ISACA Belgium Privacy Open Forum: GDPR current status
Uploaded by: johan-vandendriessche
Category: Law
Transcript of ISACA Belgium Privacy Open Forum: GDPR current status
Brussels, 2 December 2015
Agenda
1. 18:30 Introduction
2. 18:45 GDPR: current status
3. 19:30 Break
4. 19:50 GDPR: current status
5. 20:45 Close
General warning
• Information is provided on the basis of available information
• Excerpts from Council position and trilogue documents available until this date
• Not all trilogue information is available
• Trilogue principle: “nothing is agreed until everything is agreed”
Agenda
• Overview
• Short timeline
• Overview initial agenda trilogues
• Review of EC Council position in first reading
• Review of some information on trilogues
Overview
• Additional requirements GDPR
  • Privacy officer for large companies / privacy sensitive companies
  • Privacy by design
  • Privacy by default
  • Data portability
  • Right to be forgotten
  • Data breach notifications
  • Data protection impact assessment
  • Fines
Overview
• Data Protection Management
  • Key principle: accountability
  • Ensure and be able to demonstrate compliance
    • Adopt policies
    • Implement appropriate measures
    • Documentation
    • Implementing data security requirements
    • Performing data protection impact assessment
    • Prior authorization or consultation (where required)
    • Data protection officer (DPO)
GDPR: short timeline
• Reform of the data protection legal framework in the EU
  • Dec 1995: Directive 1995/46/EC
  • Jan 2012: EC Proposal GDPR COM(2012) 11 final
  • March 2014: EP GDPR text (first reading)
  • June 2015: EC Council GDPR text (first reading)
  • June-December 2015: trilogue meetings
  • Jan-July 2016: final text?
  • July-Dec 2018: end of provisional period?
GDPR Initial Trilogue Agenda
• 24 June 2015
  • General approach
  • Agreement on roadmap
  • General method and approach for delegated and implementing acts
• 14 July 2015
  • Territorial Scope, Representative
  • Chapter V Transfer of personal data to a third country or international organisation
GDPR Initial Trilogue Agenda
• 16-17 & 29-30 September 2015
  • Chapter II Principles
  • Chapter III Rights of the data subject
  • Chapter IV Controllers and processors
• 15 & 28 October 2015
  • Chapter VI Independent supervisory authorities
  • Chapter VII Cooperation and consistency
  • Chapter VIII Remedies, liability and sanctions
GDPR Initial Trilogue Agenda
• 11-12 & 24 November 2015
  • Chapter I General Provisions
  • Chapter IX Specific Regimes
• 10 & 15 December 2015
  • Chapter X Delegated and implementing acts
  • Chapter XI Final provisions
  • Remaining issues
• Parties intend to close discussions at the end of 2015
Definitions
• Personal data
  • Addition of wording “by means reasonably likely to be used by the controller or by any other […] person”
  • Tentative agreement to delete additional wording
Definitions
• Main establishment
  • Controller with establishments in more than one Member State
    • Central administration
    • Establishment that decides on purposes and means (power to implement)
  • Processor with establishments in more than one Member State
    • Central administration
    • Location of main processing activities
Definitions
• Pseudonymisation
  • Prevent attribution to a specific data subject without use of additional information
  • Additional information kept separately and subject to measures to ensure non-attribution
  • No information on trilogue position
Definitions
• Profiling
  • Automated processing of personal data
  • Evaluate personal aspects
  • Analyse and predict
    • Performance at work
    • Economic situation
    • Interests
    • Behaviour
    • …
Material Scope
• Processing of personal data
  • Wholly or partly by automated means
  • Other processing where personal data are intended to form part of a filing system
• Clarification on household exemption
  • No requirement of absence of gainful interest
  • Tentative agreement in trilogue
Material Scope
• Exemption for law enforcement processing
  • Public authorities or not?
