1 Legal and enforcement framework
1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?
The two key pieces of legislation that govern data privacy at an EU level from a general perspective are the following:
- EU Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (also known as the European General Data Protection Regulation (GDPR); and
The GDPR lays down common rules on data protection and processing in order to ensure consistent effective protection of personal data throughout the European Union. This does not, however, mean that data privacy requirements are identical in all areas across all EU member states: the GDPR permits diverging national legislation in specified areas (eg, in relation to employment data or the age of consent for children).
The e-Privacy Directive deals with a number of important issues, such as confidentiality of information, treatment of traffic data, spam and cookies. In this regard, the e-Privacy Directive aims to complement the provisions of the GDPR with respect to the processing of personal data in the electronic communication sector. Since the e-Privacy Directive is a European directive, it has no direct effect and may not necessarily be interpreted in an identical manner across EU member states.
1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?
Yes, there are additional texts applicable to certain sectors, such as the following:
- EU Directive 2016/680 of 27 April 2016, which applies to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; and
- EU Regulation 2018/1725 of 23 October 2018, which applies to the processing of personal data by EU institutions, bodies, offices and agencies.
In addition, each EU member state may enact its own set of rules in relation to specific areas. By way of illustration, the UK National Health Service has issued rules in relation to data protection – for example, in relation to the use of public cloud services. Likewise, the UK Financial Conduct Authority has also issued guidance in relation to data protection and outsourcing to the cloud.
1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?
The European Union has entered into strategic agreements with various countries covering topics such as privacy and cybersecurity, due to the importance of data transfers in today's global economy.
For example, on 23 January 2019, the European Commission adopted its adequacy decision in relation to Japan, allowing the transfer of personal data from the European Economic Area (EEA) to Japan. In parallel, Japan's Personal Information Protection Commission of Japan published on the same date a notice specifying that EEA member states are henceforth included in Japan's data transfer 'white list'.
1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?
The GDPR established the European Data Protection Board (EDPB) to ensure a consistent application of the GDPR across the European Union.
Likewise, the European Data Protection Supervisor is an independent EU body responsible for monitoring the application of data protection rules within European institutions.
The bodies responsible for the enforcement of data privacy legislation vary across European member states. The list of the various national bodies is available on the EDPB's website (see here).
The powers of supervisory authorities include the following:
- Investigatory powers: Supervisory authorities may:
- order controllers or processors to provide information required for the supervisory authority to perform its duties or to obtain access to personal data and information necessary to perform its duties;
- carry out data protection audits or investigations;
- carry out reviews on certifications issued;
- notify controllers or processors of alleged GDPR infringements; and
- obtain access to the premises of controllers or processors.
- Authorisation and advisory powers: Supervisory authorities can:
- advise controllers in accordance with the prior consultation procedure set out in Article 36 of the GDPR;
- issue opinions to national parliaments or member state governments in relation to the protection of personal data;
- authorise data processing if the law of such member state requires prior authorisation for certain processing operations;
- issue opinions and draft codes of conduct;
- accredit certification bodies, certify organisations and approve criteria for certifications;
- adopt standard data protection clauses; and
- approve binding corporate rules.
- Corrective powers: Supervisory authorities can:
- issue warnings about intended processing operations that are likely to infringe the GDPR;
- issue reprimands to controllers or processors for infringements;
- order compliance with the data subject's requests to exercise rights pursuant to the GDPR;
- order controllers or processors to bring processing operations into compliance with the GDPR (within time limits or in a specified way);
- order a controller to communicate a personal data breach to the data subject;
- impose temporary or definitive limitations on processing (including a ban);
- order the rectification or erasure of personal data or the restriction of processing;
- withdraw certifications;
- order the suspension of data flows to a recipient in a third country or an international organisation; and
- where relevant, initiate enforcement actions and impose a fine.
Fines that EU regulatory authorities may impose are set out in Article 83 of the GDPR. In essence, the potential sanctions broadly fall within the following two categories:
- fines of up to €10 million or up to 2% of total worldwide turnover for the preceding financial year (whichever is higher) for infringements relating to the following:
- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body; and
- fines of up to €20 million or up to 4% of total worldwide turnover for the preceding financial year (whichever is higher) for infringements relating to the following:
- basic principles for processing including conditions for consent;
- data subjects' rights;
- international transfer restrictions;
- any obligations imposed by member state law for special cases such as processing employee data; and
- certain orders of a supervisory authority.
1.5 What is the regulator's general approach to data privacy regulation?
Article 83 of the GDPR indicates that the imposition of fines should be "effective, proportionate and dissuasive" in order to give full effect to the requirements of the GDPR. That said, there is no indication that EU regulators are seeking to impose high fines simply for the sake of setting an example. Instead, regulators usually take into account a number of criteria when determining to impose a sanction or fine, including the nature, gravity, duration and character of the infringement. Supervising authorities are also likely to take into account the types of personal data affected, whether there were any previous infringements and the level of cooperation.
1.6 To what extent will the regulator cooperate with its counterparts in other jurisdictions?
The GDPR contains several provisions aimed at ensuring smooth cooperation between EU member states and their supervisory authorities.
In particular, the GDPR includes the concept of a 'lead supervisory authority', whose primary responsibility is to coordinate investigations involving multiple EU member states, thus facilitating the process for businesses, as they only have to deal with one lead regulator. The main benefit of having a lead supervisory authority is to enable an organisation with multiple establishments across the European Union to deal with a main supervisory authority, rather than several authorities throughout the European Union: this is the 'one-stop shop' mechanism. However, the lead supervisory authority mechanism is applicable only in relation to a company's cross-border processing activities. This mechanism can apply regardless of whether the organisation is a controller or a processor under the GDPR.
Pursuant to the GDPR, supervisory authorities are obliged to provide each other with mutual assistance to apply the GDPR consistently. This mutual assistance covers information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations pursuant to Article 61(1) of the GDPR. In addition, a supervisory authority should not refuse requests for mutual assistance unless:
- it is not competent for the subject matter of the request or for the measures requested to execute; or
- compliance would infringe the GDPR or the law of the requested authority's jurisdiction.
