WELCOME TO OUR WEBINAR
The EU General Data Protection Regulation (GDPR)
Tuesday, December 22, 2015, 15:00 GMT / 16:00 CET / 10:00 EST

If you cannot hear us speaking, please make sure you have called into the teleconference number on your invite information.
- UK participants: 0800 279 5994
- Outside the UK: +44 (0) 1452 584 233
- Event Code: 585 479 55
The audio portion is available via conference call. It is not broadcast through your computer.
*This webinar is offered for informational purposes only, and the content should not be construed as legal advice on any matter.

Welcome

Today's speakers

Carol Umhoefer Partner, DLA Piper Paris

Patrick van Eecke Partner, DLA Piper Brussels

Giangiacomo Olivi Partner, DLA Piper Milano

[email protected] or [email protected]

- You are on mute
- A link to a recording of the webinar will be made available

EU General Data Protection Regulation

December 22, 2015

2

The GDPR in 20 Questions

1. Why all the buzz around the EU General Data Protection Regulation?

Carol Umhoefer, Partner, DLA Piper Paris

- One law, directly applicable in all 28 Member States.
- Replaces the 1995 Data Protection Directive and the national laws transposing the Directive.
- Will apply from 2018 – national laws apply until then.
- Big picture implications: will the EU continue to lead the way in personal data protection?

2. Has it been adopted now? Are these really the final rules?

Patrick van Eecke, Partner, DLA Piper Brussels

- Last week
  - 17 December: EP LIBE endorsed the texts agreed in the trilogues.
  - 18 December: COREPER confirmed the final compromise texts.
- Next weeks
  - Early 2016: legal-linguistic review of the texts
  - Early 2016: adoption by the Council
  - Early 2016: adoption by the Parliament
- Spring 2016
  - Publication in the Official Journal
  - 20 days after publication: entry into force
- 2016-2017
  - Delegated acts / implementing acts
- Spring 2018
  - Application of the rules

3. To whom does it apply?

Giangiacomo Olivi, Partner, DLA Piper Milan

- Processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing itself takes place within the EU.
- Processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services to data subjects in the European Union (irrespective of whether a payment by the data subject is required), or to the monitoring of the behaviour of such data subjects as far as their behaviour takes place within the EU.

4. Do the principles stay the same or are we starting over?

Carol Umhoefer, Partner, DLA Piper Paris

- Personal data must be processed lawfully, fairly and in a transparent manner.
- Personal data must be processed for specified, explicit and legitimate purposes and not further processed in an incompatible way.
- Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes.
- Personal data must be accurate and, where necessary, kept up to date.
- Personal data must be kept in a form that permits identification of data subjects for no longer than necessary for the purposes.
- Personal data must be processed in a way that ensures appropriate security, using appropriate technical or organizational measures.
- And a new principle: the controller shall be responsible for, and be able to demonstrate, compliance with the principles.

5. How large are the fines likely to be?

Giangiacomo Olivi, Partner, DLA Piper Milan

- Graduated approach – up to a maximum of 4% of worldwide turnover.
- Due regard is to be given to:
  - the nature, gravity and duration of the infringement;
  - the intentional character of the infringement;
  - actions taken to mitigate the damage suffered;
  - degree of responsibility (e.g. data protection by design or by default) or any relevant previous infringements;
  - cooperation with the supervisory authority (and the manner in which the supervisory authority learned of the infringement);
  - categories of personal data affected;
  - compliance with measures ordered;
  - adherence to a code of conduct (or certification mechanism);
  - other aggravating or mitigating factors (e.g. financial benefits).

6. Will international transfer mechanisms be affected?

Patrick van Eecke, Partner, DLA Piper Brussels

- Same philosophy as before, i.e. transfers only under very strict conditions:
  - Adequacy decisions by the Commission.
  - Appropriate safeguards, such as:
    - binding corporate rules;
    - standard data protection clauses adopted by the Commission or by a supervisory authority, or contractual clauses authorised by a supervisory authority.
  - Derogations: explicit consent / necessary for performance of the agreement / …
- What about legal disclosure obligations? "Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty."

