set out exemptions from some of the rights and obligations. Reliance on an exemption is assessed case by case; it cannot be applied routinely. The exemptions in the DPA relieve an organisation of some of its obligations under the Act, such as:
  • the right to be informed;
  • the right of access;
  • dealing with other individual rights;
  • reporting personal data breaches; and
  • complying with the principles.
  6. International transfers: The guidance clarifies
  • when a transfer of personal data is considered a ‘restricted transfer’; and
  • which mechanisms can be used in that case to transfer personal data.
  7. Personal Data Breaches: The guidance outlines the breach notification requirements under the GDPR, including what information needs to be included in a notification and when organisations are required to notify supervisory authorities and the individuals affected.

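What the password guidance means by a “suitable hashing algorithm” is easiest to see next to the pattern it warns away from; the following Python is an added example (not code from the ICO or from the original note), and the scrypt cost parameters are this example’s own assumptions rather than figures from the guidance:

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# scrypt cost parameters (assumed for this example; tune for your hardware).
# 128 * r * n bytes of memory per derivation: 16 MiB with these values.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def weak_hash(password: str) -> str:
    """The pattern the guidance warns away from: a fast, unsalted digest.
    Every user with the same password gets the same value, and an offline
    guess runs at raw SHA-256 speed."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a password with a per-user random salt and a deliberately slow,
    memory-hard derivation (scrypt). The record carries its own parameters so
    they can be raised later without invalidating older entries."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                      salt.hex(), key.hex())


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the parameters stored in the record and compare in
    constant time. Any malformed record verifies as False rather than raising."""
    try:
        scheme, n, r, p, salt_hex, key_hex = record.split("$")
        if scheme != "scrypt":
            return False
        candidate = hashlib.scrypt(password.encode("utf-8"),
                                   salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p),
                                   dklen=len(key_hex) // 2)
    except ValueError:
        return False
    return hmac.compare_digest(candidate.hex(), key_hex)


def same_password_same_hash(password: str) -> Tuple[bool, bool]:
    """Shows the practical difference: the weak scheme produces identical
    values for identical passwords, the salted scheme does not."""
    weak_collides = weak_hash(password) == weak_hash(password)
    salted_collides = hash_password(password) == hash_password(password)
    return weak_collides, salted_collides


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(same_password_same_hash("hunter2"))  # (True, False)
```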
BELGIUM

On September 5, 2018, the Law of 30 July 2018 on the Protection of Natural Persons regarding the Processing of Personal Data (the “Act”) entered into force and repealed the Law of 8 December 1992 on privacy protection, which had regulated the processing of personal data in Belgium. The Act applies to the processing of personal data in connection with the activities of an establishment of a controller or processor on Belgian territory, whether or not the processing itself takes place on Belgian territory. The Act significantly broadens the scope for data processing related to criminal offences and convictions. It provides that associations and foundations for which the processing of sensitive data is necessary to achieve their statutory objectives may rely on an exception for the processing of such data.

The Data Protection Authority (Gegevensbeschermingsautoriteit) is the supervisory authority that monitors the protection of privacy and the use of personal data in the country.

CROATIA

The Law on Implementation of the General Data Protection Regulation (the ‘Act’) provides for the implementation of GDPR on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The Act does not apply to the processing of personal data carried out by the competent authorities for preventing, investigating, detecting or prosecuting criminal offences or executing criminal penalties, including protection against threats to public safety and their prevention, or in the area of national security and defence.

As per the Act, the processing of employees’ biometric data is permitted for recording working hours and controlling access to premises where the employees have provided their consent. The Act also restricts processing of personal data of employees through a video surveillance system and provides that it may only be carried out if the conditions laid down by the regulations governing occupational safety are met, and if the employees have been adequately informed in advance of such measure.

The Croatian Data Protection Personal Agency is responsible for carrying out the administrative and professional tasks related to personal data protection.

DENMARK

The Danish Data Protection Act has been passed by the Danish parliament. The Act supplements and implements GDPR on the protection of individuals with respect to the processing of personal data and on the free exchange of such data. The Act and GDPR apply to all processing of personal data carried out wholly or partly by automatic means, and to other non-automated processing of personal data which is or will be contained in a register. According to the Act, the processing of personal data is permitted in the employment context if the data subject has consented or the processing is necessary for certain purposes.

The Danish Data Protection Agency (Datatilsynet) exercises surveillance over the processing of data to which the Act applies. The Agency primarily deals in specific cases on the basis of inquiries from public authorities or private individuals or cases taken up by the agency on its own initiative.

FRANCE

Law n°2018-493 of June 20, 2018 on the protection of personal data was promulgated on June 20, 2018 and was published in the Official Journal on June 21, 2018.

The purpose of the Law was to adapt Law n° 78-17 of January 6, 1978 on information technology, data files and liberties (the ‘French Data Protection Act’) following the GDPR, which entered into force on May 25, 2018, and Directive 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, which had to be transposed into domestic law.

The CNIL is the authority responsible for informing individuals of the rights accorded to them by the French Data Protection Act. Some of the guidance documents issued by the CNIL under the Data Protection Act are discussed below:

  1. CNIL Guidance on Collection and Transmission of Data to Data Brokers: Many companies that collect data directly from individuals, whether through online or paper forms, pass this information on to “commercial partners” or, more generally, to other organisations so that those organisations can send out marketing messages by SMS or email. To be valid, and to let people keep control over their personal data, this transmission must comply with a series of conditions, including those imposed by the RGPD (the GDPR).
  2. Standards for DPO certification: In order to identify the skills and know-how of the Data Protection Officer (DPO), the CNIL has adopted two standards for DPO certification:
  • a certification reference system that sets the conditions for the admissibility of applications and the list of 17 skills and know-how expected of a certified DPO;
  • an accreditation framework that sets out the criteria applicable to organisations wishing to be authorised by the CNIL to certify a DPO’s competencies on the basis of the certification framework developed by the CNIL.
  3. Deliberation n° 2018-326 of 11 October 2018: The CNIL adopted guidelines on the data protection impact assessments (DPIAs) provided for in the GDPR.
  • The guidelines describe the three examples of processing operations requiring a DPIA given in Article 35(3) of the GDPR. They also list the nine criteria identified by the Article 29 Working Party as useful in determining whether a processing operation requires a DPIA when it does not correspond to one of those three examples;
  • The guidelines provide that a DPIA must be conducted before a processing operation presenting a high risk to the rights and freedoms of the natural persons concerned is implemented; it must be reviewed regularly, and in any case every three years, to ensure that the level of risk remains acceptable;
  • The guidelines specify that controllers may rely on the CNIL’s sector standards: compliance with a standard allows the controller to consider that there is no high residual risk for as long as the processing remains within that standard. Where the processing departs from the standard, the controller concerned must at least reassess the level of residual risk, which may trigger the mandatory prior consultation of the CNIL.

FINLAND

On 13 November 2018 the Finnish Parliament approved the Data Protection Act (HE 9/2018 vp) (the ‘Act’). The Act supplements GDPR and repeals the old Finnish Personal Data Act (Henkilötietolaki 523/1999).

The Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) remains the national data protection authority under the GDPR, supervising data protection in Finland. In e-privacy matters, however, the Finnish Communications Regulatory Authority continues to act as the supervisory authority. The new legislation also introduces an internal advisory board in the Data Protection Ombudsman’s office. The board is empowered to issue advisory statements on data protection legislation at the Data Protection Ombudsman’s request.

GERMANY

The Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) entered into force on May 25, 2018. The Act applies to the processing of personal data wholly or partly by automated means, and to the processing of personal data other than by automated means where the data form part of a filing system or are intended to form part of one, unless such processing is carried out by natural persons in the course of a purely personal or domestic activity.

The Federal Commissioner for Data Protection and Freedom of Information is the authority responsible for supervising data protection activities. Some of the guidance documents released by the Authority are discussed below:

  • Guidance on the privacy requirements for app developers and app providers: The guidance is aimed at developers and providers of mobile applications (apps). It sets out the data protection and technical requirements and makes them understandable through illustrative examples.
  • Cryptographic methods: Based on the realisation that absolute data security cannot be achieved in practice, the principles of “adequacy” and “necessity” have been enshrined in data protection laws. This means that appropriate security measures must be taken depending on the need for protection of the personal data concerned. The guidance on the use of cryptographic procedures was developed by a Working Group on Technical and Organisational Data Protection Issues of the Conference of Federal Data Protection Officers.

IRELAND

Data Protection Act 2018 was signed into law on 24 May 2018, to coincide with the GDPR. The Act implements derogations permitted under the GDPR and represents a major overhaul of the regulatory and enforcement framework.

The Data Protection Commission is the national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. The DPC is the Irish supervisory authority for the GDPR, and has functions and powers under other important regulatory frameworks, including the Irish ePrivacy Regulations (2011) and the EU Directive. The Commission recently published guidance on the responsibilities organisations must carry out under GDPR.

  1. Responsibilities of Organisations under the General Data Protection Regulation: The Authority provides information about organisational obligations under data protection legislation and the General Data Protection Regulation, including transparency towards service users and how to respond to an individual who is exercising their data protection rights. More detailed information is provided regarding:
  • your obligations under data protection law;
  • how to respond to an individual exercising their rights;
  • how to notify the Data Protection Commission where your organisation or business has suffered a personal data breach.

ITALY

Italy adopted Legislative Decree No. 101/2018 which came into effect on September 4, 2018, concerning the provisions for the adaptation of the national legislation to the GDPR on the protection of individuals regarding the processing of personal data and rules to the free movement of such data.

The Decree sets the age threshold for consent in relation to the offer of information society services at 14 years. For children under that age, the processing of their data still requires parental consent. The Decree provides the specific conditions for the lawful processing of genetic data, biometric data and data concerning health; the Italian Supervisory Authority is tasked with adopting those conditions and reviewing them at least every two years. Under the Decree, existing practices in relation to the data subject rights of deceased persons remain essentially unchanged: these rights can be exercised by those who have a proper interest, or who act to protect the data subject or relevant family interests.

The Italian Data Protection Authority (Garante per la protezione dei dati personali) is an independent administrative authority established by Privacy Law. It is the supervisory authority responsible for monitoring application of the General Data Protection Regulation and the national legislation.

CODE OF CONDUCT:

Code of Ethics and Conduct in Processing Personal Data for Business Information Purposes: This code of conduct sets out the safeguards and arrangements that must be in place to process personal data for business information purposes while protecting data subjects’ rights. It aims to ensure, on the one hand, certainty and transparency in business relations along with adequate knowledge and circulation of business and economic information and, on the other hand, the quality, relevance, accuracy and currency of the personal data processed.

NETHERLANDS

The Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming) (“UAVG”) applies in the Netherlands from 25 May 2018.

Dutch Data Protection Authority [Autoriteit Persoonsgegevens (‘AP’)] is the independent administrative body that has been appointed by law as the supervisory authority for regulating the processing activities of personal data. Some of the publications of AP are discussed below:

  1. AP’s Recommendations for the Register of Processing: On 28 November 2018, the Netherlands Authority for the Protection of Personal Data (AP) provided 5 concrete recommendations that organisations should consider when maintaining their registers of processing.
  • Organisations must state the duration and the purpose of processing personal data. Under European privacy legislation, personal data may not be stored longer than necessary for the purpose for which they were collected. Organisations must also be able to state explicitly why they collect this data.
  • The contact details of the controller must be included in the register.
  • Organisations should keep a well-organised file of all processing activities carried out in relation to personal data, so that users can easily navigate it.
  • The location where personal data is stored must be stated clearly in the register. This information is relevant when people submit a request for access or deletion.
  • Organisations must specify the goal of each processing activity. A mere enumeration of processing activities by department, combined with a summary of the various purposes of the processing, is not sufficient.
  2. Policy rules on the prioritisation of complaint investigations: The Dutch Data Protection Authority published policy rules on the prioritisation of complaint investigations. Under the GDPR, every data subject has the right to lodge a complaint with the Dutch Data Protection Authority if they consider that the processing of their data violates their rights under the GDPR. It also follows from the GDPR that the Dutch Data Protection Authority must in principle investigate and respond to each complaint. The Authority is, however, free to decide how intensively a complaint is investigated.

POLAND

The Personal Data Protection Act entered into force on 25 May 2018 to help the implementation of the GDPR in Poland.

The President of the Office for Personal Data Protection is a competent authority for the protection of personal data on the territory of Poland, created by the Act of 10 May 2018 on the protection of personal data. Some of the guidelines adopted or released by the Authority are discussed below:

  1. Guideline 1/2018 regarding certification and the determination of certification criteria in accordance with Articles 42 and 43: The EU guidelines on certification have been adopted by Poland. The Guidelines explore the rationale for certification as an accountability tool; they also explain the key concepts of the certification provisions in Articles 42 and 43, the scope of what can be certified, and the purpose of certification.
  2. Protection of personal data at the workplace: The Guide indicates how to process personal data both during recruitment and throughout the period of employment. It is not limited to employment based on an employment relationship; it also covers other, increasingly popular forms of employment, such as civil law contracts.
  3. Tips for data controllers – how to apply the GDPR: The Personal Data Protection Office prepared 10 tips to help data controllers apply the GDPR rules on a daily basis, such as:
  • Establish the proper basis for collecting and using personal data;
  • Comply with the information obligation in accordance with the new rules;
  • Communicate in a transparent way;
  • Always respect the rights of people;
  • Remember that consent can be withdrawn at any time;
  • Data breaches should be reported to the President of the Personal Data Protection Office and when necessary, to the persons whose data have been violated;
  • Do not create unnecessary documentation;
  • You have the right to profile, but remember about limitations;
  • Invest in a professional DPO;
  • Watch out for cheaters.

SLOVAKIA

The Protection of Personal Data (Act No. 18 of 2018) regulates the protection of the rights of natural persons against wrongful interference with their private data. The Act regulates the rights, duties and liabilities in connection with personal data processing and establishment, scope of powers and organization of the Office for Personal Data Protection of the Slovak Republic.

Office of Personal Data Protection is the supervisory authority responsible for the implementation of the Act. Some of the guidelines released by the authority are discussed below:

  1. Methodological Guideline no. 2/2018: The Office for Personal Data Protection of the Slovak Republic issued a guideline on the lawfulness of processing. The principle of lawfulness also expresses the requirement for fair and lawful processing: processing must comply with Union law, the law of the Member State and good morals, so as not to violate the fundamental rights and freedoms of the persons concerned.
  2. Methodological Guideline no. 3/2018: The Office for Personal Data Protection of the Slovak Republic issued a guideline on the obligations of an e-shop operator from the point of view of personal data protection. The obligations are as follows:
    • to process a customer’s personal data lawfully, the operator must have an appropriate legal basis;
    • customers have the right to be informed about the terms of processing, how requests to exercise data subject rights are handled, etc.;
    • the data obtained should be processed by the operator only for a specific, expressly stated and legitimate purpose, and may not be processed in a manner incompatible with that purpose;
    • the operator should process only the personal data necessary to achieve the specific purpose of processing;
    • the operator must process accurate and up-to-date personal data;
    • the operator must keep personal data only for the time necessary to achieve the purpose of processing;
    • the operator must guarantee adequate security of the processed personal data; and
    • the operator must be able to demonstrate compliance with the preceding principles of processing.

SPAIN

The Organic Law 3/2018 of December 5 guarantees the digital rights of citizens and employees, beyond the GDPR. The law includes some specifications about data subjects’ rights. The new rule recognises a set of “digital rights” (or rights in the context of the Internet) to every individual, starting with the net neutrality right (or the right to be granted with Internet access without being discriminated for technical and/or economic reasons) and ending with the right to a digital testament.

The Spanish Data Protection Agency (Agencia Española de Protección de Datos) (AEPD) is the public law authority overseeing compliance with the legal provisions on the protection of personal data, and is fully independent of the Public Administration. The guides released or adopted by the Agency are discussed below:

  1. Practical Guide of risk analysis for the processing of personal data: The guide is aimed at controllers and processors of personal data who may be affected by data security breaches. It sets out the AEPD’s interpretation of the RGPD regarding the obligation to notify the competent authority through the appropriate channel. It aims to cover the whole range of Spanish businesses, small, medium or large companies of all kinds, companies with large-scale processing and companies with limited processing, and likewise to help the controllers and processors of the Public Administrations involved in managing security breaches.
  2. Guide for the Person responsible for the processing of personal data: The guide presents systematically the main issues that organisations should consider when applying the RGPD. It is designed to help controllers and processors adapt to the new obligations during the transition period. A ready-reckoner checklist is included, which organisations can use to determine whether they have taken the steps necessary to apply the RGPD correctly.
  3. Guide for the management and notification of security breaches: The guide aims to be useful for anyone who wants or needs to familiarise themselves with the management and notification of security breaches. It is designed for the different controllers processing personal data who could be affected by data security breaches, with the aim of helping them understand the GDPR requirement to notify the competent authority and, when relevant, the data subjects, so that the competent authority is notified through the correct channel, with useful and accurate information for statistical and monitoring purposes, and the new GDPR demands are met.

SWEDEN

The Data Protection Act (2018:218) entered into force on May 25, 2018. It provides for the processing of social security numbers and of data pertaining to criminal offences. The Act applies to the processing of personal data carried out within the framework of activities conducted at the premises of a controller or processor in Sweden. It also applies to the processing of personal data carried out by controllers who are not established in Sweden but in a place where Swedish law applies according to international law.

The Swedish government has designated the Swedish Data Protection Authority to be the supervisory authority under the GDPR.

SWITZERLAND

The Swiss Federal Data Protection Act (‘Act’) and the Data Protection Ordinance (‘Ordinance’) regulate data processing activities across the country. The Act is applicable in any of the following circumstances:

  • The data subject has its habitual residence in Switzerland, provided that the data processor can anticipate that damage may be sustained in Switzerland.
  • The data controller or processor (as the potentially infringing party) is a Swiss resident.
  • Damage resulting from a data breach is sustained in Switzerland, provided that the data processor can anticipate that damage may be sustained in Switzerland.

The Federal Data Protection and Information Commission is the authority responsible for supervising data protection activities. The Commission recently released a guide on technical and organisational measures, introducing data protection risks and the measures that can be taken to ensure the protection of personal data.

  1. Guide for technical and organisational measures: This guide is an introduction to the data protection risks that can arise in connection with modern IT systems. It is intended to help the reader implement measures that ensure optimum and appropriate protection for personal data. The guide is primarily intended for IT systems managers and those directly involved in the management of personal data, whether they are technicians or not. It is structured around four main topics: data access, data lifecycle, data transmission and the right to information.

AUSTRIA

The Federal Act concerning the Protection of Personal Data (Datenschutzgesetz, DSG) substantially amended the Data Protection Act 2000 in order to adapt Austrian law to the GDPR. The Act regulates the processing of personal data, the appointment of data protection officers, the confidentiality of data, processing for the investigation or prosecution of criminal offences, and the data subject's rights to rectification and erasure.

Based on Art 8 GDPR, the Act provides that children may consent to data processing in the context of information society services from the age of 14, instead of 16 as stipulated by the GDPR. Art 10 GDPR provides that criminal data may only be processed "under the control of official authority" unless otherwise authorised by Member State law. The Austrian legislator closed this potential gap by providing that criminal data may also be processed on the basis of legitimate interests pursued by the controller.[4]

CZECH REPUBLIC 

The Czech Republic enacted Act No. 110/2019 Coll. on the Processing of Personal Data, adapting Czech law to the GDPR. The Act came into effect on April 24, 2019. It replaces the earlier Act No. 101/2000 Coll. on Personal Data Protection (as amended) and regulates personal data processing within the scope of the GDPR, as well as processing by competent authorities for the purposes of preventing, investigating and detecting criminal activity and ensuring security and public order.

The Office for Personal Data Protection ('UOOU') has published guidance material on the implementation of the Act, including the following:

  1. Data Breach Notification Guidance[5]: Key features of the guidance are:
    • any breach of personal data security that may result in a risk to the rights and freedoms of individuals must be reported;
    • examples of such incidents include an attack on a computer on which personal data is processed that results in the leakage of personal data, and the loss of paper documents containing personal data that formed part of manually kept records;
    • where a breach is unlikely to result in a high risk to the rights and freedoms of data subjects, for example if it becomes impossible to trace a paper document that was or should have been part of a manually kept record, no notification is required;
    • the guidance lists what a notification must contain, as well as the exceptions to the obligation to inform affected individuals of a breach.
  2. DPIA Methodology[6]: The UOOU also published a methodology for conducting Data Protection Impact Assessments ('DPIAs'). Key points of the methodology are:
    • it contains questions and answers, sets out who needs to carry out a DPIA and when, and outlines the four stages of a DPIA;
    • the controller must first establish whether a DPIA is required, having regard to the personal data obtained, the legal basis for processing, the retention periods and any data transfers;
    • when carrying out a DPIA, the controller should provide a systematic description of the intended processing activities, follow a risk assessment procedure that identifies the assets, vulnerabilities and threats related to the processing of personal data, and determine the resulting level of risk;
    • it gives examples of vulnerabilities, such as insufficient maintenance of the supporting information and communication technologies and insufficient physical protection of personal data.

LUXEMBOURG

On 16 August 2018, the Luxembourg Government published the Law of 1 August 2018 on the organisation of the National Commission for Data Protection and the general data protection framework, which implements Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR).

The Law repeals the law of 2 August 2002 on the protection of persons regarding the processing of personal data.

ROMANIA

The Parliament of Romania adopted Law No. 190/2018 implementing the General Data Protection Regulation. The Law regulates special rules for the processing of certain categories of personal data, derogations from the GDPR, provisions regarding data protection officers (‘DPO’) and certification bodies, as well as provisions on the applicable sanctions for public and private entities. 


Conclusion: Critique of GDPR


As the domestic laws of the EU member states show, the GDPR has become the template for emerging data privacy legislation. It strengthens individual privacy rights and increases the obligations of companies that handle personal data. It is also not toothless: it not only imposes obligations on organisations but also provides for heavy penalties when those obligations are breached.

The largest sanction imposed under the GDPR to date came from the French authority, the CNIL, whose restricted committee imposed a financial penalty of €50 million[7] on Google LLC for lack of transparency, inadequate information and lack of valid consent regarding ads personalisation. The CNIL's decision served as a warning that tough enforcement is not merely theoretical and that organisations must take privacy law seriously.

Several further major fines followed in 2020, including:

  • In April 2020, the Dutch Data Protection Authority imposed its largest fine to date, €725,000 (approx. US$821,600), on an unnamed company for unlawfully using employees' fingerprint scans for attendance records over a period of ten months. Under the GDPR, biometric data is a special category of personal data subject to stringent protection.[8]
  • On December 7, 2020, the French Data Protection Authority (CNIL) imposed fines of €60 million on Google LLC and €40 million on Google Ireland Limited (€100 million in total), and a separate fine of €35 million on Amazon Europe Core, for cookie violations. Its investigations found that cookies, many of them used for advertising purposes, were automatically placed on users' devices without their prior consent.[9]
  • On December 7, 2020, the Norwegian Data Protection Authority ('Datatilsynet') notified the Norwegian Sports Confederation ('NIF') of its intention to impose an administrative fine of NOK 2.5 million (approx. €236,000) following the exposure of the personal data of 3.2 million Norwegians, caused by an error made while testing a cloud solution.[10]

Since the digital environment now makes private data accessible at a single click, privacy laws have become the talk of the town, and a breach can mean heavy penalties for controllers and processors alike. The borderless nature of the Internet raises several jurisdictional issues in data protection, and non-EU countries are gradually bringing in laws modelled on the GDPR to protect the personal data of their consumers. India and China have introduced data privacy bills, and China has also written data privacy principles into its Civil Code.

The pressing need for organisations to review their privacy policies and bring them into compliance with both their national legislation and the GDPR reflects the growing acceptance of the GDPR beyond the EU.


† Consultant at Ernst and Young | Data Privacy and Occupational Health and Safety Compliance Professional

[1] The GDPR defines data subjects as "identified or identifiable natural person[s]". In other words, data subjects are people: the human beings from whom, or about whom, an organisation collects information in connection with its business and operations.

[2] Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

[3] Under Article 4 of the GDPR, a data controller is the entity (person, organisation, etc.) that determines the purposes and means (the why and the how) of processing personal data. A data processor, on the other hand, is the entity that actually carries out the processing on the controller's behalf.

[4] https://www.dorda.at/en/publications/new-austrian-data-protection-act-implementing-gdpr-passed-austrian-parliament Last accessed on December 11, 2020.

[5] https://www.uoou.cz/vismo/zobraz_dok.asp?id_org=200144&id_ktg=5020&n=poruseni-zabezpeceni

[6] https://www.uoou.cz/vismo/dokumenty2.asp?id_org=200144&id=46497

[7] CNIL, Deliberation of the restricted committee No. SAN-2019-001 of January 21, 2019, pronouncing a financial penalty against the company GOOGLE LLC.

[8] https://cisomag.eccouncil.org/four-biggest-gdpr-fines-of-2020/ Last accessed on December 11, 2020.

[9] https://www.cnil.fr/en/cookies-financial-penalties-60-million-euros-against-company-google-llc-and-40-million-euros-google-ireland Last accessed on December 14, 2020.

[10] https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2020/varsel-om-overtredelsesgebyr-til-norges-idrettsforbund/

Case Briefs | International Courts

European Court of Justice (Grand Chamber): Striking a blow to companies that depend on the transfer of data between Europe and the US under the Privacy Shield Decision, the Court held that the Privacy Shield Decision does not adequately protect the personal data of European citizens from US surveillance activities. It further observed that the Privacy Shield Decision is incompatible with Art. 45(1) of the General Data Protection Regulation (GDPR), read in the light of Arts. 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, and is therefore invalid. Examining European Commission Decision 2010/87/EU of 05-02-2010 on 'standard contractual clauses' (SCCs) for the transfer of personal data to processors established in third countries, the Court agreed with the Opinion of the CJEU Advocate General delivered on 19-12-2019, which stated that the SCCs offer adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals, and as regards the exercise of the corresponding rights, as required by Art. 26(2) of Directive 95/46/EC of the European Parliament and of the Council, and upheld the validity of that Decision.

As per the facts, any person residing in the European Union who wishes to use Facebook is required to conclude, at the time of registration, a contract with Facebook Ireland, a subsidiary of Facebook Inc., which is established in the United States. Some or all of the personal data of Facebook Ireland's users residing in the European Union is transferred to servers belonging to Facebook Inc. located in the United States, where it undergoes processing. Max Schrems, an Austrian Facebook user since 2008, filed a complaint with the Irish Data Protection Commissioner requesting that Facebook Ireland be prohibited from transferring his personal data to the United States, on the ground that the law and practice in force in that country did not ensure adequate protection of personal data held in its territory against the surveillance activities of its public authorities. Mr Schrems claimed, inter alia, that United States law requires Facebook Inc. to make the personal data transferred to it available to certain United States authorities, such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI).

Perusing the background of the case, the Court compared the legal mechanisms of data protection vis-à-vis surveillance prevalent in the US and the European Union. It found that the limitations on the protection of personal data arising from the domestic law of the United States on the access to and use by US public authorities of data transferred from the European Union to the United States, as assessed in the Privacy Shield Decision, are not circumscribed in a way that satisfies requirements essentially equivalent to those required under EU law by Art. 52(1) of the Charter of Fundamental Rights of the European Union. It further observed that the US Government had accepted that Presidential Policy Directive-28 (which imposes a number of limitations on "signals intelligence" operations, has binding force for US intelligence authorities and is of particular relevance for EU data subjects) does not grant data subjects actionable rights before the courts against the US authorities. Therefore, the Privacy Shield Decision cannot ensure a level of protection essentially equivalent to that arising from the Charter of Fundamental Rights of the European Union, contrary to the requirement in Art. 45(2)(a) of the GDPR that a finding of adequacy depends, inter alia, on whether data subjects whose personal data are transferred to the third country in question have effective and enforceable rights. [Data Protection Commissioner v. Facebook Ireland Ltd. and Maximillian Schrems, C-311/18, decided on 16-07-2020]

Op Eds

The European Union (EU) continues to be a significant market for the IT/BPO industry in India[1]. India's Personal Data Protection Bill, 2019[2] ("the Bill") has not yet been enacted into law, and India faces many challenges when entering into data processing agreements with EU counterparts. The EU has been one of the biggest markets for the Indian outsourcing sector, and India's relatively weak data protection laws make it less competitive than other outsourcing destinations in this space. Further, Article 3 (Territorial scope) of the General Data Protection Regulation (GDPR) makes it clear that the regulation applies regardless of whether or not the processing takes place in the EU. This means no business for Indian companies that do not comply with the GDPR, increased compliance costs for those that do, and the risk of heavy penalties for failing to comply[3]. This article focuses on the transfer of data from the EU to India and on India's approach to such transfers with respect to the obligations and the extent of liability of the parties involved.

Data transfer and GDPR

Legitimacy of data transfer regarding personal data of data subjects under GDPR involves two stages[4]:

  1. The data transfer itself must be legal.
  2. The transfer to the third country must be permitted.

DATA TRANSFER ITSELF MUST BE LEGAL

Where a processor is situated in a third country, every data processing agreement must expressly allocate the obligations of the controller and the processor. The reason is that Article 82 of the GDPR states that a person who has suffered material or non-material damage as a result of an infringement of the Regulation has the right to receive compensation from the controller or processor for the damage suffered. A controller involved in processing is liable for the damage caused by processing which infringes the Regulation. A processor is liable for the damage caused by processing only where it has not complied with the obligations of the Regulation specifically directed to processors, or where it has acted outside or contrary to the lawful instructions of the controller.

The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors, also in relation to the monitoring by and measures of supervisory authorities, requires a clear allocation of the responsibilities under this Regulation, including where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller[5].

Obligations of the Controller

Consent

Processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing[6]. The obligation is on the controller to show that consent of the data subject has been obtained as required under Article 7 of GDPR. Article 82 read with Article 7 of GDPR mandates the controller to be held liable for damages to the data subject in case of infringement of Article 7 of GDPR.

Lawfulness and means of processing

Article 4(7) of the GDPR defines a controller as the entity that determines the purposes and means of the processing of personal data. The obligations of the controller under Article 24 of the GDPR are to be read with the principles in Article 5. Apart from the lawfulness of processing and obtaining the data subjects' consent, the controller is accountable for ensuring that personal data are: processed fairly and transparently; collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; adequate, relevant and limited to what is necessary for those purposes; accurate and, where necessary, kept up to date, with every reasonable step taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; kept in a form which permits identification of data subjects for no longer than is necessary for those purposes; and processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures[7]. In selecting a processor, the controller must ensure that the processor has implemented sufficient technical and organisational measures so that the processing meets the requirements of the Regulation[8].

Obligations of the Processor

The next question is what obligations and liability attach to the processor.

It is the responsibility of both the controller and processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk[9]. Further, the processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law[10]. If a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing[11].

In a controller-processor relationship, the latter is only allowed to process personal data based on the documented instructions from the controller. The processor cannot engage another processor to help fulfil a specific contract, without the prior specific or general written authorisation of the respective controller[12]. Thus the carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject[13].

Further, it is the responsibility of both the controller and the processor to maintain records of processing activities under their responsibility[14].

WHETHER TRANSFER TO A THIRD COUNTRY IS PERMITTED

If the intended data transfer meets the general requirements, one must check in a second step whether transfer to the third country is permitted. There is a differentiation between secure and unsecure third countries[15].

The GDPR allows the transfer of personal data of data subjects in the EU to countries outside the EU for processing and does not prohibit such transfers per se, whether the destination is a secure third country that has obtained 'adequacy' status or an unsecure third country without a comprehensive data protection law, as in the case of India. The principles embodied in the GDPR recognise the importance of international trade and cooperation for economic growth; the Regulation seeks to balance economic growth with individual privacy and national security.

Transfers to secure third countries do not require any specific authorisation[16]. As India (a third country) does not yet have a separate data protection law and is regarded by the EU as an unsecure third country, agreements with EU counterparties incorporate the standard contractual clauses adopted by the European Commission, which Indian entities must abide by when processing personal data. The standard contractual clauses cannot be amended in a way that contradicts the Commission decision; the parties are free to add clauses so long as they are consistent with the standard clauses.

The EU Commission Decision of 5 February 2010 (C(2010) 593) sets out standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council. Although adopted under the Directive, it continued to apply under the GDPR at the time of writing, since Article 46(5) of the GDPR keeps Commission decisions adopted under Article 26(4) of the Directive in force until amended, replaced or repealed. Recital 2 of the Decision states:

Member States may authorise, subject to certain safeguards, a transfer or a set of transfers of personal data to third countries which do not ensure an adequate level of protection. Such safeguards may in particular result from appropriate contractual clauses.

Thus, along with the other terms agreed between a controller situated in the EU and a processor processing data in India, the standard contractual clauses in Decision C(2010) 593 must be followed by the Indian processor. Indian companies take on these additional obligations because India does not have a data protection act in place.

What’s next for India?

Is India Chapter V of GDPR compliant? 

For personal data to be transferred from a controller in the EU to a processor in India without additional safeguards, India would need to be recognised under Chapter V of the GDPR as a country providing adequate protection, which in turn requires the Indian Personal Data Protection Bill, 2019 to deliver a level of protection essentially equivalent to that of the GDPR. India is gearing up to seek 'adequacy' status under the European Union's General Data Protection Regulation[17].

In conclusion, the purpose of this article is to create awareness among processors of their obligations and the resulting liability. A processor cannot be held liable for every data privacy breach. It is therefore necessary to understand the respective obligations of the controller and the processor and to allocate each entity's responsibility separately in the agreement between them. This article should also assist data subjects aggrieved by a data privacy breach in approaching the right entity to claim relief.


* Advocate

[1] Rahul Kumar, "India gets ready for EU's new data regime", 25 April 2017, https://www.cioandleader.com/article/2017/05/02/india-gets-ready-eu%e2%80%99s-new-data-regime

[2] Personal Data Protection Bill, 2019.

[3] Sivarama Krishnan, "How can Indian organisations prepare for the GDPR regime?"

[4] General Data Protection Regulation, Key Issue: Third Country.

[5] General Data Protection Regulation, Recital 79 (Allocation of Responsibilities), https://gdpr-info.eu/recitals/no-79/

[6] General Data Protection Regulation, Key Issue: Consent.

[7] Article 5, General Data Protection Regulation (Regulation (EU) 2016/679).

[8] General Data Protection Regulation, Key Issue: Processing, https://gdpr-info.eu/issues/processing/

[9] Article 32, General Data Protection Regulation.

[10] Article 29, General Data Protection Regulation.

[11] Article 28(10), General Data Protection Regulation.

[12] General Data Protection Regulation, Key Issue: Processing, https://gdpr-info.eu/issues/processing/

[13] General Data Protection Regulation, Recital 81 (The Use of Processors), https://gdpr-info.eu/recitals/no-81/

[14] Article 30, General Data Protection Regulation.

[15] General Data Protection Regulation, Key Issue: Third Country, https://gdpr-info.eu/issues/third-countries/

[16] Article 45, General Data Protection Regulation.

[17] Abhimanyu Ghoshal, "India to seek EU's approval on GDPR compliance for 'adequacy' status", https://thenextweb.com/asia/2019/07/30/india-to-seek-eus-approval-on-gdpr-compliance-for-adequacy-status/


[Image Credits: analyticsindiamag.com]

Cabinet Decisions | Legislation Updates

The Union Cabinet has approved the proposal of the Securities and Exchange Board of India (SEBI) to sign an updated version of the Alternative Investment Fund Managers Directive (AIFMD) Memorandum of Understanding (MoU) between SEBI and the Financial Conduct Authority (FCA), UK, following the UK's exit from the European Union on 31-01-2020.

Major impact

The UK exited the EU on 31st January 2020. The FCA had informed SEBI that no transitional measures would be available unless the amended MoU was signed before the date of the UK's exit from the European Union (Brexit), and had requested SEBI to sign the updated MoU as early as possible. The proposal is not expected or intended to have any effect on employment in India.

Background

In accordance with the requirement under the European Union Alternative Investment Fund Managers Directive (AIFMD) to establish adequate supervisory cooperation arrangements between EU and non-EU authorities, SEBI signed bilateral MoUs on 28th July 2014 with the securities regulators of 27 EU / European Economic Area member states, including the Financial Conduct Authority (FCA) of the United Kingdom. In the context of the UK's proposed withdrawal from the EU, the FCA brought to SEBI's notice that the existing MoU between SEBI and the FCA relating to the AIFMD, which is anchored in EU law, would no longer apply directly in the UK, and therefore suggested signing an updated MoU, amending the AIFMD MoU by substituting the references to EU legislation with the relevant UK law.


Cabinet

[Press Release dt. 19-02-2020]

[Source: PIB]

Hot Off The Press | News

The Geneva Act of the Lisbon Agreement on Appellations of Origin and Geographical Indications reached a milestone enabling its entry into force, as the European Union (EU) joined as the key fifth member of the international registration system that provides protection for names identifying the geographic origin of products such as coffee, tea, fruits, wine, pottery, glass and cloth.

Background

Appellations of origin and geographical indications are distinctive product designations that require a qualitative link between the product to which they refer and its place of origin. Both are interesting marketing tools for producers, as they inform consumers about a product’s geographical origin and a quality, characteristic and/or reputation of the product linked to its place of origin. The basic difference between the two terms is that the link with the place of origin is stronger in the case of an appellation of origin.

Like all intellectual property rights, the rights granted by an appellation of origin or a geographical indication fundamentally have a territorial character and only take effect in the country or region in which the distinctive sign is protected.

The Lisbon System offers an international registration system for appellations of origin and geographical indications through a single procedure with WIPO. By means of a single registration procedure and at minimal expense, the holder of a national or regional appellation of origin or geographical indication may obtain protection of the distinctive sign in the other contracting parties of the Lisbon System.

Examples of appellations of origin and geographical indications include Kampot Pepper, Darjeeling Tea, Panjin Rice, Café de Colombia, Prosciutto di Parma, Oku Honey, Scotch Whisky, Tequila, Argane, Chulucanas, Khokhloma, Chiangmai Celadon, Swiss Watches and Bohemia Crystal.


WIPO

[Press Release dt. 26-11-2019]

Hot Off The Press | News

The French Parliament is the first to adopt the European copyright reform, which would "ensure media are paid for original content, typically news, offered online by tech giants such as Google and Facebook."

As reported by the media, the "revamp to European copyright legislation, adopted by the European Parliament in March, was agreed by the French lower chamber in a final reading, making France the first country to adopt the directive."

The EU copyright directive must be transposed by all member states by 7 June 2021.

Read more: European Copyright Reform

According to an EU press release:

"The reform will adapt copyright rules to today's world, where music streaming services, video-on-demand platforms, news aggregators and user-uploaded-content platforms have become the main gateways to access creative works and press articles. The new Directive will boost high-quality journalism in the EU and offer better protection for European authors and performers.

Users will benefit from the new rules, which will allow them to upload copyright-protected content on platforms legally. Moreover, they will benefit from enhanced safeguards linked to the freedom of expression when they upload videos that contain rights holders' content, i.e. in memes or parodies."

Case Briefs | Foreign Courts

Supreme Court of the United Kingdom: In a landmark decision concerning the June 2016 referendum that marked "Brexit", an 11-Judge Bench of the Court held, by a majority of 8:3, that under Article 50 of the Treaty on European Union an Act of Parliament is required to authorise ministers to give 'Notice' of the United Kingdom's decision to withdraw from the European Union.

The issue in the present case was whether the Notice referred to in Article 50 of the Treaty on European Union can lawfully be given by government ministers without an Act of Parliament. Article 50 states that if a member state decides to withdraw from the European Union 'in accordance with its own constitutional requirements', it must serve a Notice of that intention, and the treaties which govern the EU "shall cease to apply" to that member state within two years thereafter. It was contended that "the Government cannot serve a Notice unless first authorised to do so by an Act of Parliament. Resolution of this dispute depends on the proper interpretation of the European Communities Act 1972 ('the ECA'), which gave domestic effect to the UK's obligations under the then existing EU Treaties".

While deciding the case, the Court made it clear that it was not scrutinising the validity of the United Kingdom's decision to withdraw from the EU. Lord Neuberger, President, delivering the majority judgment, stated that "Section 2 of the ECA authorises a dynamic process by which EU law becomes a source of UK law and takes precedence over all domestic sources of UK law, including statutes". Observing the major political and legal significance of the 2016 Referendum, the majority stated that "The change in the law required to implement the referendum's outcome must be made in the only way permitted by the UK constitution, namely, by an Act of Parliament". The dissenting Judges, however, observed that "The ECA does not impose any requirement or manifest any intention in respect of the UK's membership of the EU. It does not therefore affect the Crown's exercise of prerogative powers in respect of UK membership." [R (Miller) v. Secretary of State for Exiting the European Union, [2017] 2 WLR 583: [2017] UKSC 5, decided on 24-01-2017]