Pursuant to Article 62 of the GDPR, supervisory authorities can, where appropriate, conduct joint operations including investigations and enforcement.
In terms of regulatory cooperation outside of the European Union, Article 50 of the GDPR indicates that the European Commission and supervisory authorities should take steps to:
- develop international cooperation mechanisms to facilitate the effective enforcement of legislation for data protection;
- provide international mutual assistance in the enforcement of legislation for data protection, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for data protection and other fundamental rights and freedoms;
- engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of data protection legislation; and
- promote the exchange and documentation of data protection legislation and practice, including on jurisdictional conflicts with third countries.
2 Scope of application
2.1 Which entities are captured by the data privacy regime in your jurisdiction?
Article 2 of the General Data Protection Regulation (GDPR) sets out the material scope of the regulation. The GDPR applies to "the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system".
In addition, the GDPR has a broad territorial scope: Article 3 of the GDPR provides that the regulation
applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the European Union.
The GDPR also applies to the processing of personal data of EU data subjects by an organisation that is not established in the European Union, where the processing activities are related to:
- the offering of goods or services to EU residents (regardless of whether a payment takes place); or
- the monitoring of the behaviour of EU residents.
The e-Privacy Directive applies to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks (Article 3).
2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?
The GDPR does not apply to the processing of personal data in certain cases, such as the following:
- in the course of an activity which falls outside the scope of EU law (Article 2(2)(a));
- by EU member states when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on the European Union (Article 2(2)(b));
- by a natural person in the course of a purely personal or household activity (Article 2(2)(c)); or
- by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against, and prevention of, threats to public security.
Article 23(1) of the GDPR further indicates that the various obligations and rights set out in Articles 12 to 22 (covering individual rights of data subjects) and Article 34 (relating to the communication of a data breach to impacted individuals) may in some cases be restricted by EU or member state law, where it is "necessary and proportionate...in a democratic society to safeguard":
- national security, defence or public security;
- the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties;
- other important objectives of public interest of the European Union or a member state (eg, financial interests, taxation matters, public health and social security); or
- the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions.
Derogations from the GDPR may also include the monitoring, inspection or regulatory function connected with the exercise of an official authority in relation to the exceptions set out above. There may also be restrictions on obligations in order to protect judicial independence and judicial proceedings, and to safeguard the enforcement of civil law claim. Such derogations and exceptions must take into account the protection of the data subject and the rights and freedoms of others.
The e-Privacy Directive does not apply to "activities falling outside the scope of the Treaty establish the European Community, such as those covered by Titles V and VI of the Treaty on European Union, and in any case to activities concerning public security, defence, State security (including the economic well-being of the State when the activities relate to State security matters) and the activities of the State in areas of criminal law" (Article 1(3)).
2.3 Does the data privacy regime have extra-territorial application?
Yes, Article 3 of the GDPR indicates that the regulation has extra-territorial application.
More specifically, Article 3 states that the GDPR applies to the processing of personal data:
- "in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not";
- "of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union"; or
- "by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law".
3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.
(a) Data processing
This is defined in Article 4(2) of the General Data Protection Regulation (GDPR) as: "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction."
(b) Data processor
This is defined in Article 4(8) of the GDPR as: "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."
(c) Data controller
This is defined in Article 4(7) of the GDPR as: "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law."
(d) Data subject
This is defined in Article 4(1) of the GDPR as the identified or identifiable person to whom the personal data relates.
(e) Personal data
This is defined in Article 4(1) of the GDPR as: "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
(f) Sensitive personal data
This is defined in Article 9(1) of the GDPR to include data that identifies a data subject's:
- racial or ethnic origin;
- political opinions;
- religious and philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data for the purpose of uniquely identifying a natural person;
- data concerning health; or
- sex life and sexual orientation.
'Genetic data' is defined in Article 4(13) of the GDPR as: "personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question."
'Biometric data' is defined in Article 4(14) of the GDPR as: "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data."
'Data concerning health' is defined in Article 4(15) of the GDPR as: "personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status."
3.2 What other key terms are relevant in the data privacy context in your jurisdiction?
The GDPR sets out the following key definitions:
- 'Restriction of processing' is defined in Article 4(3) of the GDPR as: "the marking of stored personal data with the aim of limiting their processing in the future."
- 'Profiling' is defined in Article 4(4) of the GDPR as: "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements."
- 'Pseudonymisation' is defined in Article 4(5) of the GDPR as: "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person."
- 'Filing system' is defined in Article 4(6) of the GDPR as: "any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
- 'Recipient' is defined in Article 4(9) of the GDPR as: "a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing."
- 'Third party' is defined in Article 4(10) of the GDPR as: "a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data."
- 'Consent' of the data subject is defined in Article 4(11) of the GDPR as: "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
- 'Personal data breach' is defined in Article 4(12) of the GDPR as: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."
- 'Main establishment' is defined in the GDPR as:
- "as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment" (Article 4(16)(a)); and
- "as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation" (Article 4(16)(b)).
- 'Representative' is defined in Article 4(17) of the GDPR as: "a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation."
- 'Enterprise' is defined in Article 4(18) the GDPR as: "a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity."
- 'Group of undertakings' is defined in Article 4(19) of the GDPR as: "a controlling undertaking and its controlled undertakings."
- 'Binding corporate rules' are defined in Article 4(20) of the GDPR as: "personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity."
- 'Supervisory authority' is defined in Article 4(21) of the GDPR as: "an independent public authority which is established by a Member State pursuant to Article 51."
- "Supervisory authority concerned' is defined in Article 4(22) of the GDPR as: "a supervisory authority which is concerned by the processing of personal data because: (a) the controller or processor is established on the territory of the Member State of that supervisory authority; (b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or (c) a complaint has been lodged with that supervisory authority."
- 'Cross-border processing' is defined in Article 4(23) of the GDPR as either:
- "(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State"; or
- "(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State".
