DATA PROTECTION NEWS
In October 2017, the Article 29 Working Party (Art. 29 WP), an EU advisory body on data protection and privacy, adopted a number of guidelines to clarify the requirements of the EU General Data Protection Regulation (GDPR), which will apply from May 2018:
Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk”
A DPIA is a process designed to describe the processing of personal data, assess its necessity and proportionality, and help manage the risks to the rights and freedoms of natural persons resulting from the processing, by assessing those risks and determining the measures to address them.
Data controllers are required to carry out a DPIA of envisaged processing operations when they are “likely to result in a high risk” to the rights and freedoms of natural persons. The risk should be determined by reference to the nature, scope, context and purposes of the processing. The GDPR gives four examples of when a DPIA is required, i.e. in the case of:
- A systematic and extensive evaluation of personal aspects which is based on automated processing, including profiling on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect them;
- A systematic monitoring of a publicly accessible area on a large scale;
- Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.
The guidelines seek to clarify the provisions of the GDPR on DPIA and cover the following questions:
- Which processing operations are subject to a DPIA?
- When is a DPIA mandatory and when isn’t it required?
- When is a DPIA required for already existing processing activities?
- How to carry out a DPIA?
- When shall the supervisory authority be consulted?
Draft Guidelines on Automated Decision-Making and Profiling
The GDPR introduces new requirements on automated individual decision-making and profiling. The draft guidelines clarify the provisions of the GDPR and cover:
- Definitions of profiling and automated decision-making;
- Specific provisions on automated decision-making, including profiling, which produces legal effects or similarly significantly affects the data subject (the right not to be subject to such a decision and the exceptions to this right; the duty of the data controller to implement suitable measures to safeguard the data subject’s rights, including the right to obtain human intervention and to contest the decision);
- General provisions on profiling and automated decision-making (the relevant principles for profiling and automated decision-making; lawful bases for processing and rights of the data subjects);
- The additional obligations for processing children’s personal data;
- The duty of the processor to assess the risks involved in automated decision-making, including profiling, and to carry out the DPIA.
Draft Guidelines on Personal Data Breach Notification
The GDPR obliges every processor and controller to implement appropriate technical and organisational measures to ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
The guidelines clarify the definition of a personal data breach, the types of breaches and their possible consequences. Further, the guidelines examine the new notification requirements of processors:
- to notify the personal data breach to the supervisory authority (without undue delay and, where feasible, not later than 72 hours);
- to communicate the personal data breach to the individuals whose personal data have been affected when the breach is likely to result in a high risk to the rights and freedoms of natural persons (without undue delay).
The guidelines emphasize the controller’s duty to keep documentation of all data breaches, the role of the data protection officer in the case of a data breach, as well as notification obligations under other EU legislation.
Guidelines on the Application and Setting of Administrative Fines
The GDPR significantly increases the accountability of data processors and controllers. Administrative fines are a central element of the new regime. Under the GDPR, the supervisory authorities are entitled to impose administrative fines on companies of up to 20 million or up to 4 % of the total worldwide annual turnover, whichever is higher. The guidelines are mainly intended for use by the supervisory authorities and clarify the assessment criteria that have to be taken into account when calculating administrative fines.
In addition to the above-mentioned guidelines, the Article 29 Working Party has clarified a number of other data protection issues (e.g. the right to data portability, data protection officers) and continues to work on further GDPR issues (e.g. consent, transparency, and the update of data transfer tools). See the Art. 29 WP guidelines here.
If you would like any further information or assistance to ensure GDPR compliance, please contact the Data Protection Officer.