Proposed EU Data Protection Regulation: Impact on Handling of Data - - PowerPoint PPT Presentation

proposed eu data protection regulation
SMART_READER_LITE
LIVE PREVIEW

Proposed EU Data Protection Regulation: Impact on Handling of Data - - PowerPoint PPT Presentation

Dec 29, 2022 406 likes •667 views

Proposed EU Data Protection Regulation: Impact on Handling of Data Breach, DPOs and Staff Surveillance by non-EEA Financial Services Firms Cross Border Group 28 February 2013 39 Offices in 19 Countries Agenda 1) Proposed EU Data Protection

slide-1
SLIDE 1

39 Offices in 19 Countries

Proposed EU Data Protection Regulation:

Impact on Handling of Data Breach, DPOs and Staff Surveillance by non-EEA Financial Services Firms

Cross Border Group 28 February 2013

slide-2
SLIDE 2

2

Agenda

1) Proposed EU Data Protection Regulation 2) Data Breaches 3) Data Protection Officers 4) Employee Surveillance

slide-3
SLIDE 3

3

Your speakers today

Caroline Egan Birmingham, UK Stephanie Faber Paris, France Andreas Fillmann Frankfurt, Germany Ann La France London, UK

slide-4
SLIDE 4

39 Offices in 19 Countries

1) Proposed EU Data Protection Regulation

slide-5
SLIDE 5

5

Proposed EU Data Protection Regulation

  • Direct applicability of Regulation across EU Member

States

  • NB: possible conflict with existing national laws (e.g. money

laundering, fraud)

  • Proposed Regulation provides three tiers of sanctions
  • Up to a maximum fine of € 1,000,000 or, in the case of an

"enterprise“, up to 2% of its annual worldwide turnover

  • Projected timetable
  • Significance of 10/14
  • 2 year phase-in
  • Accompanying Directive - implications
slide-6
SLIDE 6

39 Offices in 19 Countries

2) Data Breaches

slide-7
SLIDE 7

7

  • e-Privacy Directive (2002/58/EC, amended in 2009) Article 4(3):
  • Data breach notification limited to providers of “publicly available electronic

communications services”

  • Proposed data breach notification Regulation (to be made public March 2013)

– Applies to telecoms providers only, expected 24-hour notification obligation – Expected 24-hour notification obligation – Possibly a “trial run” for proposed Data Protection Regulation

  • Data Protection Directive (95/46/EC)
  • Currently no obligations to notify a data breach to enforcement authorities
  • France: no legal obligations to notify, other than under the e-Privacy Directive

(implemented in August 2011)

  • UK:
  • No obligations to notify under the Data Protection Act
  • No other legal obligations to notify, other than under the e-Privacy Directive

(implemented through amendment

  • f

the Privacy and Electronic Communications (EC Directive) Regulations 2003)

  • However, ICO has issued guidance

– "Serious" breach should be notified - failure to do so cited as factor in determining

whether penalties imposed and severity

EU, France & UK: Existing Rules

slide-8
SLIDE 8

8

Germany: Existing Rules

  • Federal Data Protection Act (BDSG) Section 42a
  • Data

controller must implement appropriate technical and

  • rganizational measures to prevent data breaches
  • Personal data breach notifications are required:
  • If one of the following data categories is concerned:

– sensitive data – personal data subject to professional or official secrecy – personal data referring to actual or suspected criminal or administrative

  • ffences; or

– personal data concerning bank or credit card accounts

  • Personal data have been transferred unlawfully
  • Personal data has been otherwise accessed by third parties
  • If unlawfully disclosed to third parties and threatens serious harm

to the rights or legitimate interests of data subjects, the data controller must notify the competent authority and the data subjects without delay

slide-9
SLIDE 9

9

Germany: Existing Rules cont’d

  • Individuals must be informed as soon as appropriate measures

to safeguard the data have been taken:

  • Description of unlawful disclosure
  • Recommendations to limit negative consequences
  • NB: Information provided must not endanger criminal proceedings
  • Where notifying data subjects would require a disproportionate

effort, public advertisements will suffice (e.g. in two newspapers)