- 'Relevant and reasoned objection' is defined in Article 4(24) of the GDPR as: "an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union."
- 'Information society service' is defined in Article 4(25) of the GDPR as: "a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council."
- 'International organisation' is defined in Article 4(25) of the GDPR as: "an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries."
4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?
The GDPR does not impose mandatory registration of data controllers and processors across the European Union. This may, however, vary between European countries, which may impose certain restrictions depending on the types of data handled and the sector area.
As noted in question 8, the contact details of the data protection officer must be published by the relevant controller or processor and be communicated to the supervisory authority (as per Article 37(7) of the General Data Protection Regulation (GDPR)).
4.2 What is the process for registration?
Not applicable – as noted in question 4.1, this may vary between countries across Europe.
4.3 Is registered information publicly accessible?
Not applicable – as noted in question 4.1, this may vary between countries across Europe.
4.4 What are the effects of registration?
Not applicable – as noted in question 4.1, this may vary between countries across Europe.
4.5 Is registered information publicly accessible?
Not applicable – as noted in question 4.1, this may vary between countries across Europe.
5 Data processing
5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?
Pursuant to Article 6 of the General Data Protection Regulation (GDPR), processing shall be lawful only if and to the extent that at least one of the following legal bases applies:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- The processing is necessary for compliance with a legal obligation to which the controller is subject;
- The processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data – in particular, where the data subject is a child.
There are further qualifications on legal bases for the processing of sensitive data (as defined by Article 9 of the GDPR, set out at question 3.1(f) above). The general prohibition of processing sensitive personal data does not apply where:
- the data subject consents to such processing (Article 9(2)(a) of the GDPR);
- the processing is necessary:
- for "the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law" (Article 9(2)(c) of the GDPR);
- "to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent" (Article 9(2)(c) of the GDPR);
- for "legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subject" (Article 9(2)(d) of the GDPR);
- "for the establishment, exercise or defence of legal claims" (Article 9(2)(f) of the GDPR);
- for "reasons of substantial public interest" (Article 9(2)(g) of the GDPR);
- "for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services" (Article 9(2)(h) of the GDPR);
- "for reasons of public interest in the area of public health" (Article 9(2)(i) of the GDPR); or
- "for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes" (Article 9(2)(j) of the GDPR); or
- the relevant sensitive personal data has been made public by the data subject (Article 9(2)(e) of the GDPR).
Article 8 of the GDPR further indicates that where processing is based on consent in relation to the personal data of a child, such consent shall be lawful if the child is at least 16 years old. Consent for processing of personal data in relation to any child below the age of 16 is lawful "if and to the extent that consent is given or authorised by the holder of parental responsibility over the child". The GDPR allows member states to lower this age, but member states may not go below the age of 13. In addition, data controllers are obliged, taking into account available technology, to make reasonable efforts to verify consent received.
Article 10 of the GDPR governs processing personal data in relation to criminal convictions and offences based on an Article 6 lawful basis (as described above). Such processing must be carried out under the control of relevant official authorities or be authorised under relevant EU or member state law, with appropriate provision of safeguards for rights and freedoms of data subjects.
5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?
Article 5 of the GDPR sets out key principles in relation to the processing of personal data. These principles should drive an organisation's approach to compliance with data protection law:
- 'Lawfulness, fairness and transparency' principle: Please see the lawful bases for processing set out in question 5.1.
- 'Purpose limitation' principle: Organisations should limit the collection of personal data to "specified, explicit and legitimate purposes".
- 'Data minimisation' principle: Organisations should keep personal data "adequate, relevant and limited to what is necessary" in relation to the purposes for which the data is processed.
- 'Accuracy' principle: Personal data should be accurate and, where necessary, kept up to date. Organisations must take every reasonable step to ensure inaccurate data is erased or corrected.
- 'Storage limitation' principle: Organisations should ensure that personal data is "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes" of processing.
- 'Privacy by design' principle: Organisations need to secure personal data with approach technical and organisational measures against accidental loss, destruction or damage, and against unauthorised and unlawful processing.
Article 24 of the GDPR indicates that controllers should take into account the "nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons" when implementing appropriate technical and organisational security measures.
Article 32 of the GDPR provides more guidance on security obligations and indicates that organisations should also take into account the state of the art and the cost of implementation when implementing measures that are commensurate with the level of risk. Such measures can include:
- pseudonymising and encrypting personal data;
- ensuring the confidentiality, integrity, availability and resilience of processing systems and services;
- having mechanisms to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- having a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Organisations should carry out risk assessments to determine the appropriate security measures depending on the level of risk. Organisations may also perform data protection impact assessments to help demonstrate compliance.
Beyond the principles set out above, accountability is also a fundamental and guiding principle of the GDPR. The principle of accountability puts the onus on organisations to put in place appropriate technical and organisational measures to comply with the GDPR, and be able to demonstrate the steps taken to comply and how effective these measures have been.
5.3 Is the processing of personal data subject to a notification requirement?
When collecting personal data, controllers must provide the data subject with the following information:
- the identity and contact details of the controller (or representative);
- the data protection officer (DPO) contact details (if applicable);
- the legitimate interests pursued by the controller where processing is based on such a legitimate interest (in accordance with Article 6(1)(f) of the GDPR);
- the recipients or categories of recipients of personal data;
- information about the purposes and details of international transfers of personal data;
- the data storage period or the criteria used to determine the period of time of storage;
- where processing is based on consent, the right to withdraw consent at any time (such withdrawal will not affect the lawfulness of processing based on consent prior to this withdrawal);
- the right to lodge a complaint with a supervisory authority;
- the existence of the data subject's right to request access to his or her personal data, to rectify or erase such person's personal data, and the right to restrict processing, object to processing and the right to data portability;
- whether the provision of personal data is a statutory or contractual requirement, or whether entering into a contract is necessary, as well as whether a data subject is obligated to provide personal data (and the consequences of not providing the data); and
- the existence of automated decision making.