7. Will we need to appoint a DPO or not?

Giangiacomo Olivi, Partner, DLA Piper Milan

- Yes and no! A DPO is to be designated when the core activities of the controller / processor:
  - require regular and systematic monitoring of data subjects on a large scale;
  - consist of processing on a large scale of "special categories of data" (Art. 9) or data relating to criminal convictions.
- A group of undertakings may appoint a single DPO.
- A DPO may be a staff member or a consultant (service contract), and reports to the highest management level.
- Tasks include:
  - inform and advise the controller / processor (and employees) of their obligations;
  - monitor compliance with the GDPR;
  - advise on data protection impact assessments;
  - cooperate with the supervisory authority (including acting as point of contact).

8. How will the one-stop-shop change our compliance program?

Carol Umhoefer, Partner, DLA Piper Paris

- The one-stop-shop is relevant to interactions with supervisory authorities in relation to cross-border processing.
- The definition of cross-border processing could be clarified, even if the intent is clear.
- With respect to its cross-border processing, the controller or processor will deal only with its lead supervisory authority.
- Exceptions may apply – for example, issues arising in a single Member State; employee data processing; healthcare data processing.

9. What will we need to do in case of a data breach?

Giangiacomo Olivi, Partner, DLA Piper Milan

- Notification to the supervisory authority without undue delay and, where feasible, within 72 hours, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.
- A reasoned justification is required if the breach is not notified within 72 hours.
- Data subjects shall be notified without undue delay if the breach is likely to result in a high risk to the rights and freedoms of individuals, so that they can take the necessary precautions.
- Communication to the data subject is not required if the controller:
  - implemented appropriate technical and organisational measures that rendered the affected data unintelligible (e.g. encryption);
  - took subsequent measures to ensure that the high risk is no longer likely to materialise;
  - or if the communication would involve disproportionate effort.

10. Can we still process personal data on the basis of consent?

Patrick van Eecke, Partner, DLA Piper Brussels

- Yes, but:
  - consent should be freely given, specific, informed and unambiguous;
  - given by a statement or clear affirmative action;
  - the controller has the burden of proof.
- In practice:
  - ticking a box, choosing technical settings, or conduct clearly indicating acceptance of the proposed processing;
  - silence, pre-ticked boxes or inactivity should not constitute consent;
  - contract performance cannot be made conditional on consent if the processing is not necessary.

11. Can we still process personal data on the basis of legitimate interests?

Carol Umhoefer, Partner, DLA Piper Paris

- Yes – with some changes:
  - Obligation to specifically inform data subjects.
  - The data subject is entitled to require restriction of the processing of his/her data while it is verified whether fundamental rights override the legitimate interests.
  - The reasonable expectations of data subjects should be taken into consideration, for example when the data subject is a client or in the service of the controller.
  - Examples: preventing fraud; ensuring network and information security.
  - Direct marketing purposes may be regarded as carried out for a legitimate interest?

12. Will data collection from kids become illegal?

Giangiacomo Olivi, Partner, DLA Piper Milan

- No. The general principles of lawfulness of processing (Art. 6) shall apply.
- Processing of the personal data of a child below the age of 16 years requires consent given or authorized by the parent (or other holder of parental responsibility).
- Member States can lower the age threshold (but not below 13 years).
- The controller shall make reasonable efforts to verify that consent is given or authorized by the holder of parental responsibility over the child.
- The rules are to take account of available technology and do not affect general contract law.

13. Will individuals get new rights?

Carol Umhoefer, Partner, DLA Piper Paris

- Yes – several new and expanded rights:
  - Data portability.
  - Restriction of processing.
  - Expanded right of erasure – the Right To Be Forgotten.
  - Rights regarding profiling: using data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

14. Will we get new types of sensitive data?

Patrick van Eecke, Partner, DLA Piper Brussels

- General rule: prohibition on processing personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, and on processing genetic data, biometric data processed in order to uniquely identify a person, or data concerning health or sex life and sexual orientation.
- But 10 exceptions apply, including:
  - explicit consent;
  - vital interest;
  - assessment of the working capacity of the employee;
  - public health; …
- Pay attention! Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or health data.