  • Notification to the DPA must include:
  • Description of type of unlawful disclosure
  • Recommendations for measures to limit possible consequences
  • Information about the measures undertaken
  • Failure to notify the authorities and/or the data subjects in the

case of data loss is an administrative offence in Germany

slide-10
SLIDE 10

10

Proposed EU Data Protection Regulation

  • Personal data breach means a:
  • breach of security, leading to
  • accidental or unlawful
  • destruction, loss, alteration, or
  • un-authorised disclosure of, or access to,
  • personal data transmitted, stored or otherwise processed;
  • All data controllers, with full support of their processors, will be

required to notify EU data protection authorities within 24 hours of a personal data breach (Article 31)

  • Controllers may also have to notify individuals if the breach is

likely to have adversely affected them

  • unless

the controller is able to demonstrate to the data protection authority that it has implemented appropriate security

slide-11
SLIDE 11

11

Proposed EU Data Protection Regulation cont’d

  • The controller shall document any personal data breaches,

comprising the facts surrounding the breach, its effects and the remedial action taken

  • Regulation sets out information that has to be provided as a

minimum

  • Obligation of processor: Article 26(2)(f): alert and inform the

controller immediately after the establishment of a personal data breach

  • Fine up to €1,000,000 or, in the case of an “enterprise”, up to 2

% of its annual worldwide turnover

slide-12
SLIDE 12

12

Take aways

  • High level of sanctions
  • Short time periods for notification
  • Therefore, need to:
  • have

data breach team appointed, trained and ready to act immediately using agreed process and communications plan

  • include requirement to notify breach, and assist in addressing

breaches, in agreements with processors (sub-contractors)

  • ensure all relevant staff understand breach notification requirement

and timetable

  • EU companies have to prepare themselves (as do companies
  • utside EEA doing business in EEA)
  • EU data controllers and processors will have to increase their

attention to the level of security applied to the processing (including storage) of personal data, regardless of where this

  • ccurs
  • E.g. ICO on encryption in transit and on portable devices
slide-13
SLIDE 13

39 Offices in 19 Countries

3) Data Protection Officers (“DPOs”)

slide-14
SLIDE 14

14

DPOs: Existing Rules

France and UK – Data Protection Officer not currently compulsory Germany – Data Protection Officer is compulsory

  • General duty to register a company with the data protection authority
  • Notification not necessary if company appointed own DPO, if:
  • more than 9 people are engaged with automated data processing
  • more than 20 people employed with non-automated processing
  • Engagement must be notified to the DPA
  • Only persons with knowledge and reliability should be appointed
  • DPO may only be dismissed for cause
  • Dismissal protection until one year after termination
  • Entitlement to participate in employer-sponsored training
  • DPO is autonomous and is responsible for:
  • Proper use of data processing programs
  • Familiarize management and employees with data protection rules and

regulations

  • Investigation the data controller practices
  • DPO shall handle day-to-day administration measures, privacy

complaints, checking international transfers etc.

slide-15
SLIDE 15

15

DPOs: Proposed EU Data Protection Regulation

Under Articles 35, 36 and 37:

  • Obligation to appoint a DPO for private companies, based on thresholds
  • DPO must have expert knowledge and no conflict of interest
  • Limitations on the grounds for dismissing the DPO
  • Can be an employee or a service provider
  • Contact details of DPO communicated to supervisory authority and public
  • Data subjects right to contact DPO on all issues related to the processing of

his/her data and to request exercising the rights under the Regulation

  • DPO not decision maker - data controller or processor responsible
  • Controller/processor ensure DPO involved in all data protection issues
  • DPO

must have adequate resources, benefit from a level

  • f

independence and report directly to management

  • DPO shall have the following tasks (among others)
  • Monitoring the documentation, notification and communication of personal data

breaches pursuant to Articles 31 and 32

  • Monitoring the response to requests from the supervisory authorit
  • Acting as the contact point for the supervisory authority
slide-16
SLIDE 16

39 Offices in 19 Countries

4) Employee Surveillance

slide-17
SLIDE 17

17

Employee Surveillance: Existing Rules

These rules remain unchanged under the proposed EU Data Protection Regulation

  • Legitimate purpose
  • Proportionality and data minimization
  • International transfers require implementing specific safeguards
  • Notifications with local DPA (if required, as in France)
  • Financial service regulation
  • Outsourcing in financial service industry
  • Relations with employee representatives
  • Governed by each local labor law and depends on whether or not data

can be used to sanction employees (consultation, special agreement etc.)