When personal data is collected from a third party and not from the data subject directly, notice must also be provided. This notice must include the same information listed above as if the data were obtained directly from the data subject, but the following additional information must also be provided:
- the categories of personal data collected by the controller; and
- the source of the personal data (including whether the personal data came from public sources).
The controller in this instance would not, however, need to notify the data subject about the legal or contractual requirements for providing personal data (and the consequences for not providing such personal data).
The required information should be provided to the data subject within a reasonable time after obtaining the data (one month at the latest); or if the controller intends to use the personal data to communicate with the data subject, then the information should be provided at the latest at the time of the first communication. If there are any intended disclosures to another recipient, this information should be provided at the time of the first disclosure at the latest.
Article 14(4) also notes that: "where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose."
There are limited exceptions to these notice requirements, such as where:
- the data subject already has the required information; or
- provision of the information requires a disproportionate effort.
Such personal data may also be required by EU or member state law to remain confidential.
5.4 Can the processing of personal data be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?
The outsourcing or processing of personal data outside the European Union is possible, but subject to restrictions under the GDPR.
If a controller outsources processing to a processor, it should use a processor that sufficiently guarantees appropriate technical and organisational measures which will comply with the requirements of the GDPR and protect the rights of data subjects.
If a processor wishes to sub-process, it may not do so without the prior specific or general authorisation of the controller. A processing by a processor on behalf of a controller should be governed by a binding legal contract.
Transfers out of the jurisdiction are also subject to specific rules under the GDPR. For more information on requirements, restrictions and best practice for transfers of personal data outside of the European Union, please see question 6. Please also note the comments in question 2 regarding the extra-territorial effect of the GDPR.
5.5 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?
Entities should ensure that they have robust policies, processes and measures in place to meet, and be able to demonstrate that they meet, the requirements set out in the GDPR. Organisations should think about who is responsible within the organisation for driving compliance when it comes to processing personal data.
Data protection impact assessments (DPIAs) are a useful tool in helping organisations to identify and minimise the data protection risks within the organisation or in relation to a specific project. DPIAs are also mandatory in instances where there is a high risk to individuals, including where there is a high volume of processing or where sensitive personal data is being processed.
6 Data transfers
6.1 What requirements and restrictions apply to the transfer of data to third parties?
Transfers to third parties within the EU are subject to certain safeguards. Article 28 of the General Data Protection Regulation (GDPR) requires a controller to select a processor that provides sufficient guarantees in relation to the implementation of security measures and the controller-processor contract. Such a contract must set out the subject matter, duration, nature and purpose of the processing, as well as the types of personal data and the categories of data subjects. The contract must also set out the obligations and rights of the controller, and the processor must act only on documented instructions from the controller. The contract must also have a provision obliging the processor to take security measures as described in Article 32 of the GDPR (set out at question 5.1).
6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?
Pursuant to Article 44 of the GDPR, personal data may be transferred outside the European Economic Area (EEA) only if the controller and processor comply with the conditions set out in Chapter V of the GDPR.
A transfer outside the EEA can take place if:
- the European Commission has declared a territory as adequate for the purpose of transferring data; or
- the controller or processor has:
- provided appropriate safeguards as per Article 46(2) of the GDPR; and
- implemented effective legal remedies and enforceable data subject rights available for data subjects.
The appropriate safeguards set out in Article 46(2) include:
- a legally binding agreement between public authorities or bodies;
- binding corporate rules (as defined in question 3.2 and set out in Article 47 of the GDPR);
- standard data protection clauses adopted by a supervisory authority;
- standard data protection clauses adopted by the European Commission;
- compliance with an approved code of conduct (pursuant to Article 40, as approved by a supervisory authority);
- an approved certification mechanism (in accordance with Article 42 of the GDPR); and
- contractual provisions authorised by the relevant and competent supervisory authority.
Article 46(3) of the GDPR also notes that the following appropriate safeguards, subject to the authorisation from the competent supervisory authority, are available:
- contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; and
- provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
Countries currently recognised as 'adequate' include Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. Standard contractual clauses (SCCs) were issued by the European Commission to enable international data transfers where there is no adequacy decision in place. The SCCs are available here.
The United States was until recently recognised as providing an 'adequate level of protection' through the EU-US Privacy Shield Framework, which allowed entities to certify that they complied with various obligations associated with the protection and processing of personal data. However, the recent case of Data Protection Commissioner v. Facebook Ireland Limited (Case C-311/1) – also commonly known as the 'Schrems II' decision – invalidated the Privacy Shield mechanism for transfers of personal data from the European Union to the United States.
The judgment in Schrems II also called into question the use of SCCs. The SCCs were not declared as automatically invalid; however, their use must now be assessed on a case-by-case basis in particular taking into account the "relevant aspects of the legal system of the [relevant recipient] country". Accordingly, an organisation based in the EEA sending data outside of the EEA pursuant to the SCCs must perform an assessment as to the validity of such transfer with regard to the protection of personal data, and potentially put into place "supplementary measures" if there are issues with that jurisdiction.
6.3 Is the transfer of personal data abroad subject to a notification requirement?
As set out in question 5.3, a data subject must be notified about details of personal data transfers outside of the EEA or where there is an intention to transfer outside the EEA.
6.4 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?
In light of the Schrems II decision, organisations that are transferring data outside of the European Union should assess their data transfers to understand the safeguards in place in respect of the entity they are transferring the data to if they are outside the EEA. Carrying out a data mapping exercise and data protection impact assessments can assist organisations in understanding their data flows and their obligations when it comes to international transfers.
Organisations should ensure that when they contract with third parties or parties in other countries, the provisions of such a contract are robust enough to comply with the GDPR and are capable of suspension in the event that such a third party cannot guarantee compliance with the GDPR or adequate protection of personal data.
Multinational organisations should consider applying for approval of binding corporate rules to enable transfers outside of the EEA involving their entities in other countries.
7 Rights of data subjects
7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?
The rights of data subjects are set out in Section III of the General Data Protection Regulation (GDPR).
Data subjects have a broad range of rights in relation to the processing of their personal data, including the following.