  • Extension to prevention of threats to public security
  • Trilogue: suggestion to follow EC Council text
Material Scope
• Effect on Directive 2000/31/EC (information society services)
  • Impact on liability of intermediaries
  • Tentative agreement in trilogue to include wording to apply Directive 2000/31/EC
Territorial Scope
• Controller or processor established in the EU
  • Activities linked to establishment
• Data subjects residing in the EU
  • Offering of goods or services
  • Monitoring of behaviour located in EU
Restriction of Data Subject Rights
• Restriction is permitted
  • National security
  • Defence
  • Public security
  • Law enforcement (broad sense)
  • General public interest
  • Judicial independence and judicial proceedings
  • …
• Tentative agreement in the trilogue on most items
Data Protection Management
• Duty to document processing
  • Controller
    • All categories of personal data processing activities
    • Description of activity (name, purposes, categories of data, recipients, transfers to third countries, time limits for erasure, description of security)
Data Protection Management
• Duty to document processing activities
  • Processor
    • All categories of processing performed on behalf of data controller
    • Description of activities (name of processor and controller, DPO ID, transfers to third countries, description of security measures)
Data Protection Management
• Documentation duty exemptions
  • Organisations < 250 persons, except high risk for rights and freedoms of data subject
    • Identity theft
    • Fraud
    • Reversal of pseudonymisation
    • Damage (financial loss, loss of confidentiality, …)
Data Breach Notification
• Data Breach Notification: restricted scope
  • Breach likely to result in high risk for the rights and freedoms of individuals
  • Not required if no communication to data subject is required
• Deadline
  • 72 hours
  • Reasoned justification if not made within deadline
Data Breach Notification
• Contents
  • Description of the data breach (where possible and appropriate, approximate categories of personal data and number of data subjects)
  • DPO ID
  • Likely consequences
  • Remedial and mitigation action proposed or taken
• Documentation duty re data breaches
Data Breach Notification
• Communication to data subjects
  • Likely to result in high risk for the rights and freedoms of individuals
  • Deadline: without undue delay
  • Contents
    • DPO ID
    • Remedial and mitigation action proposed and taken
Data Breach Notification
• Exemption
  • Technical measures to render data unintelligible (e.g. encryption)
  • Subsequent measures to ensure that high risk is no longer likely to materialise
  • Disproportionate effort (public communication is required)
  • Adverse effect on a substantial public interest
Data Breach Notification
• Presidency suggestion
  • Undue delay, not later than 72 hours
  • Justification if later than 72 hours
  • Risk for the rights and freedoms of individuals
DPO
• Optional DPO appointment, unless required by law
• Groups and public authorities may appoint single DPO
• Presidency position
  • Mandatory DPO (12 months extra transition period)
    • Public authority
    • Core activity processing requiring regular / systematic monitoring on large scale
    • Core activity processing special categories of data on a large scale
Enforcement
• Power of supervisory authority
  • Investigation powers
  • Data protection audits
  • Soft enforcement (notify, issue warnings, reprimands, compliance orders)
  • Administrative fines
  • Suspend data flows to recipients in third countries
  • Initiate legal proceedings
• Tentative agreement on most issues
Enforcement
• Complaint procedure
  • Single supervisory authority
  • Member State of habitual residence, place of work or place of alleged infringement
• Trilogue suggestion
  • More or less identical to Council position
Enforcement
• Legal proceedings
  • Courts of Member State of an establishment
  • Alternative jurisdiction: habitual residence of data subject, unless public authority acting in the exercise of its public powers
• Tentative agreement in trilogue
Enforcement
• Right to compensation
• Liability
  • Controller: liable for infringement
  • Processor: liable for specific processor obligations or exceeding instructions of controller
  • Joint liability
• Tentative agreement in trilogue
Enforcement
• Administrative fines
  • Effective, proportionate and dissuasive
  • Criteria define amount
    • Nature, gravity and duration of infringement
    • Intentional or negligent nature
    • Mitigation action
    • Degree of responsibility in security
    • Existence of previous infringements
    • Cooperation
    • Categories of data involved
    • …
• Tentative agreement in trilogue
Enforcement
• Council position on administrative fines
  • 250.000 EUR or 0,5% of total worldwide annual turnover of preceding financial year (whichever is higher)
  • 500.000 EUR or 1% of total worldwide annual turnover of preceding financial year (whichever is higher)
    • Data subject rights
  • 1.000.000 EUR or 2% of total worldwide annual turnover of preceding financial year (whichever is higher)
    • Essential provisions of GDPR
• Position is considerably more lenient than EP (!)
Enforcement
• Administrative fines
  • 500.000 EUR or 1% of total worldwide annual turnover of preceding financial year (whichever is higher)
    • Security provisions
    • Data flows to third countries
  • 1.000.000 EUR or 2% of total worldwide annual turnover of preceding financial year (whichever is higher)
    • Essential provisions of GDPR
• Suggested text for trilogue, but superseded
Enforcement
• Latest trilogue text
  • Obligations for controllers
    • 1.000.000 EUR or 2% total worldwide annual turnover preceding year in case of undertaking
  • Data subject rights
    • 2.000.000 EUR or 4% total worldwide annual turnover preceding year in case of undertaking
  • Non-compliance order of supervisory authority
    • 1.000.000 EUR or 2% total worldwide annual turnover preceding year in case of undertaking
Specific Data Processing Activities
• National law provisions
  • Employment (especially consent)
  • Social Security
  • Archiving in public interest, scientific, statistical and historical purposes
  • Churches and religious associations
• Mostly tentatively agreed in trilogue
Entry into force
• Entry into force
  • 20th day following official publication
• Transition period
  • 2 years from entry into force
• Suggested text for trilogue
Contact details
Johan Vandendriessche
Partner - crosslaw CVBA
Visiting Professor ICT Law - UGent
Mobile Phone +32 486 36 62 34
E-mail [email protected]
Website www.crosslaw.be