15. Does the Regulation still apply if we de-identify our data?

Carol Umhoefer, Partner, DLA Piper Paris

- Information that does not relate to an identified or identifiable natural person, or data rendered anonymous in such a way that the data subject is not or no longer identifiable, will not be subject to the Regulation.
- Data that has undergone pseudonymisation, and which could be attributed to a natural person by the use of additional information, is personal data subject to the Regulation.
- To determine whether a person is identifiable, account should be taken of all the means reasonably likely to be used, looking at all objective factors such as the costs and amount of time required, the technology available at the time of the processing, and technological developments.

16. When will we need to conduct a privacy impact assessment?

Giangiacomo Olivi, Partner, DLA Piper Milan

- When processing uses new technologies and is likely to result in a risk to the rights and freedoms of individuals. In particular:
  - systematic and extensive evaluation of personal aspects based on automated processing (including profiling), on which decisions are based that significantly affect the individual;
  - large-scale processing of "special categories of data" or criminal data;
  - systematic monitoring of a publicly accessible area on a large scale.
- A single assessment may address a set of similar processing operations with similar risks.
- The supervisory authority is to publish a list of operations subject (and not subject) to a data protection impact assessment.
- The assessment is to be reviewed when the risk changes.

17. We've always acted as a processor – what will our liability be?

Patrick van Eecke, Partner, DLA Piper Brussels

- Direct claims: a data subject can lodge a complaint directly against a processor (administrative as well as judicial).
- Qualified liability: a processor shall be liable for the damage caused by the processing only where it has not complied with the obligations of this Regulation specifically directed to processors, or has acted outside or contrary to the lawful instructions of the controller.
- Burden of proof: a controller or processor shall be exempted from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
- Joint and several liability: where more than one controller or processor is involved in the same processing and they are responsible for any damage caused by the processing, each shall be held liable for the entire damage, in order to ensure effective compensation of the data subject.
- Liability for sub-processors: where another processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.

18. Is it true the G29 will be dissolved?

Carol Umhoefer, Partner, DLA Piper Paris

- An independent body of the Union with legal personality, the European Data Protection Board, will be established.
- It will replace the Article 29 Working Party.
- Composed of the head of a supervisory authority of each Member State and the European Data Protection Supervisor, or their respective representatives.
- Contributes to the consistent application of the GDPR.
- Empowered to issue binding decisions.
- Decisions are subject to an action for annulment before the Court of Justice of the European Union.

19. Will the regulators be issuing guidelines or recommendations?

Patrick van Eecke, Partner, DLA Piper Brussels

- The Commission will be granted implementing powers.
- Implementing acts:
  - approved codes of conduct;
  - technical standards for certification mechanisms and data protection seals and marks;
  - third country adequacy decisions;
  - format and procedures for the exchange of information between stakeholders for BCRs.
- Delegated acts:
  - information to be presented by the icons;
  - procedures for providing standardised icons;
  - requirements for the data protection certification mechanisms.

20. How far does harmonization really go?

Giangiacomo Olivi, Partner, DLA Piper Milan

- Member State law should reconcile rules governing freedom of expression and information with the protection of personal data.
- Member State law or collective agreements may provide for specific rules on employee personal data processing, for example the conditions under which data can be processed on the basis of employee consent.
- Member States may adopt specific rules if necessary to reconcile the right to the protection of personal data with an obligation of professional secrecy.
- Member States may maintain or introduce more specific requirements for processing pursuant to legal obligations under Member State law.

Stay Informed

- Subscribe to our Privacy Matters blog for regular updates: http://blogs.dlapiper.com/privacymatters/
- Access our Data Protection Laws of the World Handbook at www.dlapiperdataprotection.com (new edition to be released Q1 2016).

QUESTIONS

[email protected]
www.dlapiperdataprotection.com

Enjoy your holidays!