Right to information: Article 12 of the GDPR requires data controllers to take measures to "provide information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form".
See question 5.3 for information required when notifying data subjects where their personal data is being processed.
Right to access personal data: Article 15 sets out the right for data subjects to obtain confirmation from the controller as to whether personal data concerning them is being processed and, if so, then also to provide access to the personal data. The data subject may also obtain information similar to that set out at question 5.3 in relation to notification of processing requirements.
Copies of such personal data must be provided to the data subject free of charge.
Article 12(5) of the GDPR provides that a controller may refuse a request or charge a reasonable fee where requests are unfounded or excessive.
Right of rectification: Data subjects can request that controllers rectify inaccurate personal data concerning them pursuant to Article 16 of the GDPR. Article 5(1)(d) of the GDPR emphasises the need for personal data to be accurate, kept up to date and, when inaccurate, either erased or corrected without delay.
Right of erasure: The right to erasure is also known as the right to be forgotten and is set out in Article 17 of the GDPR. Controllers are obliged, when requested by the data subject, to erase personal information where:
- the personal data is no longer necessary in relation to the purposes for which it was collected;
- the data subject withdraws consent to the processing (and there is no other legal ground for the processing);
- the data subject objects to the processing in accordance with Article 21(1) of the GDPR and there are overriding legitimate grounds for the processing, or the objection is pursuant to Article 21(2);
- the personal data has been unlawfully processed;
- there is a legal obligation in EU or member state law (to which the controller is subject) requiring the erasure of information; or
- the personal data has been collected in relation to the offer of information society services referred to in Article 8(1).
The exceptions to the right to erasure include where processing is necessary:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation;
- for reasons of public interest in the area of public health;
- for the purposes of archiving in the public interest, scientific, historical or statistical research purposes; or
- for the establishment, exercise or defence of a legal claim.
Right to restrict data processing: Article 18 of the GDPR sets out the right to obtain a restriction in the processing of personal data where:
- the accuracy of the personal data is contested by the data subject;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests restriction instead;
- the controller no longer needs the personal data for processing, but it is required by the data subject in relation to the establishment, exercise or defence of legal claims; or
- the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject
Controllers must inform data subjects who have obtained a restriction in relation to the processing before these restrictions can be lifted.
Right to object to data processing: Data subjects have the right to object to the processing of their data pursuant to Article 21 of the GDPR.
A controller must stop processing data for direct marketing purposes when a data subject objects to such processing. A data subject can also object to processing carried out on the grounds of scientific, historical research or statistical purposes, unless the processing is necessary for the performance of tasks carried out in the public interest.
Whenever there is an objection to the processing, controllers must cease such processing, unless the controller demonstrates a compelling legitimate ground which overrides the interests of the data subject, or where the processing is required to establish, exercise or defend legal claims.
Right to data portability: The right to data portability allows a data subject to receive his or her personal data in a structured, commonly used and machine-readable format, and to transmit that data to another controller. This right is available where the processing is based on consent or a contract, or where the processing is carried out by automated means.
Right not to be subject to automated decision making: Article 22 of the GDPR provides data subjects with the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This right will not apply where the automated decision is necessary for contractual reasons (ie, where there is a contract between the data subject and the controller), is based on explicit consent or is authorised by EU or member state law.
Right to be notified of a data security breach: Article 34 of the GDPR obliges controllers to communicate personal data breaches to data subjects without any undue delay where the breach is likely to result in a high risk to the rights and freedoms of natural persons.
7.2 How can data subjects seek to exercise their rights in your jurisdiction?
As indicated in question 7.1 in relation to the specific rights, data subjects can make requests to exercise these rights directly to the controller processing their personal data.
The data subject also has the right to lodge a complaint in relation to the exercise of such rights with the relevant supervisory authority.
7.3 What remedies are available to data subjects in case of breach of their rights?
Article 78 provides data subjects with a right to a legal remedy against a supervisory authority; and Article 79 provides the right to a legal remedy against a controller or processor.
Data subjects can also claim compensation for material or non-material damage for GDPR infringements under Article 82 of the GDPR. Controllers are liable in this instance for damaged caused by processing if they are involved in the processing; whereas processor liability is limited to cases in which they have not applied with GDPR obligations and have acted outside or contrary to the controller's lawful instructions.
8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?
The appointment of a data protection officer (DPO) is mandatory in certain scenarios, as set out in Article 37 of the General Data Protection Regulation (GDPR), in which:
- "the processing is carried out by a public authority or body, except for courts acting in their judicial capacity";
- "the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale"; or
- "the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10".
Failure to appoint a DPO where it is mandatory to do so will result in a breach of the GDPR and is subject to a potential fine of the higher of up to €10 million or 2% of the previous year's total worldwide turnover, whichever is higher (Article 83(4)). If a supervisory authority formally requests an organisation to appoint a DPO and the organisation fails to do so, the potential fine can rise to €20 million or 4% of the previous year's total worldwide turnover, whichever is higher (Article 83(6)).
The contact details of the DPO must also be published by the controller or processor, and be communicated to the supervisory authority (Article 37(7)).
In addition to the requirements laid out by the GDPR, EU member states have the possibility to require a broader range of companies to designate DPOs. For example, in Germany, a DPO is required if, as a rule, a controller continuously employs at least 20 persons dealing with the automated processing of personal data.
8.2 What qualifications or other criteria must the data protection officer meet?
The GDPR states that the DPO "shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39" (Article 37(5)).
8.3 What are the key responsibilities of the data protection officer?
A DPO should be involved, properly and in a timely manner, in all issues relating to protecting personal data (GDPR Article 38(1)). The minimum tasks of the DPO are set out in Article 39 of the GDPR and include
- informing and advising the controller or the processor and the employees who carry out processing of their obligations under the GDPR and to other EU or member state data protection provisions (Article 39(a));
- monitoring compliance with the GDPR, with other EU or member state data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations and the related audits (Article 39(b));
- providing advice where requested as regards data protection impact assessments and monitoring their performance pursuant to Article 35 (Article 39(c));
- cooperating with the supervisory authority (Article 39(d)); and
- acting as the point of contact for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and consulting, where appropriate, with regard to any other matter (Article 39(e)).
