The international legal network
After four years "in the making", the new General Data Protection Regulation (the "Regulation") is expected to be formally adopted very soon. The wording of the Regulation has been publicly known since 15 December 2015. It is currently being considered through normal legislative procedure by the European Parliament, Council of the European Union and the European Commission. Once approved, the Regulation will enter into force in all EU member states in the beginning of 2018
The Regulation will in our opinion lead to a significant improvement – and administrative relief – for Danish companies if they have activities throughout the EU. Companies will no longer have to deal with – or seek advice on – personal data rules in the different EU countries. Similarly, the Regulation proposes to establish a one-stop-shop mechanism, where companies only get assigned to one supervisory authority, although there are exceptions for employment data and national security, which still might be subject to local law.
Under the Regulation, the generally high level of protection regarding personal data as we know today will be maintained. The Regulation will thus to a large extent continue the rules that apply in Denmark already pursuant to the Danish Data Protection Act. However, there are a number of changes - the most significant highlighted here:
• It is no longer only the data controllers – the companies "owning" data – that are bound by the rules, but also the data processors – the companies handling data. This means, for example, that it is no longer just an employer company that is responsible for compliance, but also potential subcontractors, such as a payroll agency, to which the employer company has outsourced its processing or storage of personal information.
• Companies established outside the EU are covered by the Regulation if they offer products/services within the EU. For internet-based businesses it will mainly be a matter of whether the individual company promotes itself towards the European market. Key factors in the analysis will include whether the promotion is done in European languages and if prices are specified in European currencies.
• Companies will to a higher degree be required to document an adequate level of data security. This includes an obligation to implement appropriate technical and organizational measures designed to ensure the protection of personal data (data protection by design). Furthermore, these measures must also include a high data protection level by default.
• Some companies will be required to prepare a PIA (Privacy Impact Assessment), which is an assessment of the risks that arise out of the processing of personal data through their IT-system.
• If the processing is carried out by a public authority or by companies having processing of sensitive personal data as a core activity, it is a requirement to appoint a DPO (Data Protection Officer). It is now clear that private companies who are only processing personal data as a subordinate service/activity will not be required to appoint a DPO. In our opinion, most payroll agencies will be required to have a DPO, whereas more traditional companies, which only handle personal data regarding its own employees, will not be required to have that obligation.
• The data subjects are entitled to have more access to information about the processing of their personal data, and the information has to be made available in a clear and understandable manner. The current proposal states that a request for access must be answered within four weeks. In addition thereto, the rules on "the right to be forgotten" have been clarified.
• It will become easier for individuals to have their personal data transferred between service providers.
• The current requirement to report and notify the supervisory authority about processing of personal data will be removed. The Regulation encourages preparation of an industry-specific "code of conduct"(which may be approved by the supervisory authorities) and certification schemes. This provides a real opportunity to be a leader in the making of specific regulations for your industry and meaningful participation should be considered.
• It will be possible for each member state to fix stricter national requirements regarding specific topics, e.g. on the handling of employee data. It is expected that Denmark will retain the requirement to report processing of employee personal data in the employment context.
• If serious breaches occur, then the data controller or data processor will be under a legal obligation to notify the supervisory authority within 72 hours.
• Finally, the level of fines in case of violations has already created an increased focus on the processing of personal data. Violations of the Regulation may thus lead to fines of up to 10-20 mill Euros or up to 2-4 per cent of the company’s total worldwide turnover (whichever is higher) depending on which provisions are violated. For public authorities the level of fines is up to between 10-20 mill Euros.
Although the new Regulation will not enter into force before the beginning of 2018, it is our recommendation that companies put data protection compliance on the agenda – if this has not already happened. By implementing a number of specific initiatives companies will not only ensure compliance with the current rules in the Danish Data Protection Act but they will also be well prepared in time for the implementation of the Regulation.
Concrete initiatives that we recommend companies to implement:
• Companies are advised to clarify and review their current procedures and policies regarding personal data processing. It is advisable to commence this analysis as soon as possible as it may prove to be quite extensive.
• Companies must ensure that as few employees as possible have access to personal data. Each employee should only have access to the personal data that is necessary for solving the tasks lying with the specific position. Procedures and security measures should be established to ensure this.
• All employees who handle personal data must have written instruction and training on how to handle personal data and how the personal data should be protected. This instruction/training must be targeted each employee. Thus, for example, the instruction to the HR manager will be different than the instruction to the IT manager, because the latter will only have access to the data in order to solve technical problems.
• Companies must ensure that access to the IT-system that handles personal data is protected by password and firewall. Furthermore, all access to sensitive personal data should be logged. After a number of unsuccessful attempts (e.g. 3) to gain access to such sensitive personal information, the IT-system should automatically block for further attempts. It should also be possible to delete information in order to meet the "right to be forgotten" demands of the Regulation.
• Companies (data controllers) should review their contracts with external data processors and make sure that they meet the requirements for good practice regarding data processing, that they have an appropriate level of security and that they will inform the companies in case of security breaches. If no data processing agreements have been made with suppliers, we strongly recommend having them made.
• Companies should get an approval for the personnel administration at the Danish Data Protection Agency and notify the Agency in case of transfer of data outside the EEA.
Industries should begin formulating codes of conduct now, with input from counsel. There is no need to wait until the Regulation is effective.
• Finally, it is important to remember that the Regulation introduces a requirement for "accountability", which means that companies must be able to document that they meet the requirements of the Regulation. Therefore, it is not enough only to meet the requirements of the Regulation - it must also be documented.
The Regulation is destined to be adopted and represents years of work by knowledgeable authorities. Prepare for its implementation and your legal risks will be greatly diminished. Data protection is, and will remain, one of the most important tasks for your company.
For legal assistance or further discussion, please contact the authors:
Tommy Angermair at firstname.lastname@example.org
Maria Helbo Holck at email@example.com
Kirk Larsen & Ascanius
H. C. Andersens Boulevard 45
DK 1553 København V
Phone: +45 70 22 66 60
Fax: +45 75 45 46 36
Tue, 03 May 2016 20:49:15 -0400
Tue, 03 May 2016 21:40:08 -0400
Tue, 03 May 2016 18:30:02 -0400
Tue, 03 May 2016 22:01:08 -0400
Europe/Middle East Regional Meeting and Lawyers Next Generation (Budapest) from 5pm on Friday the 16th of September, 2016 to 5pm on Saturday the 17th of September, 2016