  • Privacy of correspondence issue: local law
slide-18
SLIDE 18

18

Employee consent

Existing rule in many EU jurisdictions:

  • Not possible to legitimize processing by obtaining employee

consent

  • Previously decided by WP 29 and certain EU Member States (such as

France) that employee consent cannot be considered as “freely” given

Under proposed EU Data Protection Regulation:

  • Recitals 33 and 34 and Article 7(4), consent cannot be used:
  • “where the individual has no genuine and free choice and is

subsequently not able to refuse

  • r

withdraw consent without detriment”

  • “where there is a clear imbalance between the data subject and the
  • controller. This is especially the case where the data subject is in a

situation of dependence from the controller, among others, where personal data are processed by the employer of employees' personal data in the employment context.”

slide-19
SLIDE 19

19

Information to be provided to the employee

(Amendments put forward under Article 14 of the proposed EU Data Protection Regulation are in bold)

a) Contact details of the controller and the DPO b) The purposes c) Retention period d) Employee’s rights as data subject (access, rectification or erasure and right to object) e) The right to lodge a complaint to the supervisory authority and the contact details f) The recipients or categories of recipients of the personal data g) International transfers and safeguards h) Any further information (having regard to the specific circumstances) i) Whether the provision of personal data is obligatory or voluntary, as well as the possible consequences of failure to provide such data And from which source the personal data originate Fine of up to €500,000 or, in case of an enterprise up to 1% of its annual worldwide turnover

slide-20
SLIDE 20

20

Profiling

Most employee monitoring software is based on a form of profiling (Amendments put forward under Article 20 of the proposed EU Data Protection Regulation are in bold)

  • A person (here, an employee) has the right not to be subject to a

measure which produces legal effects or significantly affects it, and which is based solely on automated processing

  • This includes processing intended to analyze or predict performance at work,

reliability or behavior

  • Information to be provided to the employee (as the data subject)

shall include the existence of profiling and the envisaged effects on the employee

  • Administrative sanction
  • Fine of up to €1,000,000 or, in case of an “enterprise” up to 2% of annual

worldwide turnover

slide-21
SLIDE 21

21

Proposed EU Data Protection Regulation

Certain provisions of the proposed Regulation to note in relation to employee surveillance:

  • Ethics, justice and liability
  • Accountability under Article 22

– Ensuring compliance and being able to demonstrate compliance

  • Technology
  • Impact assessments under Article 33

– Where processing involves profiling or presents certain risks (by virtue of its

nature, scope or purpose)

  • Privacy by design and privacy by default under Article 20
  • Administrative sanction for the above
  • Fine of up to €1,000,000 or, in case of an “enterprise” up to 2% of

annual worldwide turnover

slide-22
SLIDE 22

39 Offices in 19 Countries

QUESTIONS

slide-23
SLIDE 23

39 Offices in 19 Countries

For questions regarding CLE, CPD or CPE credit, please contact:

Robin Hallagan robin.hallagan@squiresanders.com

slide-24
SLIDE 24

24

Contact Us

Caroline Egan caroline.egan@squiresanders.com T: +44 (0)121 222 3386 Stephanie Faber stephanie.faber@squiresanders.com T: + 33 1 5383 7400 Andreas Fillmann andreas.fillmann@squiresanders.com T: +49 69 1739 2423 Ann La France ann.lafrance@squiresanders.com T: +44 (0)20 7655 1752

slide-25
SLIDE 25

25

Worldwide Locations

  • Cincinnati
  • Cleveland
  • Columbus
  • Houston
  • Los Angeles
  • Miami
  • New York
  • Northern Virginia
  • Palo Alto
  • Phoenix
  • San Francisco
  • Tampa
  • Washington DC
  • West Palm Beach
  • Bogotá+
  • Buenos Aires+
  • Caracas+
  • La Paz+
  • Lima+
  • Panamá+
  • Santiago+
  • Santo Domingo
  • Beirut+
  • Berlin
  • Birmingham
  • Bratislava
  • Brussels
  • Bucharest+
  • Budapest
  • Frankfurt
  • Kyiv
  • Leeds
  • London
  • Madrid
  • Manchester
  • Moscow
  • Paris
  • Prague
  • Riyadh+
  • Warsaw
  • Beijing
  • Hong Kong
  • Perth
  • Seoul
  • Shanghai
  • Singapore
  • Sydney
  • Tokyo

North America Latin America Europe & Middle East Asia Pacific

+ Independent Network Firm