More generally, the DPO must have regard to risk associated with processing operations, taking into account the nature, scope, context and purposes of the processing.
The DPO can undertake other tasks and duties, but the controller or processor must ensure that such other activities do not create a conflict of interest (Article 38(6)).
8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?
Article 37(6) of the GDPR states that a DPO "may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract".
If the DPO is outsourced, organisations should keep in mind that such a DPO must still be professionally qualified with expert knowledge of data protection law (Article 37(5) of the GDPR).
Organisations must also ensure that the DPO has access to be able to report to the highest level of management (Article 38(3) of the GDPR) and be involved in all data protection matters (Article 38(1) of the GDPR); and any external DPO should also be bound by appropriate secrecy and confidentiality measures (Article 38(5) of the GDPR).
8.5 What record-keeping and documentation requirements apply in the data privacy context?
Article 30 of the GDPR sets out key record-keeping and documentation requirements that apply in the data privacy context.
Controllers must maintain a record of processing activities under their responsibility, including:
- the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the DPO;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to which the personal data has been or will be disclosed, including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, where applicable, the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data; and
- where possible, a general description of the technical and organisational security measures in place
Processors (or processors' representatives) must maintain a record of all categories of processing activities carried out on behalf of a controller, including:
- the name and contact details of the processor(s) and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the DPO;
- the categories of processing carried out on behalf of each controller;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, where applicable, the documentation of suitable safeguards; and
- where possible, a general description of the technical and organisational security measures
8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?
Organisations must conduct data protection impact assessments (DPIAs) in certain circumstances prescribed by the GDPR.
DPIAs should be carried out by controllers where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. Article 35(3) of the GDPR indicates that DPIAs are mandatory where there is:
- "systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person";
- "processing on a large scale of special categories of data" or "of personal data relating to criminal convictions and offences"; or
- "a systematic monitoring of a publicly accessible area on a large scale".
Article 35(7) of the GDPR states that DPIAs should contain:
- a description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects; and
- measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects
In terms of best practice, organisations should adopt a prudent approach to data privacy compliance. Non-compliance can result in large fines and generate substantial bad publicity, but compliance should also involve a risk-based approach.
Record keeping, relevant policies and employee training are key to keeping up with compliance with the GDPR, and organisations should ensure they are appropriately equipped in terms of technical and organisational security measures to process personal data.
9 Data security and data breaches
9.1 What obligations apply to data controllers and processors to preserve the security of personal data?
As noted in question 5.2, a key principle of the General Data Protection Regulation (GDPR) is that of "Integrity and Confidentiality". This principle means that organisations must secure personal data with appropriate technical and organisational measures against accidental loss, destruction or damage, and against unauthorised and unlawful processing.
Article 32 of the GDPR provides guidance on security obligations and indicates that organisations should also take into account the state of the art and the cost of implementation when implementing measures that are commensurate with the level of risk.
Such measures can include:
- pseudonymising and encrypting personal data;
- ensuring the confidentiality, integrity, availability and resilience of processing systems and services;
- having mechanisms to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- having a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
These security obligations apply to both controllers and processors. Further, Article 28 of the GDPR requires a controller to select a processor that provides sufficient guarantees in relation to the implementation of security measures; and the controller-processor contract must have a provision obliging the processor to take the steps in Article 32 of the GDPR as set out above.
9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
Article 33(1) indicates that controllers are obliged, in the event of a personal data breach, to notify the relevant supervisory authority without undue delay and no later than 72 hours after becoming aware of the breach. Article 33(1) also notes that if a notification is made after 72 hours, the controller should provide reasons for the delay. Processors should notify controllers of security breaches without undue delay as per Article 33(2) of the GDPR (but no time limit is specified here).
In accordance with Article 33(1) of the GDPR, a controller may not be under an obligation to report a breach of personal data where such a breach is "unlikely to result in a risk to the rights and freedoms of natural persons". Where notification to the supervisory authority is required, Article 33(3) provides that a notification of a security breach should, at a minimum, include:
- a description of the nature of the breach (including the categories and approximate number of data subjects and personal data records concerned);
- the data protection officer's (DPO) name and contact details or other contact point for further information;
- a description of likely consequences flowing from the breach; and
- a description of the measures taken or proposed by the controller to address the breach (including any mitigation measures).
Controllers should document any personal data breaches, recording the facts relating to the breach, its effects and the action taken in response.
9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?
Where a breach represents a high risk to the rights and freedoms of natural persons, the controller is obliged to communicate the breach to the data subject without undue delay (Article 34(1)). Any communication of this kind should:
- describe the nature of the breach in clear and plain language;
- provide the DPO's name and contact details or other contact point for further information;
- describe the likely consequences flowing from the breach; and
- describe the measures taken or proposed by the controller to address the breach (including any mitigation measures).
This communication requirement is not required where:
- the controller has implemented appropriate technical and organisational protection measures which were applied to the personal data affected by the breach (in particular, measures that would render the person data unintelligible to any person that is not authorised to access it, such as encryption);
- the controller has taken subsequent steps to ensure that a high risk to data subjects' rights and freedoms is no longer likely to materialise; or
- it would involve disproportionate effort – in which case a public communication should be used to inform data subjects instead.
The supervisory authority may require the controller to notify data subjects of breaches where it has not already done so.
9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?
- Act quickly! Notifications which are obliged under the GDPR should take place without undue delay.
- Find out as much information as possible about the data breach, its causes and its effects in relation to individual data subjects.
- Consider mitigation steps to prevent any or further damage to the rights and freedoms of data subjects.
- Consider its notification obligations as set out in questions 9.2 and 9.3 and notify the supervisory authority and data subjects effected where appropriate.
- Ensure that everything is documented, from discovery of the breach and any steps taken in response to resolution of the incident.
In instances of data breaches, organisations should also consider taking professional advice.
Aside from the occurrence of data breaches, organisations should be mindful of their security obligations and take appropriate preventative measures to protect the integrity and security of the personal data it processes. Such measures could include:
- conducting a DPIA to assess the technical and organisational security measures in place in relation to the processing of personal data;
- implementing a data breach policy which can be deployed in the event of a security breach and ensuring that employees are familiar with best practice;
- ensuring that there is appropriate physical security in place to protect the unauthorised access to personal data; and
- ensuring there are appropriate measures in place to protect against data breaches and minimise their impact, such as pseudonymisation.
10 Employment issues
10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?
Article 88 of the General Data Protection Regulation (GDPR) allows member states to prescribe specific rules in law relating to the protection of rights and freedoms in relation to the processing of employees' personal data in the context of employment. Such rules, for example, may relate to:
- the recruitment of employees;
- the performance of contracts;
- equality and diversity in the workplace;
- health and safety;
- the termination of employees.
These domestic laws must be communicated to the European Commission.
Any domestic law in this context shall "include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place" (Article 88(2)).
The principles, protections and obligations set out in the GDPR applicable to the processing of personal data apply to the processing of employee personal data.
10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?
Surveillance of employees is not expressly prohibited under the GDPR, but employers must ensure that the processing of employee data when monitoring them complies with the principles under the GDPR. There may also be specific member state laws or guidance for supervisory authorities that employers should consider.
Specifically, employees should be mindful of the following:
- Purpose limitation: Be specific and explicit about why personal data is being processed, and ensure that there is a legal basis for doing so (in accordance with Article 6 of the GDPR).
- Data minimisation: Ensure that the personal data collected is necessary for a specific purpose. Employers should also consider whether it is proportionate to monitor employees for a certain length of time or for a certain frequency.
- Lawfulness: Employers should assess the legal grounds for this type of processing. In the employment context, relying on consent for processing can be difficult due to the inherent power imbalance between employers and employees. Regulators have already previously stated that legally valid explicit consent may be unlikely in an employment context, since employees are essentially not 'free' to give their consent in the first place. Necessity – specifically for the performance of the employer-employee contract – may be an appropriate legal ground to rely on when carrying out surveillance on employees (ie, the surveillance and processing of personal data associated with this is necessary to ensure that employees can perform their duties).
- Transparency: Employers should be mindful of the fine line between lawful and covert surveillance. Individuals should be informed in accordance with Articles 13 and 14 of the GDPR about the processing. Employers should ensure that their privacy policies reflect the type of processing, the recipients of the data and the grounds for retention, as well as the purposes and legal grounds for such processing. Changes to these privacy policies should be communicated to employees and employers should also consider any compliance requirements in respect of local law across different EU member states.
Employers must also be mindful of employees' data subject rights which they may still exercise:
- Employees still have a right to object "on grounds relating to [their] particular situation" if the processing involves an automated processing of their personal data (including profiling) on which decisions about them are being made; and
- Employees have the right to access their personal data and may submit a data subject access request, which can be a time-consuming exercise for employers that may process potentially large amounts of information in relation to specific employees.
Considering the potential risk to the rights and freedoms of data subjects, employers should conduct a data protection impact assessment (DPIA) when considering employee monitoring.
10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context
Employers should consider carrying out a data mapping exercise and a DPIA to understand how they process data in the context of their employees. They should always keep in mind the core principles of the GDPR, and ensure that the processing of employee personal data is carried out on a firm legal basis and that they remain transparent with their employees about what they are collecting and why.
Employers should consider what internal policies and training they can put in place to make their organisations more data protection compliant. They should also consider, where appropriate, the appointment of a data protection officer.
11.1 What requirements and restrictions apply to electronic direct marketing in your jurisdiction?
Under the General Data Protection Regulation (GDPR), personal data should be processed fairly and transparently, and data subjects have various rights to information about processing and should be notified accordingly. As such, under the GDPR, in relation to direct marketing, the following information should be provided:
- whether profiling takes place in the processing;
- the legitimate interests of the direct marketer; and
- retention periods (or the criteria for calculating the retention period) for the personal data.
The key legitimate interests that apply in the context of electronic direct marketing are the basis of consent or the legitimate interests of the controller or third party (Recital 47 of the GDPR confirms that processing for direct marketing may be regarded as a legitimate interest).
Where the lawful basis for processing in the case of direct marketing is consent, the data subjects should be notified of their right to withdraw their consent at any time. Controllers should maintain documentation of relevant consents to demonstrate their compliance with the GDPR in general and to specifically demonstrate that a data subject has consented to processing.
A data subject can also object to the processing of personal data in the context of personal data (please see question 7.1 for commentary on the right to object).
The e-Privacy Directive also provides the following restrictions:
- Consent is required from subscribers for the use of automated calling systems without human interventions, faxes or email for the purposes of direct marketing; and
- Where customer details are obtained in the context of a sale of a product or a service by a legal or natural person, that person may use the electronic contact details for direct marketing of its own similar products or services, provided that users are clearly given an opportunity to object, free of charge and in an easy manner, to the use of such data.
If direct marketing is not based on the above, member states must take appropriate measures through national legislation to ensure that unsolicited communications for the purposes of direct marketing are not allowed without consent (Article 13(3) of the e-Privacy Directive)
It is prohibited to send direct marketing which disguises or conceals the identity of the party on whose behalf the communication is made.
11.2 What requirements and restrictions apply to other types of marketing communications in your jurisdiction?
All types of marketing communication should comply with the principles of the GDPR (particularly with respect to lawful basis, consent and transparency) and the e-Privacy Directive.
11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the data privacy context?
The current e-Privacy Directive is due to be replaced with a new e-Privacy Regulation. A key change anticipated is a stricter approach to business-to-business marketing by putting it on the same footing as business-to-consumer marketing. These new laws will need to be kept under review by the marketing team, as this could change the way that marketing directed at individuals is carried out.
To the extent that an organisation's marketing function utilises tools such as cookies, compliance with further relevant law is necessary, as discussed in question 12.
12. Online issues
Article 5(3) of the e-Privacy Directive indicates that consent is required in relation to the tracking of data and that clear comprehensive information about tracking must be provided. This applies to any form of tracking, including cookies.
In accordance with the standard defined in Article 4(11) of the GDPR, consent must be "freely given, specific, informed and unambiguous". 'Unambiguous' means that there should be an opt-in to tracking, which is a clear and affirmative action providing consent. It must also be possible to withdraw consent at any time. There is an exemption to the consent requirement for strictly necessary services that are specifically requested by the user, but this is a very narrow exemption.
The GDPR is relevant to online tracking, as 'consent' under the e-Privacy Directive is defined by reference to the GDPR's standard definition of 'consent'. In addition, when tracking, personal data will be processed and as such, compliance with GDPR obligations should be taken into account. In that respect, organisations should provide accurate and specific information about the data tracked by cookies and the purpose of the tracking, in clear and plain language, before consent is obtained; and should also document records of consent received.
12.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?
Cloud computing service providers, like any other type of entity that processes personal data, must comply with the GDPR. Even where a cloud service provider is located outside of the European Union, the extra-territorial effect of the GDPR is likely to mean that organisations must comply with the GDPR.
The key aspects and obligations of the GDPR that cloud computing service providers should bear in mind are as follows.
As many cloud computing service providers are processors, working on behalf of controllers, they should bear in mind the obligations on processors set out in the GDPR:
- Processors must have certain contractual terms in place providing for certain standards in relation to the GDPR;
- Records of processing activities should be kept;
- Personal data must be kept secure;
- Where necessary, a data protection officer should be appointed; and
- Processors must cooperate with relevant regulators where required.
Organisations contracting with cloud computing service providers to process personal data should ensure that they comply with the requirements of Article 28 of the GDPR (set out at question 6.1). The cloud computing service provider must process personal data only on documented instructions from its customer. When contractually agreeing to provide services to controllers, cloud computing service providers should be mindful of any audit rights that are being negotiated, and ensure that any audit privileges granted do not create security or confidentiality issues in relation to other data stored. Both parties should also ensure that if data is being transferred outside the European Economic Area, such transfers are compliant with the GDPR in relation to international transfers.
Some EU Member States have enacted additional rules in relation to IT outsourcing in certain industry sectors.
12.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?
Organisations should consider local implementation of the e-Privacy Directive to understand their obligations in relation to different technologies used for marketing purposes.
13.1 In which forums are data privacy disputes typically heard in your jurisdiction?
The potential forums for data privacy disputes can vary according to the specific jurisdiction and the context of the dispute.
Under the General Data Protection Regulation (GDPR), individual data subjects have various rights (as set out in question 7), which include:
- the right to complain to a supervisory authority;
- the right to an effective remedy against a supervisory authority; and
- the right to an effective remedy against a controller or processor.
Disputes may be heard in a number of forums or indeed may be resolved informally between the data subject and the relevant entity. Supervisory authorities may be involved in handling complaints against specific controllers or processors; and national legislative proceedings for infringements of the GDPR are possible.
There may also be instances in which disputes arise between controllers and processors. In this instance, the contract between the two entities may specify the form of dispute resolution used to resolve the dispute (eg, mediation or arbitration); or either party could issue proceedings against the other in the relevant jurisdiction. Member state disputes can escalate to the Court of Justice of the European Union where there is a dispute over the interpretation of EU law.
In instances of certain disputes between supervisory authorities, the European Data Protection Board has the power to issue a binding decision to resolve the dispute in accordance with Article 65 of the GDPR.
13.2 What issues do such disputes typically involve? How are they typically resolved?
Issues involving data privacy can involve a multitude of issues, such as:
- breaches of the GDPR;
- breaches of contractual obligations between parties in relation to the processing of personal data; or
- breaches of the e-Privacy Directive.
Disputes can often be resolved informally or confidentially, and supervisory authorities are active in pursuing non-compliance with the GDPR with fines and other measures at their disposal.
13.3 Have there been any recent cases of note?
A key recent decision is the Schrems II case in relation to international transfers and the invalidity of the EU-US Privacy Shield Framework, which is further discussed in question 6.
14. Trends and predictions
14.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
As noted above in relation to data transfers, the recent Schrems II decision has had far-reaching consequences for international organisations. Businesses with international operations and cross-border data flows must be very cautious about how they manage the transfer of data internationally. There is an expectation that new versions of the standard contractual clauses (under which transfers of data take place) will soon be issued.
The issue of data transfers also raises the issue of the 'adequacy' of data protection laws – for example, in relation to the United Kingdom after it leaves the European Union (Brexit). At the time of writing, it remains uncertain as to whether the United Kingdom will be granted an 'adequacy' decision from the European Commission facilitating data transfers between the European Union and the United Kingdom.
The current e-Privacy Directive is also due to be replaced with a new e-Privacy Regulation. A key change anticipated is a stricter approach towards business-to-business marketing by putting it on the same footing as business-to-consumer marketing. New legislative updates in this space will need to be monitored by marketing departments, as these are likely to change the way marketing directed at individuals is carried out.
On a broader scale, the digital market is a key focus of EU legislation. The European Union has adopted a digital strategy aimed at harnessing digital developments in the single market and encouraging companies of different sizes and across various sectors to compete on equal terms. The European Union is committed to creating a fair and trustworthy environment for its citizens – the GDPR, the upcoming e-Privacy Regulation and the newly in force Platform-to-Business Regulation are examples of the European Union trying to tip the balance in favour of individual consumers and smaller businesses.
15. Tips and traps
15.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?
A robust data protection strategy is no longer optional in today's connected world; it has become mandatory. As a result, organisations should constantly review their data protection and retention policies to ensure that they are collecting only data that they need, and that they are adequately protecting the data that they hold. Clear policies and good monitoring are necessary to achieve this. Conducting data mapping and data audits early can help organisations to understand their data flows and their obligations. Finally, appointing a data protection officer, carrying out relevant data protection impact assessments and getting internal policies and training in place may help organisations to demonstrate compliance and deal with unexpected events.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.