Insurance in FOS (Freedom of Service) – Joint liability with intermediaries for violation of GDPR
26 November 2019
- Distribution agreements
- Insurance
- Privacy and data protection
Are insurers liable for breach of the GDPR on account of their appointed intermediaries?
Insurers operating outside their traditional borders through a local intermediary should choose their intermediaries carefully when distributing insurance products, and use every means at their disposal to control them properly. Distribution through an intermediary can be a fast way to distribute insurance products and enter a territory with minimal investment. However, it requires strict control of the intermediary’s activities.
The reason is that insurers in FOS can be held jointly liable with the intermediary if the latter violates personal data regulation and the obligations set by the GDPR (Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
In a decision dated 18 July 2019, the CNIL (Commission Nationale Informatique et Libertés), the French authority in charge of personal data protection, ruled against ACTIVE ASSURANCE, a French intermediary, for several breaches of the GDPR. The intermediary was found guilty and fined EUR 180,000 for failing to protect its clients’ personal data properly: the data was easily accessible on the web to any technician versed in data processing, and the clients’ personal access codes were too simple and therefore easily accessible to third parties.
Although in this particular case the insurers were not fined by the CNIL, under the GDPR they can be jointly liable with the intermediary in the event of a personal data breach. In particular, the controller is liable for the acts of the processor it has appointed, the latter being considered a sub-contractor (Articles 24 and 28 of the GDPR).
This illustrates the risks of distributing insurance products through an intermediary without controlling its activities. Acting through intermediaries, in particular for insurance companies operating from other EU countries in FOS under the EU Directive on freedom of insurance services (Directive 2016/97 of 20 January 2016 on insurance distribution), requires strict control through contractual provisions that define:
- a clear allocation of duties between insurer and distributor (who is controller, joint controller or processor?) as regards the technical means used to protect personal data (who shall do or control what?) and the legal requirements (who must report to the authorities in case of a security breach, who shall reply to requests from data subjects, etc.);
- the right of the insurer to audit the distributor’s technical means used for this protection at any time during the term of the contract. One should also keep in mind that the insurer should actually carry out this audit efficiently and at regular intervals. As Napoleon rightly said: “You can govern from afar, but you can only administer closely”.
The concept of privacy by design has been around for a few decades. Although it has been referred to in studies since the 1970s and present in legislation since as early as the 1990s, it was consolidated only in 2009 with the work of Ann Cavoukian, the Information & Privacy Commissioner of Ontario, Canada.
This author defined the seven foundational principles of privacy by design: (i) to be proactive not reactive, preventative not remedial; (ii) privacy as the default setting; (iii) privacy embedded into design; (iv) full functionality – positive-sum, not zero-sum; (v) end-to-end security – full lifecycle protection; (vi) visibility and transparency – keep it open; and (vii) respect for user privacy – keep it user-centric.
After being adopted as a privacy standard by the International Data Protection and Privacy Commissioners in 2010, privacy by design was also included in the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016). However, in the GDPR (Article 25) it is no longer a mere principle. Instead, it has become a mandatory legal obligation, and failure to comply can lead to severe administrative fines (Article 83(4)(a)).
Regarding privacy by design, the GDPR establishes that the data controller shall implement the appropriate technical and organisational measures designed to implement data protection principles in an effective manner and to integrate the necessary safeguards into the processing. The appropriate technical and organisational measures are to be determined taking into account (i) the nature, scope, context and purpose of processing, (ii) the risks for rights and freedoms, (iii) the state of the art, and (iv) the cost of implementation.
Regarding privacy by default, the GDPR establishes that the controller shall implement the appropriate technical and organisational measures to ensure that, by default, (i) only the necessary data is processed, (ii) only to the necessary extent, (iii) the data is accessible only to the necessary individuals, and (iv) the data is stored only for the necessary period of time.
Both privacy by design and privacy by default are established around the idea of the implementation of the appropriate technical and organisational measures to safeguard the personal data protection principles and rules. The GDPR provides some examples of these measures (such as pseudonymisation, encryption, anonymisation), but it is not a catalogue for these measures or other privacy enhancing technologies (PET) and the provided examples should not be seen as mandatory measures.
Clear guidance on privacy by design and by default is not to be found in the GDPR; it is a work in progress for the whole community and all parties involved. But the GDPR has the clear intention of impacting the core of the digital age system, reshaping its values regarding privacy.
The success of this ambition is uncertain, but some important challenges are already very clear, such as the role of the producers of products, services and applications, the integration of data protection principles in the design of User Experience (UX) and User Interface (UI) and also in the software development planning (agile and scrum, for instance).
In the meantime, examples of the real impact of privacy by design and by default are coming to light. In 2018, Valve changed the privacy settings of the users of the gaming platform Steam, making the games a user owns private by default. As a direct consequence, the analytics activity provided by SteamSpy and other similar companies was severely damaged.
Privacy by design certainly is, for those closely involved in the design process of products, services and applications, one of the most interesting and challenging topics in personal data protection.
On 25 May 2018, the EU Regulation 2016/679 came into force, concerning the “protection” of personal data (hereinafter the “Regulation” or “GDPR”). It is a Community legislative instrument aimed at strengthening the right of natural persons to have their personal data protected, which has been elevated to “fundamental right” in the Charter of Fundamental Rights of the European Union (Article 8 paragraph 1) and in the Treaty on the Functioning of the European Union (Article 16 paragraph 1).
The Regulation has direct application in Italian law and does not require any implementation by the national legislator. Its provisions prevail over national laws. From a practical standpoint, this means that, in the event of a conflict between a provision contained in the Regulation and one provided for in the “old” Legislative Decree 196/2003, the former prevails over the latter.
The GDPR consists of 99 articles, of which only some constitute a novelty in comparison with the preceding regime and bear specific relevance for the owners/managers of accommodation facilities.
Indeed, the first novelty concerns the “explicit consent” for the processing of “sensitive” data and for decisions based on automated processing (including profiling, Article 22). It is, in fact, necessary for the client to express his consent to the processing of these data independently of the consent relating to other data. Consent obtained before 25 May 2018 remains valid only if it meets the requirements below.
It is required, for example, that the data owners modify their websites or promotional newsletters addressed to customers. The latter need to be aware of the purposes for which the data is collected and of the rights to which they are entitled. In order to subscribe to the newsletter, only the email address should be necessary, and if the owners request more data, the purposes of such a request ought to be specified. Before sending the subscription request, the customer must give his consent and accept the privacy policy. The privacy statement must be clearly accessible from the home page of the website. In particular, as to the newsletter, the privacy policy must also be indicated and linked in the relevant registration box.
Substantial changes were also introduced in relation to the duties of the Data Controller and the Data Processor. Both profiles are important in the hotel industry.
Now the Data Controller must (i) be able to prove that the data subject has consented to a specific processing, (ii) provide the contact details of the Data Protection Officer, (iii) declare the eventual transfer of the personal data towards third countries and, if so, through which means the transfer takes place, (iv) specify the retention period of the data or the criteria employed to establish the retention period, as well as the right to file a complaint with the supervisory authority; (v) indicate whether the processing involves automated decision-making processes (including profiling), and the expected consequences for the data subject concerned.
The Data Protection Officer (“DPO”), on the other hand, is a professional (who can be internal or external to the organisation) who guarantees the observance of the rules of the GDPR and the management and processing of the data.
According to the new Regulation, the duties of this professional concern: (i) the keeping of the data processing records (pursuant to Article 30, paragraph 2, of the Regulation), and (ii) the adoption of suitable technical and organisational measures to ensure the security of the procedures (pursuant to Article 32 of the Regulation).
The name of the DPO must be indicated in the privacy policy delivered to the customer. The relationship between the data protection officer and the data controller is governed by a contract that must strictly regulate the subjects set forth in paragraph 3 of Article 28, in order to demonstrate that the manager provides “sufficient guarantees” for the correct management and processing of data. The Officer can appoint a “sub-manager”, but only for limited processing activities and in compliance with the provisions of the contract, and is answerable for any non-compliance of the sub-manager.
In light of these provisions, hotels will have to assess the risk deriving from data processing more carefully, prepare a detailed procedure enabling constant monitoring of, among other things, the suitability of the processing, promptly notify any breach of the security procedure involving the accidental disclosure of data, and adapt the information to be delivered to the customer.
Finally, it is worth noting that the penalties for violations of the GDPR can be very significant and reach up to 4% of the company’s turnover. As such, they are far more severe than those previously specified. It is, therefore, necessary to pay close attention to compliance with the GDPR, since an incorrect or defective application can cause severe prejudice to the company.
The author of this post is Giovanni Izzo.
The General Data Protection Regulation (EU Regulation 2016/679) came into force on 25 May 2018. It applies to all data processing, whether automated or not. However, the most remarkable part of the Regulation is its territorial scope. Many believe that the virtual world has erased borders, and the largest players on the internet have generated much controversy, in particular for evading local legislation on tax matters. The EU therefore decided to set the record straight. Its message is clear: whether you are in the United States, in Asia or elsewhere, when you process the personal data of EU residents you must comply with these rules. The high cost of sanctions means that this new legal framework must be taken very seriously. The maximum fine is set at 4% of the previous year’s turnover, which for any company sanctioned in 2018 means its 2017 turnover. For example, for GAFA (Google, Apple, Facebook and Amazon), the maximum fine in case of non-compliance can be estimated as follows: about USD 7.1 billion of Amazon’s USD 178 billion turnover (more than its profit...), about USD 5.6 billion of Apple’s USD 141 billion, about USD 4 billion of Google’s USD 100 billion, and about USD 1.28 billion of Facebook’s USD 32 billion.
The limited territorial scope of the former Directive
European Directive 95/46/EC of 24 October 1995 and French Law No. 2004-801 of 6 August 2004 updated the French Data Protection Act No. 78-17 of 6 January 1978.
The Directive could of course apply to data controllers not established in the EU, but it required that they use processing means located in the EU.
It later turned out that many processors managed to circumvent the European data protection rules by relying on the extraterritoriality of their processing.
For years, Google claimed that the data it collected in France and Europe was subject not to French law but to Californian law, since the company and its servers were located in California.
Since the purpose of the European Commission is to protect personal data, the new Regulation was to correct this shortcoming.
The extraterritorial scope of the Regulation
From 25 May 2018, the European Regulation applies to all processing of personal data where the controller or processor (generally an IT service provider) is established in the EU, regardless of whether the processing itself takes place in the EU.
The Regulation also provides that, where the controller or processor is not established in the EU but the processing concerns a data subject located in the EU, the Regulation applies regardless of the nationality of the persons concerned.
Controller or processor established in the EU
The Regulation does not define the concept of establishment. French and European courts have interpreted it broadly, favouring an interpretation based on an effective and real activity carried out through stable arrangements.
Establishment has been found to exist (in the Weltimmo case of the Court of Justice of the EU of 1 October 2015) where there was a representative, a bank account and a letterbox in the Member State concerned.
Furthermore, the legal form of such an establishment is not decisive. Thus, the processing of personal data carried out by a simple branch without legal personality, with a non-European controller, must also comply with the Regulation.
Controller or processor not established in the EU
If the controller or processor is neither established in the EU nor has an establishment there, the Regulation applies where the processing relates to residents located in the EU and the processing activities are connected with internet users in the 28 EU Member States (520 million residents), through:
- (i) offering goods or services to those users, whether free of charge or paid
The Regulation contains no definition of the offering of goods and services, but it gives some indications that make it possible to characterise such an offer (Article 23), for example ordering goods and services in a language or currency generally used in one or more EU Member States, or mentioning customers or users in the EU.
However, the mere accessibility of a website, e-mail address or other contact details is not sufficient for that characterisation.
In other words, the intention of the data controller with regard to the persons concerned must be examined: does it intend to offer goods or services to persons in the European Union?
- (ii) monitoring users’ behaviour, where that behaviour takes place in the EU.
In particular, the Regulation refers to the observation of natural persons in order to take decisions concerning them, or to analyse or predict their personal preferences, behaviour and attitudes.
These two conditions (i) and (ii) are alternative, not cumulative.
What about transfers of personal data outside the EU?
In principle, the transfer of personal data outside the EU is prohibited. The aim is to protect personal data from data havens where more lenient rules apply.
There are many exceptions to this principle:
- Transfers to European Economic Area countries
These countries have signed an agreement with the EU under which they have adopted the personal data protection rules.
- Transfers to countries with an adequacy decision
The European Union recognises that certain countries have rules on the protection of personal data equivalent to the European Regulation.
- Transfers to countries under standard contractual clauses or BCR (“Binding Corporate Rules”)
These countries have no adequacy decision or no rules on personal data protection. The idea is therefore to establish contractual rather than legal protection of the data, through standard clauses or an agreement within a group of companies.
Standard contractual clauses
The standard clauses have been drafted by the European Commission and are available on its website. These agreements are concluded between the data controller and a processor established abroad, within the framework of an IT services agreement, or for the transmission of personal data to subsidiaries or entities of a group.
Currently, before using these clauses, the data controller obtains an authorisation from the French supervisory authority (CNIL). This authorisation request will cease to apply from 25 May 2018.
Binding Corporate Rules (BCR)
BCR concern only groups of companies. Within the group, a charter is adopted under which all subsidiaries and entities undertake to comply with the European data protection rules.
Once drafted, the charter is submitted for approval to the European data protection authorities through a mutual recognition system.
This authorisation request will continue after 25 May 2018.
Transfers of personal data to the United States: the “Privacy Shield” system
This is an international agreement between the European Union and the US Federal Trade Commission (FTC), to which US companies may freely adhere. Under its terms, the FTC undertakes to ensure that companies signing up to the system comply with the data protection rules contained in this international agreement.
In conclusion, the European personal data protection Regulation is intended to apply to companies anywhere in the world that process the personal data of European residents.
It puts an end to the practice of online services choosing the most favourable and least stringent country in which to develop their business model, as well as to hide-and-seek forum shopping.
The level of sanctions removes any doubt about the firmness with which this new framework will be enforced. The risk it creates can hardly be regarded as minor.
It requires any company using the personal data of the 520 million residents of the 28 EU Member States to think carefully and comply with the Regulation.
The author of this post is Thierry Aballéa.
The application of the General Data Protection Regulation (“GDPR”), in force since 25 May 2018, will oblige companies to deal with issues concerning IT security and liability for the collection and storage of personal data, without any further hesitation. Privacy protection will become an important part of corporate culture and will necessarily have to be managed from the top levels, i.e. the managing director as well as the management team. Employees will also be involved in this awareness process through adequate training on the matter. Companies should establish the order and priorities of certain data-related procedures, in accordance with the privacy by design and privacy by default principles. In other words, such companies should ensure data protection from the outset of product or service ideation and design, opting for behaviours aimed at preventing possible issues affecting personal data.
An even wider definition of personal data
The concept of “personal data” refers to all the information that identifies or makes a person identifiable and provides details related to his/her features, habits, lifestyle, personal relationships, health and economic conditions. The definition of “personal data” also becomes wider and more structured when electronic communications are considered, with new technologies, including geolocation, carrying significant weight.
This transition, certainly problematic, introduces new challenges and opportunities, and places the question of data protection as a fundamental human right at the centre of the international debate and of digital policies. This results in a significant turning point. In fact, digitalisation has caused several information security issues which, until a few years ago, could be handled by national authorities in each EU country and now require a more focused and structured legal framework. The introduction of platforms such as SaaS (Software as a Service) and the growth of cloud computing have completely changed the scenario.
Therefore, the European Data Protection Supervisor (EDPS) positively dealt with the request to reform the legal framework on personal data protection in 2011, since the existing legislation was no longer appropriate.
Even though it is way too early to predict the impact of such privacy regulation, we believe that it is interesting to focus on certain general considerations and some of the GDPR’s outcomes in the international scenario.
The potential applicability of the GDPR worldwide
Certainly, one of the important changes brought about by the GDPR is its potential applicability worldwide: the regulation thus overcomes European borders in the name of personal data protection.
Such regulation, in fact, applies not only to all cases where data are handled by EU based companies, but also to all cases where a company, even though not EU based, deals with EU based individuals’ personal data for the purpose of offering them goods or services or of monitoring their behavior in the EU.
Consequently, in the light of the above, all foreign companies that still wish to offer and provide their services to EU citizens cannot avoid complying with the GDPR.
Furthermore, even UK organizations may be forced to comply with the regulation to protect UK citizens’ personal data and maintain their competitiveness in the EU market, for reasons of opportunity and convenience, in addition to the mandatory application described above and, in any case, for as long as Brexit does not materialize.
The lack of connection with the data location
The regulation not only binds foreign companies that deal with EU citizens’ personal data, but also aims to govern all processing of personal data, irrespective of the place where such data are located. It therefore provides that all personal data processing carried out by EU based companies will be subject to the GDPR, regardless of whether such processing is carried out within or outside the EU.
From a legal point of view, such data will be in the spotlight and subject to this new regulation rather than to national laws. This means that physical location loses relevance before the aim of granting the individuals concerned greater control over the information that is collected, processed and used by third parties.
Companies may of course stop their business with EU citizens in order to avoid compliance with the GDPR principles, but such a choice should be made correctly: i.e. the GDPR’s application should be taken into account when a company provides a web service which is also available to EU citizens.
The disposition of strict fines
The fines for companies that are not in compliance with such regulation can amount to up to 4% of their global revenue and up to Euro 20 million. The relevance of such measures drew attention of all the parties, particularly in the US where organizations have a strong presence in the EU. Furthermore, the GDPR applies to organizations of any dimension and to both individual enterprises as well as large companies.
Forward-looking companies started to set up their compliance programs immediately after the EU regulation was announced, but this proves complex, and as a result meeting the 25 May deadline could be difficult.
According to PwC’s reports, 9% of US companies declare that they have allocated more than 10 million dollars with the aim of achieving such compliance.
Some compliance requirements for companies
- Accountability principle: data processing needs to be carried out through recorded procedures, regardless of whether such procedures are managed by the companies or by third parties on their behalf. Doing so makes the data controller responsible and obliges him to be compliant with the GDPR.
- Risk based approach: the driving force of the regulation is the aim of making companies responsible; they are therefore asked to comply with the GDPR principles by adopting a new risk based approach and risk assessments.
- Clear and concise consent: much attention is paid to consent to personal data processing, which should be clear, concise, distinguishable and unequivocal.
- Data protection by design and by default: privacy management implemented through default settings from the design phase onwards; this means that companies should take personal data protection into account from the moment a product, service or app is designed and developed.
- Right to be forgotten: individuals are entitled to obtain, without delay, the deletion of their data by the data controller when certain conditions provided by the GDPR are met, for example when the data become redundant and no longer necessary for the purposes for which they were collected, or when the individual’s consent is withdrawn.
- Right to data portability: individuals are entitled to receive their personal data in a commonly used, well-structured and machine-readable format, so as to transfer such data to another data controller, without any possible hindrance by the former data controller.
- Appointment of an EU Representative: the Representative acts on behalf of the data controller or the data processor and may be questioned by any supervisory authority.
How to make the transition process easier?
The EU regulation on personal data protection requires a strong legal background and, at the same time, considerable technical implementation skills, given the ongoing digitalisation processes and the use of ever more innovative and complex technologies.
In this regard, companies may rely on professionals who are able to provide multidisciplinary services and consultancy, not only of a legal and IT nature, but who can also create and implement synergies between professionals and business workers such as engineers and mathematicians.
Consequently, this burdensome commitment to follow the GDPR, together with the obligation to comply with the law, should also enable companies to combine the aforesaid skills and join forces to begin a transition process that will ultimately result in growth.
The author of this post is Giorgio Piccolotto.
Less than one year from now, on May 25, 2018, the new European Regulation on the protection of personal data (EU) 2016/679 will come into force. Whatever its size or business activity, every company has to process personal data files at some point.
The new sanctions provide a strong incentive to prepare organisations for compliance with the new legal framework in twelve months’ time.
Non-European undertakings must also be particularly careful regarding these new measures, the principal aspects of which are summarised below.
Extraterritorial application
The Regulation applies to personal data processing when the controller is established on the territory of the European Union.
If the controller is not established in the European Union, the Regulation applies when data processing involves persons situated within the European Union and when the processing is linked to the offering of goods or services to such persons. Non-EU companies must appoint a representative for this purpose.
The right to data portability and appointment of a DPO
This new right enables a person to recover the data that he has supplied in an easily reusable form, for example on a USB key. Companies must get organised in order to be able to satisfy these portability requirements.
Appointment of a Data Protection Officer
Companies must appoint a DPO (Data Protection Officer), successor to the CIL (Correspondant Informatique et Libertés) who is appointed based on his professional skills (legal and technical), his independence and his accessibility in order to ensure compliance.
We would like to point out that a specialist lawyer should be authorised to carry out this role provided relevant Bar rules do not prevent it.
Sanctions
These measures must imperatively be respected, at the risk of seeing heavy sanctions imposed.
Depending on the category of infraction, these sanctions may amount to:
- 10 to 20 million euro; or
- 2% to 4% of annual world revenues.
The higher of the two amounts is applied.
Recommendations
To ensure that your practices comply with the new legislation, it is necessary to:
- Set in motion an internal project dedicated to compliance with the new legislation within the next 9 months;
- Anticipate the obligations specified by the Regulation;
- Budget for the right to data portability and the position of DPO;
- Organise, for SMEs, the sharing of the DPO position with other companies.
The author of this post is Thierry Aballéa.
GDPR – Privacy by design and by default
9 August 2019
- Europe
- Portugal
- Privacy and data protection
Are insurers liable for breach of the GDPR on account of their appointed intermediaries?
Insurers acting out of their traditional borders through a local intermediary should choose carefully their intermediaries when distributing insurance products, and use any means at their disposal to control them properly. Distribution of insurance products through an intermediary can be a fast way to distribute insurance products and enter a territory with a minimum of investments. However, it implies a strict control of the intermediary’s activities.
The reason is that Insurers in FOS can be held jointly liable with the intermediary if this one violates personal data regulation and its obligations as set by the GDPR (Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
In a decision dated 18 July 2019 , the CNIL (Commission Nationale Informatique et Libertés), the French authority in charge of personal data protection rendered a decision against ACTIVE ASSURANCE, a French intermediary, for several breaches of the GDPR. The intermediary was found guilty and fined EUR 180,000 for failing to properly protect the personal data of its clients. Those were found easily accessible on the web by any technician well versed in data processing. Moreover, the personal access codes of the clients were too simple and therefore easily accessible by third parties.
Although in this particular case insurers were not fined by the CNIL, the GDPR considers that they can be jointly liable with the intermediary in case of breach of personal data. In particular, the controller is liable for any acts of the processor he has appointed, this one being considered as a sub-contractor (clauses 24 and 28 of the GDPR).
This illustrates the risks to distribute insurance products through an intermediary without controlling its activities. Acting through intermediaries, in particular for insurance companies acting from foreign EU countries in FOS under the EU Directive on freedom of insurance services (Directive 2016/97 of 20 January 2016 on insurance distribution) requires a strict control through enacting contractual dispositions whereas are defined:
- a clear distribution of the duties between insurer and distributor (who is controller/joint controller/processor ?) as regards technical means used for protecting personal data (who shall do/control what ?) and legal requirements (who must report to the authorities in case of breach of security/ who shall reply to requests from data owners?, etc.);
- the right of the insurer to audit the distributors’ technical means used for this protection at any time during the term of the contract. In addition to this, one should always keep in mind that this audit should be conducted efficiently by the insurer at regular times. As Napoleon rightly said: “You can govern from afar, but you can only administer closely”.
The concept of privacy by design has been around for a few decades. Although it has been referred to in studies since the 1970s and present in legislation since as far as the early 1990s, it was consolidated only in 2009 with the work of Ann Cavoukian, the Information & Privacy Commissioner of Ontario, Canada
This author defined the seven foundational principles of privacy by design: (i) to be proactive not reactive, preventative not remedial; (ii) privacy as the default setting; (iii) privacy embedded into design; (iv) full functionality – positive-sum, not zero-sum; (v) end-to-end security – full lifecycle protection; (vi) visibility and transparency – keep it open; and (vii) respect for user privacy – keep it user-centric.
After being adopted as a privacy standard by the International Data Protection and Privacy Commissioners in 2010, privacy by design was also included in the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016). However, in the GDPR (article 25) it no longer remains as a mere principle. Instead, it has become a mandatory legal obligation and failure to comply can lead to severe administrative fines (article 83/4/a).
Regarding privacy by design, the GDPR establishes that the data controller shall implement the appropriate technical and organisational measures designed to implement data protection principles in an effective manner and to integrate the necessary safeguards into the processing. The appropriate technical and organisational measures are to be determined taking into account (i) the nature, scope, context and purpose of processing, (ii) the risks for rights and freedoms, (iii) the state of the art, and (iv) the cost of implementation.
Regarding privacy by default, the GDPR establishes that the controller shall implement the appropriate technical and organisational measures to ensure that, by default, (i) only the necessary data is processed, (ii) only to the necessary extent of processing, (iii) is only accessible by the necessary individuals, and (iv) is only stored by the necessary period of time.
Both privacy by design and privacy by default are established around the idea of the implementation of the appropriate technical and organisational measures to safeguard the personal data protection principles and rules. The GDPR provides some examples of these measures (such as pseudonymisation, encryption, anonymisation), but it is not a catalogue for these measures or other privacy enhancing technologies (PET) and the provided examples should not be seen as mandatory measures.
Clear guidance on privacy by design and by default is not to be found in the GDPR and it is a work in progress by all the community and parties involved. But the GDPR has the clear intention of impacting the core of the digital age system, reshaping its values regarding privacy.
The success of this ambition is uncertain, but some important challenges are already very clear, such as the role of the producers of products, services and applications, the integration of data protection principles in the design of User Experience (UX) and User Interface (UI) and also in the software development planning (agile and scrum, for instance).
In the meantime, examples of the real impact of privacy by design and by default are coming to light. In 2018, Valve changed the privacy settings of the users of the gaming platform Steam, making games owned private by default. As a direct consequence, the analytics activity provided by SteamSpy and other similar companies was severely damaged.
Privacy by design certainly is, for those closely involved in the design process of products, services and applications, one of the most interesting and challenging topics in personal data protection.
On 25 May 2018, EU Regulation 2016/679 on the protection of personal data (hereinafter the “Regulation” or “GDPR”) became applicable. It is an EU legislative instrument aimed at strengthening the right of natural persons to the protection of their personal data, a right elevated to the rank of “fundamental right” by the Charter of Fundamental Rights of the European Union (Article 8(1)) and by the Treaty on the Functioning of the European Union (Article 16(1)).
The Regulation is directly applicable in Italian law and does not require any implementation by the national legislator; its provisions prevail over national laws. In practice, this means that, in the event of a conflict between a provision of the Regulation and one of the “old” Legislative Decree 196/2003, the Regulation prevails.
The GDPR consists of 99 articles, only some of which constitute a novelty compared with the preceding regime and bear specific relevance for the owners and managers of accommodation facilities.
The first novelty concerns “explicit consent” for the processing of “sensitive” (special category) data and for decisions based solely on automated processing, including profiling (Article 22). The client must give consent to the processing of these data separately from the consent relating to other data. Consent obtained before 25 May 2018 remains valid only if it meets the requirements set out below.
It is required, for example, that controllers revise their websites and the promotional newsletters addressed to customers, who must be informed of the purposes for which data are collected and of the rights to which they are entitled. To subscribe to a newsletter, only an email address should be necessary; if the controller asks for more data, the purpose of the request must be specified. Before sending the subscription request, the customer must give consent and accept the privacy policy. The privacy notice must be clearly accessible from the website’s home page and, for the newsletter, must also be indicated and linked in the registration box itself.
Substantial changes were also introduced in relation to the duties of the Data Controller and the Data Processor; both roles matter in the hotel industry.
The Data Controller must now (i) be able to prove that the data subject has consented to a specific processing; (ii) provide the contact details of the Data Protection Officer, where one has been designated; (iii) declare any transfer of personal data to third countries and, if so, the means by which the transfer takes place; (iv) specify the retention period of the data, or the criteria used to establish it, and inform the data subject of the right to lodge a complaint with the supervisory authority; and (v) indicate whether the processing involves automated decision-making, including profiling, and the expected consequences for the data subject.
The Data Processor, on the other hand, is a professional or organisation (internal or external to the hotel’s structure) that processes personal data on the controller’s behalf and must guarantee compliance with the GDPR in the management and processing of those data.
Under the Regulation, the processor’s duties include: (i) keeping a record of the processing activities carried out on behalf of the controller (Article 30(2)), and (ii) adopting suitable technical and organisational measures to ensure the security of processing (Article 32).
The processor (or at least the category of recipient) must be indicated in the privacy notice delivered to the customer. The relationship between processor and controller is governed by a contract that must regulate the matters set out in Article 28(3), so as to demonstrate that the processor provides “sufficient guarantees” for the correct management and processing of data. The processor may engage a sub-processor only for limited processing activities, in compliance with the contract, and remains liable to the controller for the sub-processor’s non-compliance.
In light of these provisions, hotels will have to carry out a more careful assessment of the risks arising from data processing, prepare a detailed procedure enabling constant monitoring of, among other things, the appropriateness of the processing, promptly notify personal data breaches (including the accidental disclosure of data) to the supervisory authority, and adapt the information notice delivered to customers.
Finally, the penalties for violations of the GDPR can be very significant, reaching up to 4% of the company’s total worldwide annual turnover (or EUR 20 million, whichever is higher). They are far more severe than those previously in force. Close attention to GDPR compliance is therefore necessary, since an incorrect or defective application can cause serious harm to the company.
The author of this post is Giovanni Izzo.
The General Data Protection Regulation (Regulation (EU) 2016/679) became applicable on 25 May 2018. It applies to all processing of personal data, whether automated or not. The most remarkable part of the Regulation, however, is its territorial scope. Many considered that the virtual world had abolished borders, and the largest players of the internet have generated a great deal of controversy, in particular over evading local legislation on tax matters. The EU therefore decided to set the record straight. Its message is clear: whether you are in the United States, in Asia or elsewhere, when you process the personal data of EU residents you must comply with these rules. The cost of the sanctions means that this new legal framework must be taken very seriously. The maximum fine is set at 4% of the previous financial year’s turnover, which for any company sanctioned in 2018 means its 2017 turnover. For GAFA (Google, Apple, Facebook and Amazon), for example, the maximum fine for non-compliance can be estimated as follows: about USD 7.1 billion for Amazon on a turnover of USD 178 billion (more than its profit...), about USD 5.6 billion for Apple on USD 141 billion, about USD 4 billion for Google on USD 100 billion, and about USD 1.28 billion for Facebook on USD 32 billion.
The limited territorial scope of the previous Directive
European Directive 95/46/EC of 24 October 1995 was transposed by French Law No. 2004-801 of 6 August 2004, which updated the French Data Protection Act No. 78-17 of 6 January 1978.
The Directive could of course apply to data controllers not established in the EU, but only where they used processing means located in the EU.
It turned out that many processors arranged to escape the European data protection rules by relying on the extraterritoriality of their processing.
For years, Google maintained that the data it collected in France and in Europe were governed not by French law but by California law, since the company and its servers were located in California.
Since the European Commission’s objective is to protect personal data, the new Regulation was meant to correct this flaw.
The extraterritorial scope of the Regulation
From 25 May 2018, the Regulation applies to all processing of personal data where the controller or the processor (generally an IT service provider) is established in the EU, whether or not the processing itself takes place in the EU.
The Regulation further provides that, where the controller or processor is not established in the EU but the processing concerns a data subject located in the EU, the Regulation applies regardless of that person’s nationality.
Controller or processor established in the EU
The Regulation does not define the notion of establishment. French and European courts have interpreted it broadly, giving priority to the effective and real exercise of an activity through stable arrangements.
Establishment has thus been found (CJEU, Weltimmo, 1 October 2015) where there was a representative, a bank account and a mailbox in the member state concerned.
Moreover, the legal form of the establishment is not decisive: a simple branch without legal personality, processing personal data with a non-European controller, must also comply with the Regulation.
Controller or processor not established in the EU
Where the controller or processor is not established in the EU and has no establishment there, the Regulation applies if the processing relates to residents of the EU and the activities are connected to internet users in the 28 member states (520 million residents) by:
- (i) offering goods or services to users, whether free of charge or paid for
The Regulation contains no definition of the offering of goods and services, but it gives indications that make it possible to characterise such an offer (Recital 23), such as the possibility of ordering goods and services in a language or currency generally used in one or more member states, or the mention of customers or users in the EU.
The mere accessibility of a website, an e-mail address or other contact details is, however, insufficient.
In other words, the controller’s intention towards the persons concerned must be examined: does it intend to offer goods or services to persons in the European Union?
- (ii) monitoring users’ behaviour, where that behaviour takes place in the EU
In particular, the Regulation targets the observation of natural persons in order to take decisions concerning them or to analyse or predict their personal preferences, behaviour and attitudes.
The two conditions (i) and (ii) are alternative, not cumulative.
What about transfers of personal data outside the EU?
In principle, transfers of personal data outside the EU are prohibited. The purpose is to protect personal data from “data havens” where more lenient rules apply.
There are many exceptions to this principle:
- Transfers to European Economic Area countries
These countries have concluded an agreement with the EU under which they adopted the personal data protection rules.
- Transfers to countries covered by an adequacy decision
The European Union recognises that certain countries have personal data protection rules equivalent to the European ones.
- Transfers to countries on the basis of standard contractual clauses or BCRs (“binding corporate rules”)
These countries have no adequacy decision, or no personal data protection rules at all. The idea is therefore to establish a contractual rather than a legal protection of the data, through standard clauses or an agreement within a corporate group.
Standard contractual clauses
The standard clauses have been drafted by the European Commission and are available on its website. They are concluded between the controller and a processor established abroad within the framework of an IT services agreement, or in connection with the sending of personal data to the subsidiaries or entities of a group.
At present, before using these clauses, the controller must obtain an authorisation from the French supervisory authority (CNIL). This authorisation requirement ceases from 25 May 2018.
Binding corporate rules (BCR)
BCRs concern corporate groups only. The group adopts a charter by which all subsidiaries and entities undertake to comply with the European data protection rules.
Once drafted, the charter is submitted for approval to the European data protection authorities under a mutual recognition procedure.
This approval requirement continues after 25 May 2018.
Transfers of personal data to the United States: the “Privacy Shield”
This is an international agreement between the European Union and the US Federal Trade Commission (FTC) to which US companies are free to adhere. Under its terms, the FTC undertakes to ensure that companies that have signed up to the scheme comply with the data protection rules it contains.
In conclusion, the European personal data protection Regulation is intended to apply to companies anywhere in the world that process the personal data of European residents.
It puts an end to the practice of online services choosing the most favourable and least strict country in which to build their business model, and to forum-shopping games of hide-and-seek.
The severity of the sanctions removes any doubt about the firmness with which this new framework will be enforced. The risk it creates can hardly be regarded as minor.
It requires any company using the personal data of the 520 million residents of the 28 EU member states to think carefully and to comply with the Regulation.
The author of this post is Thierry Aballéa.
The General Data Protection Regulation (“GDPR”), applicable since 25 May 2018, obliges companies to deal with IT security and with liability for the collection and storage of personal data, without room for further hesitation. Privacy protection becomes an important part of corporate culture and must be driven from the top, i.e. by the managing director and the management team. Employees are also involved in this awareness process through adequate training on the subject. Companies should set out the order and priorities of their data-related procedures in accordance with the privacy by design and privacy by default principles: in other words, they should ensure data protection from the very start of a product’s or service’s ideation and design, choosing behaviours aimed at preventing problems affecting personal data.
An even wider definition of personal data
The concept of “personal data” covers all information that identifies a person or makes him or her identifiable, and that provides details about his or her characteristics, habits, lifestyle, personal relationships, health and economic situation. The definition becomes even wider and more structured when electronic communications through new technologies are considered, with geolocation data carrying significant weight.
This transition, certainly problematic, introduces new challenges and opportunities and places data protection as a fundamental human right at the centre of the international debate and of digital policies. It marks a significant turning point: digitalisation has created many information security problems which, until a few years ago, could be handled by the national authorities of each EU country but now require a more focused and structured legal framework. The rise of platforms such as SaaS (Software as a Service) and the growth of cloud computing have completely changed the scenario.
The European Data Protection Supervisor (EDPS) therefore welcomed, in 2011, the proposal to reform the legal framework for personal data protection, since the existing legislation was no longer adequate.
Even though it is way too early to predict the impact of such privacy regulation, we believe that it is interesting to focus on certain general considerations and some of the GDPR’s outcomes in the international scenario.
The potential applicability of the GDPR worldwide
Certainly, one of the important changes brought about by the GDPR is its potential worldwide applicability: the regulation reaches beyond European borders in the name of personal data protection.
The regulation applies not only where data are processed by EU-based companies, but also where a company that is not established in the EU processes the personal data of individuals who are in the EU, in order to offer them goods or services or to monitor their behaviour within the EU. The criterion is the data subject’s presence in the EU, not citizenship.
Consequently, foreign companies that continue to offer and provide their services to people in the EU cannot avoid complying with the GDPR.
Furthermore, even UK organisations may need to comply with the regulation, to protect UK citizens’ personal data and to remain competitive in the EU market, for reasons of opportunity and convenience beyond the compulsory application described above, and in any case for as long as Brexit has not materialised.
The lack of connection with the data location
The regulation not only binds foreign companies that process the personal data of people in the EU, but also aims to govern all processing of personal data irrespective of where the data are located. It therefore provides that all personal data processing carried out by EU-based companies is subject to the GDPR, regardless of whether the processing takes place within or outside the EU.
From a legal point of view, such data come under this new regulation rather than under differing national laws. The physical location of the data loses relevance before the aim of giving the individuals concerned greater control over the information that third parties collect, process and use.
Companies may of course stop doing business with people in the EU in order to avoid complying with the GDPR, but such a choice must be made consciously: the GDPR’s application has to be taken into account whenever a company provides a web service that is also available to people in the EU.
The disposition of strict fines
Fines for companies that do not comply with the regulation can amount to up to 4% of their worldwide annual turnover or EUR 20 million, whichever is higher. The size of these penalties has drawn the attention of all parties, particularly in the US, where organisations have a strong presence in the EU. Furthermore, the GDPR applies to organisations of any size, from sole traders to large companies.
Forward-looking companies started their compliance programmes immediately after the regulation was announced, but the task is complex and meeting the 25 May deadline could be difficult.
According to PwC’s reports, 9% of US companies declare that they have allocated more than 10 million dollars to achieving compliance.
Some compliance requirements for companies
- Accountability principle: data processing must be carried out under documented procedures, whether they are managed by the company itself or by third parties on its behalf. This makes the data controller responsible for, and obliges it to demonstrate, compliance with the GDPR.
- Risk-based approach: the driving force of the regulation is to make companies responsible; they are therefore asked to comply with the GDPR principles by adopting a risk-based approach and carrying out risk assessments.
- Clear and concise consent: much attention is paid to consent to the processing of personal data, which must be clear, concise, distinguishable and unambiguous.
- Data protection by design and by default: privacy is managed and implemented through default settings from the design phase onwards; companies must take personal data protection into account from the moment a product, service or app is designed and developed.
- Right to be forgotten: individuals are entitled to obtain, without undue delay, the erasure of their data by the data controller when certain conditions provided for by the GDPR are met, for example when the data are no longer necessary for the purposes for which they were collected, or when the individual withdraws consent.
- Right to data portability: individuals are entitled to receive their personal data in a structured, commonly used and machine-readable format, so as to transmit them to another data controller without hindrance from the former one.
- Appointment of an EU representative: controllers and processors not established in the EU must designate a representative in the EU, who acts on their behalf and may be addressed by any supervisory authority.
How to make the transition process easier?
The EU regulation on personal data protection requires strong legal training and, at the same time, substantial technical implementation skills, given the ongoing digitalisation processes and the use of ever more innovative and complex technologies.
In this regard, companies may rely on professionals able to provide multidisciplinary services and consultancy, not only of a legal and IT nature, but also capable of creating synergies with business specialists such as engineers and mathematicians.
Consequently, the burdensome commitment of following the GDPR, together with the obligation to comply with the law, should also enable companies to combine these skills and join forces in a transition process that ultimately results in growth.
The author of this post is Giorgio Piccolotto
Less than one year from now, on 25 May 2018, the new European Regulation (EU) 2016/679 on the protection of personal data will become applicable. Whatever its size or business activity, every company has to process personal data files at some point.
The new sanctions provide a strong incentive to prepare organisations for compliance with the new legal framework within the next twelve months.
Non-European undertakings must also be particularly careful regarding these new measures, the principal aspects of which are summarised below.
Extraterritorial application
The Regulation applies to personal data processing when the controller is established in the European Union.
If the controller is not established in the European Union, the Regulation applies when the processing involves persons located within the European Union and is linked to the offering of goods or services to such persons or to the monitoring of their behaviour. Non-EU companies must appoint a representative in the EU for this purpose.
The right to data portability and appointment of a DPO
This new right enables a person to retrieve the data that he or she has supplied in an easily reusable form, on a USB key for example. Companies must organise themselves so as to be able to satisfy these portability requirements.
Appointment of a Data Protection Officer
Companies must appoint a DPO (Data Protection Officer), successor to the CIL (Correspondant Informatique et Libertés), chosen on the basis of his or her professional skills (legal and technical), independence and accessibility, in order to ensure compliance.
We would point out that a specialist lawyer should be able to carry out this role, provided the relevant Bar rules do not prevent it.
Sanctions
These measures must be respected, at the risk of heavy sanctions.
Depending on the category of infringement, these sanctions may amount to:
- EUR 10 to 20 million; or
- 2% to 4% of annual worldwide turnover,
whichever of the two amounts is higher.
Recommendations
To ensure that your practices comply with the new legislation, it is necessary to:
- set in motion an internal project dedicated to compliance with the new legislation within the next 9 months;
- anticipate the obligations specified by the Regulation;
- budget for the right to data portability and for the DPO position;
- organise, for SMEs, the sharing of the DPO position with other companies.
The author of this post is Thierry Aballéa.
Application of GDPR to hotel businesses
3 November 2018
- Italy
- Privacy and data protection
- Racing
This illustrates the risk of distributing insurance products through an intermediary without controlling its activities. Acting through intermediaries, in particular for insurers operating from another EU country in FOS under the Insurance Distribution Directive (Directive 2016/97 of 20 January 2016), requires strict control through contractual provisions that define:
- a clear allocation of duties between insurer and distributor (who is controller, joint controller or processor?) as regards both the technical means used to protect personal data (who does, and who controls, what?) and the legal requirements (who reports to the authorities in case of a security breach? who answers requests from data subjects? etc.);
- the insurer’s right to audit the distributor’s technical protection measures at any time during the term of the contract. In addition, the insurer should actually exercise this audit right, effectively and at regular intervals. As Napoleon rightly said: “You can govern from afar, but you can only administer closely.”
The concept of privacy by design has been around for a few decades. Although it has been referred to in studies since the 1970s and present in legislation since as early as the 1990s, it was consolidated only in 2009 with the work of Ann Cavoukian, then Information & Privacy Commissioner of Ontario, Canada.
Cavoukian defined the seven foundational principles of privacy by design: (i) proactive not reactive, preventative not remedial; (ii) privacy as the default setting; (iii) privacy embedded into design; (iv) full functionality: positive-sum, not zero-sum; (v) end-to-end security: full lifecycle protection; (vi) visibility and transparency: keep it open; and (vii) respect for user privacy: keep it user-centric.
After being adopted as a privacy standard by the International Conference of Data Protection and Privacy Commissioners in 2010, privacy by design was also included in the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016). In the GDPR (Article 25), however, it is no longer a mere principle: it has become a mandatory legal obligation, and failure to comply can lead to severe administrative fines (Article 83(4)(a)).
Regarding privacy by design, the GDPR establishes that the controller shall implement appropriate technical and organisational measures designed to implement the data protection principles in an effective manner and to integrate the necessary safeguards into the processing. Which measures are appropriate is determined taking into account (i) the nature, scope, context and purposes of the processing, (ii) the risks to the rights and freedoms of natural persons, (iii) the state of the art, and (iv) the cost of implementation.
Regarding privacy by default, the GDPR establishes that the controller shall implement appropriate technical and organisational measures to ensure that, by default, (i) only the personal data necessary for each specific purpose are processed, (ii) only to the extent necessary, (iii) the data are accessible only to the individuals who need them, and (iv) the data are stored only for the necessary period.
Both privacy by design and privacy by default are built around the implementation of appropriate technical and organisational measures to safeguard the personal data protection principles and rules. The GDPR gives some examples of such measures (pseudonymisation, encryption, anonymisation), but it is not a catalogue of these measures or of other privacy enhancing technologies (PETs), and the examples given should not be seen as mandatory.
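What these measures look like when they are written into a data pipeline rather than into a policy, as an example added for this edit and not taken from the article: it applies the three "by default" controls the GDPR names for a hotel's guest records, keeping only an allowlist of fields (data minimisation), replacing the e-mail address with a keyed pseudonym (pseudonymisation), and refusing to export records past their retention period (storage limitation). The guest records are constructed, the key is a placeholder (a real one is a random secret held in a KMS and stored apart from the pseudonymised data set, which is what makes the output pseudonymised rather than anonymised in the Regulation's sense), and the one-year retention period and the field allowlist are assumed policy. It also shows why the usual shortcut, a plain SHA-256 of the e-mail address, is not a pseudonymisation measure at all: an attacker can recover the address by hashing a list of guesses.

```python
"""Pseudonymisation, minimisation by default and retention, as code.

Example added for this edit, not from the article. GUEST_RECORDS is a constructed
sample; PSEUDONYMISATION_KEY is a placeholder (assumption): in production it is a
random secret held in a KMS/HSM and stored apart from the pseudonymised data set.
"""
import hashlib
import hmac
from datetime import date, timedelta
from typing import Callable, Dict, Iterable, List, Optional

# Placeholder key (assumption): replace with a random 32-byte secret from a KMS.
PSEUDONYMISATION_KEY = bytes.fromhex("0f" * 32)

# Privacy by default: the only fields the analytics pipeline is allowed to receive.
ALLOWED_FIELDS = frozenset({"booking_id", "check_in", "nights", "country"})

# Storage limitation (assumed policy): drop booking records one year after check-in.
RETENTION = timedelta(days=365)

# Reference date used by the demo below.
SAMPLE_TODAY = date(2018, 7, 1)

# Constructed sample input: what a property-management system typically holds.
GUEST_RECORDS: List[Dict] = [
    {"booking_id": "B-1001", "email": "Alice@Example.com", "passport": "X1234567",
     "check_in": "2018-06-01", "nights": 3, "country": "FR", "diet": "vegetarian"},
    {"booking_id": "B-1002", "email": "bob@example.net", "passport": "Y7654321",
     "check_in": "2016-09-12", "nights": 1, "country": "IT", "diet": ""},
]


def _canonical(identifier: str) -> bytes:
    """Normalise case and whitespace so the same person gets the same pseudonym."""
    return identifier.strip().lower().encode("utf-8")


def pseudonymise(identifier: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """Keyed pseudonym (HMAC-SHA256) for a direct identifier such as an e-mail."""
    return hmac.new(key, _canonical(identifier), hashlib.sha256).hexdigest()


def unkeyed_pseudonym(identifier: str) -> str:
    """The common but weak variant: a plain SHA-256 of the identifier."""
    return hashlib.sha256(_canonical(identifier)).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    """Recover an identifier from its pseudonym by hashing a list of guesses.

    Works against unkeyed_pseudonym (e-mail addresses are guessable); fails against
    pseudonymise unless the attacker also holds the key.
    """
    for guess in candidates:
        if hmac.compare_digest(fn(guess), target):
            return guess
    return None


def minimise(record: Dict, allowed: frozenset = ALLOWED_FIELDS) -> Dict:
    """Data minimisation by default: keep only allowlisted fields."""
    return {k: v for k, v in record.items() if k in allowed}


def within_retention(record: Dict, today: date, retention: timedelta = RETENTION) -> bool:
    """Storage limitation: is the record still inside its retention period?"""
    return today - date.fromisoformat(record["check_in"]) <= retention


def export_for_analytics(records: Iterable[Dict], today: date) -> List[Dict]:
    """Apply retention, minimisation and pseudonymisation to a batch of records.

    Expired records are dropped rather than exported; the e-mail address is replaced
    by a keyed pseudonym so analytics can still link one guest's stays together.
    """
    out = []
    for rec in records:
        if not within_retention(rec, today):
            continue
        row = minimise(rec)
        row["guest"] = pseudonymise(rec["email"])
        out.append(row)
    return out


if __name__ == "__main__":
    for row in export_for_analytics(GUEST_RECORDS, SAMPLE_TODAY):
        print(row)
    guesses = ["carol@example.org", "alice@example.com"]
    print("unkeyed:", dictionary_attack(unkeyed_pseudonym("alice@example.com"), guesses, unkeyed_pseudonym))
    print("keyed:  ", dictionary_attack(pseudonymise("alice@example.com"), guesses, unkeyed_pseudonym))
```

Run stand-alone, the export contains only booking B-1001 (B-1002 is past its retention period), stripped of e-mail, passport and dietary preference and carrying a `guest` pseudonym instead; the dictionary attack recovers the address from the unkeyed hash and fails against the keyed one. The design choice worth noting is that the key, not the hash function, is the safeguard: whoever can read the key can re-identify every guest, so it belongs with the controller's other secrets and never in the analytics environment, and rotating it is the simplest way to unlink an old data set.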
Clear guidance on privacy by design and by default is not to be found in the GDPR; it is a work in progress for the whole community and all parties involved. But the GDPR clearly intends to affect the core of the digital ecosystem and to reshape its values regarding privacy.
Whether this ambition succeeds is uncertain, but some important challenges are already clear, such as the role of the producers of products, services and applications, and the integration of data protection principles into User Experience (UX) and User Interface (UI) design and into software development planning (agile and scrum, for instance).
In the meantime, examples of the real impact of privacy by design and by default are coming to light. In 2018, Valve changed the privacy settings of users of the gaming platform Steam, making the list of games owned private by default. As a direct consequence, the analytics business of SteamSpy and similar companies was severely damaged.
Privacy by design is certainly, for those closely involved in the design of products, services and applications, one of the most interesting and challenging topics in personal data protection.
On 25 May 2018, the EU Regulation 2016/679 came into force, concerning the “protection” of personal data (hereinafter the “Regulation” or “GDPR”). It is a Community legislative instrument aimed at strengthening the right of natural persons to have their personal data protected, which has been elevated to “fundamental right” in the Charter of Fundamental Rights of the European Union (Article 8 paragraph 1) and in the Treaty on the Functioning of the European Union (Article 16 paragraph 1).
The Regulation has a direct application in Italian law and does not require any implementation by the national legislator. These provisions prevail over national laws. From a practical standpoint, this means that, in the event of a conflict between a provision contained in the Regulations and one provided for in the “old” Legislative Decree 196/2003, the earlier would prevail over the latter.
The GDPR consists of 99 articles, of which only some constitute an in comparison with the preceding regime and bear specific relevance for the owners/managers of accommodation facilities.
Indeed, the first novelty concerns the “explicit consent” for the processing of “sensitive” data and the decisions based on automated processing (including profiling -Article 22- ). It is, in fact, necessary for the client to express his consent in relation to the processing of these data independently of that relating to other data. The consent obtained before 25 May 2018 remains valid only if it meets the requirements below.
It is required, for example, that the data owners modify their websites or promotional newsletters addressed to the customers. The latter need to be aware of the purposes for which the data is collected and of rights to which they are entitled. In order to subscribe to the newsletter, only the email address should be necessary, and if the owners request for more data, the purposes of such request ought to be specified. Before sending the subscription request, the customer must give his consent and accept the privacy policy. The privacy statement must be clearly accessible from the home page of the website. In particular, as to the newsletter, the privacy policy must also be indicated and linked in the relevant registration box.
Substantial changes were also introduced in relation to the duties of the Data Controller and the Data Processor. Both profiles are important in the hotel industry.
Now the Data Controller must (i) be able to prove that the data subject has consented to a specific processing, (ii) provide the contact details of the Data Protection Officer, (iii) declare the eventual transfer of the personal data towards third countries and, if so, through which means the transfer takes place, (iv) specify the retention period of the data or the criteria employed to establish the retention period, as well as the right to file a complaint with the supervisory authority; (v) indicate whether the processing involves automated decision-making processes (including profiling), and the expected consequences for the data subject concerned.
The Data Protection Officer (“DPO”), on the other hand, is a professional (who can be internal or external to the structure) who guarantees the observance of the rules of the GPDR and the management and processing of the data.
According to the new Regulation, the duties of this professional concern: (i) the keeping of the data processing reports (pursuant to Article 30, paragraph 2, of the Regulation), and (ii) the adoption of suitable technical and organisational measures to get the safety of the procedures (pursuant to Article 32 of the Regulation).
The name of the DPO must be indicated in the privacy policy to be delivered to the customer. The relationship between the data protection officer and the data controller is governed by a contract that must strictly regulate the subjects set forth in paragraph 3 of the article 28 in order to demonstrate that the manager provides “sufficient guarantees” for the correct management and processing of data. The Officer can appoint a “sub-manager” but only for limited processing activities, in compliance with the provisions of the contract, and responds to the non-compliance of the sub-manager.
In light of these provisions, the hotels will then have to make a more careful assessment of the risk deriving from data processing, prepare a detailed procedure as to enable the constant monitoring on, amongst others, the suitability of the treatment, and promptly notify a breach of the security procedure which involves the accidental disclosure of data, adapt its information to be delivered to the customer.
Finally, it is worth noting that the penalties for violations of the GDPR can be very significant and reach up to 4% of the company’s turnover. As such, they are far more severe than those previously specified. It is, therefore, necessary to pay close attention to compliance with the GDPR since an incorrect or defective application can cause severe prejudices to the company.
The author of this post is Giovanni Izzo.
一般数据保护条例(欧盟第2016/679号条例)于2018年5月25日生效。它适用于所有的数据处理,不管是自动化的还是非自动化的。然而,条例中最特别的部分是其领土适用范围。许多人认为,虚拟世界已经消除了边界,互联网世界的最大参与者已经形成了大量的争论,特别是在税收问题上逃避地方立法的行为。因此,欧盟决定澄清事实。欧盟传递出的信息很清楚,不管你是在美国、亚洲还是其他地方,在处理欧盟居民的个人数据时,你都必须遵守这些规则。制裁的高昂代价意味着,这一新的法律框架必须被非常认真地对待。最高罚款额定为上一年度营业额的4%,对任何在2018年度被制裁的企业来说上一年度均为2017年度。例如,对于GAFA(谷歌、苹果、Facebook和亚马逊)来说,如果他们不遵守规定,最大制裁罚款金额可估计如下:亚马逊约为1780亿美元营业额中的71亿美元(高于利润……),苹果约为1410亿美元营业额中的56亿美元,谷歌约为1000亿美元营业额中的40亿美元,Facebook约为320亿美元营业额中的12.8亿美元。
前项指令之有限地域适用范围
1995年10月24日第95/46EC号欧洲指令,2004年8月6日法国第2004-801号法律,对1978年1月6日第78-17号法国数据保护法进行了更新。
该指令当然可适用于不在欧盟境内设立的数据控制器,但该指令要求它们使用位于欧盟境内的处理手段。
后来发现,许多处理器都是基于其处理的治外法权而设法规避欧洲数据保护条例的。
多年来,谷歌一直声称,其在法国和欧洲收集的数据不受法国法规的制约,而是受加州法规的制约,因为该公司及其服务器都位于加州。
由于欧洲委员会的宗旨是保护个人数据,新条例应纠正这一缺陷。
条例的境外适用范围
从2018年5月25日起,欧洲条例将适用于在欧盟内设立了数据控制器或数据处理器(一般是信息技术服务供应商)的所有个人数据的处理,而不论数据处理本身是否在欧盟内进行。
条例还规定,如果控制器或处理器不在欧盟内设立,而处理的对象是位于欧盟内的一个数据主体,则不论有关人员的国籍如何,都应适用条例。
在欧盟内设立的控制器或处理器
该条例没有界定设立的概念。法国和欧洲法院对此作了广泛的解释,它们优先考虑通过稳定的安排,以有效而真实的活动为基础来对设立作出解释。
设立这一概念已经(在2015年10月1日欧盟法院 Weltimmo案中)被认定为,在有关会员国有一名代表、一个银行账户和一个信箱。
此外,这种设立的法律形式并不是绝对的。因此,一个没有法人资格的简单的分支机构,用非欧洲籍管理器进行的个人数据的处理,也必须遵守条例执行。
未在欧盟内建立的控制器或处理器
如果控制器或处理器并非在欧盟内建立,也没有在欧盟内设立机构,则适用该条例的情况是,处理数据与位于欧盟境内的居民有关,处理活动与欧盟28个成员国(包括5.2亿名居民)的因特网用户有联系。
- (i) 向用户提供物品或服务,无论这些服务是免费的还是付费的
该条例没有关于提供货物和服务的任何定义,但它提供了一些指示,使人们有可能将这种提供定性(第23条),例如用在一个或多个欧盟成员国内通常使用的语言或货币来订购货物和服务,或者是提及欧盟内的客户或用户。
然而,仅仅是访问一个网站、电子邮件地址或其他联系方式则不足以定性。
换言之,必须核查数据管制员对有关人员的意图。他是否打算向欧洲联盟的有关人员提供货物或服务。
- (ii) 对用户的行为进行监测,如果这种行为发生在欧盟内。
特别是,该条例规定对自然人进行观察,以便就其作出决定,或分析或预测其个人偏好、行为和态度。
这两个条件(i)和(ii)是可变的,而非累积的。
在欧盟之外的个人数据的转移又如何呢?
原则上,禁止在欧盟之外转移个人数据。其目的是保护个人数据免受数据避风港的影响,在这方面适用更灵活的规定。
这项原则有很多例外:
- 向欧洲经济区国家转移数据
这些国家已与欧盟签署了一项协议,通过这些协定,他们通过了个人数据保护条例。
- 向订有适足协议的国家转让数据
欧洲联盟承认,某些国家有与欧洲条例相当的关于保护个人资料的条例。这些条例相当于欧洲法规。
- 向已签署标准合同条款或BCR(“有约束力的公司规则”)的国家转让数据
这些国家尚未作出充分的决定,或没有关于个人数据保护的条例。因此,其想法是通过标准条款或公司集团内部的协议,对数据建立合同保护而不是法律保护。
标准合同条款
标准条款已由欧洲委员会起草,可通过其网站查阅。这些协议是数据管制员和在国外设立的处理器之间在信息技术服务协议的框架内缔结的,或者是在向集团子公司或实体发送个人数据方面订立的协议。
目前,在使用这些条款之前,数据管制员可以从法国的国家管理机构(CNIL)获得授权。这项授权申请将从2018年5月25日起停止。
约束性公司规则(BCR)
BCR只关注公司集团。集团内部通过章程,所有子公司和实体承诺遵守欧洲数据保护条例。
宪章一经起草,将通过相互承认制度提交欧洲数据保护当局批准。
这项授权请求将在2018年5月25日之后继续。
向美国转移个人数据:“隐私保护”系统
这是欧洲联盟和美国联邦贸易委员会(FTC)之间的一项国际协议,美国公司可以自由遵守。根据该协议的条款,FTC会承诺确保签署该系统的公司遵守这一国际协议所载的数据保护规则。
总之,欧洲个人数据保护条例的目的是适用于处理欧洲居民个人数据的世界各地的公司。
它结束了所有的线上服务选择最有利和最不严格的国家来发展公司的经济模式,以及捉迷藏式择地行诉的做法。
制裁的程度消除了人们对这一新框架将要实施的坚定性的怀疑。它产生的风险很难被认为是次要的。
它要求使用欧洲联盟28个居民5.2亿人的个人数据的任何公司深思熟虑并遵守条例。
这篇文章的作者是ThierryAbuléa.
The General Data Protection Regulation ("GDPR"), applicable from 25 May 2018, obliges companies to deal with IT security and with liability for the collection and storage of personal data, without any further hesitation. Privacy protection becomes an important part of corporate culture and has to be managed from the top, i.e. by the managing director and the management team. Employees are also involved in this awareness process through adequate training. Companies should order and prioritise their data-related procedures in accordance with the principles of privacy by design and privacy by default: that is, they should build data protection in from the moment a product or service is conceived and designed, choosing approaches that prevent problems affecting personal data rather than remedying them afterwards.
An even wider definition of personal data
The concept of "personal data" covers all information that identifies a person or makes a person identifiable, together with details relating to his or her characteristics, habits, lifestyle, personal relationships, health and economic situation. The definition becomes wider still, and more structured, when electronic communications and new technologies are taken into account, with geolocation carrying significant weight.
This transition, certainly problematic, brings new challenges and opportunities and places data protection, as a fundamental human right, at the centre of the international debate and of digital policy. It marks a significant turning point. Digitalisation has raised a number of information security issues which, until a few years ago, could be handled by the national authority of each EU country and which now require a more focused and structured legal framework. The spread of platforms such as SaaS (Software as a Service) and the growth of cloud computing have completely changed the scenario.
The European Data Protection Supervisor (EDPS) therefore responded positively in 2011 to the request to reform the legal framework on personal data protection, the existing legislation no longer being fit for purpose.
Although it is far too early to predict the impact of the Regulation, we believe it is worth focusing on some general considerations and on some of the GDPR's consequences on the international scene.
The potential applicability of the GDPR worldwide
One of the important changes brought about by the GDPR is certainly its potential worldwide applicability: the Regulation reaches beyond European borders in the name of personal data protection.
The Regulation applies not only where data are handled by EU-based companies, but also wherever a company that is not EU-based processes the personal data of individuals in the EU in order to offer them goods or services or to monitor their behaviour within the EU.
Consequently, foreign companies that continue to offer and provide services to individuals in the EU cannot avoid complying with the GDPR.
Furthermore, even UK organisations may have to comply with the Regulation in order to protect UK citizens' personal data and to remain competitive in the EU market, for reasons of opportunity and convenience as much as because of the obligation described above, and in any event for as long as Brexit has not materialised.
The lack of connection with the data location
The Regulation not only binds foreign companies that process the personal data of individuals in the EU; it also aims to govern all processing of personal data irrespective of where the data are located. It therefore provides that all personal data processing by EU-based companies is subject to the GDPR, whether the processing is carried out inside or outside the EU.
Legally, such data come under this new Regulation rather than under national laws alone. The physical location of the data loses relevance in the face of the aim of giving the individuals concerned greater control over the information collected, processed and used by third parties.
Companies may of course stop doing business with individuals in the EU in order to avoid complying with the GDPR, but that choice has to be made deliberately: the GDPR's application must be taken into account whenever a company provides a web service that is also available to individuals in the EU.
The imposition of strict fines
Fines for non-compliant companies can reach 4% of global annual turnover or EUR 20 million, whichever is higher. The scale of these measures has drawn the attention of all parties, particularly in the US, where many organisations have a strong presence in the EU. The GDPR applies to organisations of any size, from sole traders to large companies.
Forward-looking companies began setting up their compliance programmes as soon as the Regulation was announced, but the task is complex and meeting the 25 May deadline may prove difficult.
According to PwC reports, 9% of US companies state that they have allocated more than USD 10 million to achieving compliance.
Some compliance requirements for companies
- Accountability principle: data processing must be carried out under documented procedures, whether those procedures are managed by the company itself or by third parties on its behalf. This makes the controller responsible and obliges it to demonstrate compliance with the GDPR.
- Risk-based approach: the driving force of the Regulation is to make companies accountable; they are therefore asked to comply with GDPR principles by adopting a risk-based approach and carrying out risk assessments.
- Clear and concise consent: much attention is paid to consent to the processing of personal data, which must be clear, concise, distinguishable from other matters and unambiguous.
- Data protection by design and by default: privacy is managed and implemented through default settings from the design phase onwards, meaning that companies must take personal data protection into account from the moment a product, service or app begins to be designed and developed.
- Right to be forgotten: individuals are entitled to have their data erased by the controller without undue delay when certain conditions laid down by the GDPR are met, for example when the data are no longer necessary for the purposes for which they were collected, or when the individual withdraws consent.
- Right to data portability: individuals are entitled to receive their personal data in a structured, commonly used and machine-readable format so as to transmit them to another controller, without hindrance from the former controller.
- Appointment of an EU representative: the representative acts on behalf of a controller or processor not established in the EU and may be addressed by any supervisory authority.
How to make the transition easier?
Complying with the EU Regulation on personal data protection requires solid legal training and, at the same time, considerable technical implementation skills, given ongoing digitalisation and the use of ever more innovative and complex technologies.
Companies may therefore rely on professionals able to provide multidisciplinary services and advice, not only legal and IT, who can build synergies between professionals and business staff such as engineers and mathematicians.
Consequently, the burdensome commitment to follow the GDPR, together with the obligation to comply with the law, should also allow companies to combine these skills and join forces in a transition process that will ultimately result in growth.
The author of this post is Giorgio Piccolotto.
In less than a year, on 25 May 2018, the new European Regulation on the protection of personal data, Regulation (EU) 2016/679, becomes applicable. Whatever its size or business activity, every company processes personal data at some point.
The new sanctions are a strong incentive to prepare organisations for compliance with the new legal framework within the next twelve months.
Non-European undertakings must also pay particular attention to these new measures, the main aspects of which are summarised below.
Extraterritorial application
The Regulation applies to the processing of personal data where the controller is established in the territory of the European Union.
Where the controller is not established in the European Union, the Regulation applies when the processing concerns persons located in the European Union and is linked to the offering of goods or services to those persons, or to the monitoring of their behaviour. Such non-EU companies must appoint a representative in the EU.
The right to data portability and appointment of a DPO
This new right enables a person to recover the data he or she has supplied in an easily reusable form, on a USB key for example. Companies must organise themselves to be able to meet these portability requirements.
Appointment of a Data Protection Officer
In the cases provided for by the Regulation, companies must appoint a DPO (Data Protection Officer), the successor to the CIL (Correspondant Informatique et Libertés), who is chosen on the basis of professional skills (legal and technical), independence and accessibility, in order to ensure compliance.
We would point out that a specialist lawyer should be able to perform this role, provided the relevant Bar rules do not prevent it.
Sanctions
These measures must be respected, at the risk of heavy sanctions.
Depending on the category of infringement, these sanctions may amount to:
- EUR 10 million or EUR 20 million; or
- 2% or 4% of annual worldwide turnover,
whichever of the two amounts is higher.
Recommendations
To ensure that your practices comply with the new legislation, it is necessary to:
- launch an internal project dedicated to compliance with the new legislation within the next nine months;
- anticipate the obligations laid down by the Regulation;
- budget for the right to data portability and for the DPO position;
- for SMEs, organise the sharing of the DPO position with other companies.
The author of this post is Thierry Aballéa.
My turf, my rules! The EU levies on personal data, from the EU to beyond its borders
11 April 2018
- Europe
- Privacy and data protection
The CNIL decision illustrates the risk of distributing insurance products through an intermediary without controlling its activities. Acting through intermediaries, in particular for insurance companies operating from another EU country in FOS under the Insurance Distribution Directive (Directive (EU) 2016/97 of 20 January 2016), requires strict control through contractual provisions that define:
- a clear allocation of duties between insurer and distributor (who is controller, joint controller or processor?) as regards the technical means used to protect personal data (who does what, and who checks it?) and the legal requirements (who notifies the authorities in case of a security breach, who answers requests from data subjects, etc.);
- the insurer's right to audit the distributor's technical means of protection at any time during the term of the contract. In addition, one should always bear in mind that the insurer must actually carry out this audit, efficiently and at regular intervals. As Napoleon rightly said: "You can govern from afar, but you can only administer closely."
The concept of privacy by design has been around for a few decades. Although it has been referred to in studies since the 1970s and has been present in legislation since as early as the 1990s, it was consolidated only in 2009 with the work of Ann Cavoukian, the Information and Privacy Commissioner of Ontario, Canada.
Cavoukian defined the seven foundational principles of privacy by design: (i) proactive not reactive, preventative not remedial; (ii) privacy as the default setting; (iii) privacy embedded into design; (iv) full functionality, positive-sum not zero-sum; (v) end-to-end security, full lifecycle protection; (vi) visibility and transparency, keep it open; and (vii) respect for user privacy, keep it user-centric.
After being adopted as a privacy standard by the International Conference of Data Protection and Privacy Commissioners in 2010, privacy by design was also included in the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016). In the GDPR (Article 25), however, it is no longer a mere principle: it has become a binding legal obligation, and failure to comply can lead to severe administrative fines (Article 83(4)(a)).
As regards privacy by design, the GDPR provides that the controller shall implement appropriate technical and organisational measures designed to implement the data protection principles effectively and to integrate the necessary safeguards into the processing. Which measures are appropriate is determined taking into account (i) the nature, scope, context and purposes of the processing, (ii) the risks to the rights and freedoms of natural persons, (iii) the state of the art and (iv) the cost of implementation.
As regards privacy by default, the GDPR provides that the controller shall implement appropriate technical and organisational measures to ensure that, by default, (i) only the personal data that are necessary are processed, (ii) only to the extent necessary, (iii) they are accessible only to the individuals who need them, and (iv) they are stored only for the period necessary.
Both privacy by design and privacy by default are built around the implementation of appropriate technical and organisational measures to safeguard the data protection principles and rules. The GDPR gives some examples of such measures (pseudonymisation, encryption, anonymisation), but it is not a catalogue of measures or of other privacy-enhancing technologies (PETs), and the examples given should not be read as mandatory.
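As an added illustration, not taken from the article, of what "appropriate technical and organisational measures" can look like once they reach code: the Python sketch below applies pseudonymisation (one of the measures the GDPR itself names), data minimisation, role-bound access and storage limitation to a customer record collected through an over-eager web form. The purpose policy, the role table, the key and the sample record are constructed for the example and are not a prescribed configuration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed example policy (not from the article): the fields each
# processing purpose strictly needs and the default retention for that purpose.
PURPOSE_FIELDS = {
    "newsletter": {"email"},
    "claims_handling": {"email", "policy_no", "date_of_birth"},
}
PURPOSE_RETENTION = {
    "newsletter": timedelta(days=365),
    "claims_handling": timedelta(days=5 * 365),
}
# Constructed example: which roles may read which stored fields
# (privacy by default, point (iii): accessible only to those who need it).
ROLE_FIELDS = {
    "marketing": {"subject_token", "expires_at"},
    "claims_agent": {"subject_token", "policy_no", "date_of_birth", "expires_at"},
}


def pseudonymise(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 token.

    An unkeyed SHA-256 of an e-mail address is a weak pseudonym: addresses are
    guessable, so the hash can be brute-forced or simply recomputed by anyone.
    With a secret key that the controller stores apart from the data, linking
    the token back to a person requires that key.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def minimise(record: dict, purpose: str, opt_in: frozenset = frozenset()) -> dict:
    """Keep only the fields the purpose needs plus any the subject explicitly
    opted in to; everything else the form collected is dropped (point (i))."""
    allowed = PURPOSE_FIELDS[purpose] | opt_in
    return {k: v for k, v in record.items() if k in allowed}


def store(record: dict, purpose: str, key: bytes, now: datetime,
          opt_in: frozenset = frozenset()) -> dict:
    """Build the record that is actually persisted: minimised, with the e-mail
    replaced by a token, and stamped with a purpose-bound expiry (point (iv))."""
    kept = minimise(record, purpose, opt_in)
    kept["subject_token"] = pseudonymise(kept.pop("email"), key)
    kept["expires_at"] = now + PURPOSE_RETENTION[purpose]
    return kept


def read(record: dict, role: str) -> dict:
    """Return only the fields the given role is permitted to see."""
    visible = ROLE_FIELDS.get(role, set())
    return {k: v for k, v in record.items() if k in visible}


def purge_expired(records: list, now: datetime) -> list:
    """Drop every record whose retention period has elapsed."""
    return [r for r in records if r["expires_at"] > now]


def run_example() -> dict:
    """End-to-end run on a constructed over-collecting web form; returns the
    intermediate results so they can be inspected or tested."""
    key = b"example-only key; real keys come from a secrets store"  # constructed
    now = datetime(2019, 11, 26, tzinfo=timezone.utc)
    submitted = {  # constructed sample input: the form asks for far too much
        "email": "Alice@Example.com",
        "name": "Alice",
        "phone": "+33 6 00 00 00 00",
        "policy_no": "P-0001",
        "date_of_birth": "1980-01-01",
    }
    newsletter = store(submitted, "newsletter", key, now)
    claim = store(submitted, "claims_handling", key, now)
    return {
        "newsletter_fields": sorted(newsletter),
        "claim_fields": sorted(claim),
        "same_token": newsletter["subject_token"] == claim["subject_token"],
        "marketing_view_of_claim": sorted(read(claim, "marketing")),
        "left_after_400_days": len(purge_expired([newsletter, claim], now + timedelta(days=400))),
        "left_after_6_years": len(purge_expired([newsletter, claim], now + timedelta(days=6 * 365))),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value}")
```

Two design points are worth noting. The same person receives the same token across purposes only because the same key is used, which is what lets the controller answer an access or erasure request while analysts see no raw identifier; rotate the key and the link is gone. And `purge_expired` is what gives "stored only for the necessary period" teeth: a retention policy that is never executed is a document, not a measure.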
Clear guidance on privacy by design and by default is not to be found in the GDPR itself; it is work in progress for the whole community and all parties involved. But the GDPR clearly intends to reach the core of the digital system and to reshape its values regarding privacy.
Whether this ambition will succeed is uncertain, but some important challenges are already very clear, such as the role of the producers of products, services and applications, and the integration of data protection principles into User Experience (UX) and User Interface (UI) design and into software development planning (agile and scrum, for instance).
Meanwhile, examples of the real impact of privacy by design and by default are emerging. In 2018, Valve changed the privacy settings of users of the gaming platform Steam, making the list of games owned private by default. As a direct consequence, the analytics activity of SteamSpy and similar companies was severely damaged.
Privacy by design is certainly, for those closely involved in designing products, services and applications, one of the most interesting and challenging topics in personal data protection.
On 25 May 2018, Regulation (EU) 2016/679 on the protection of personal data (hereinafter the "Regulation" or "GDPR") became applicable. It is an EU legislative instrument aimed at strengthening the right of natural persons to the protection of their personal data, which has been elevated to a "fundamental right" in the Charter of Fundamental Rights of the European Union (Article 8(1)) and in the Treaty on the Functioning of the European Union (Article 16(1)).
The Regulation applies directly in Italian law and does not require implementation by the national legislator. Its provisions prevail over national law. In practice, this means that in the event of a conflict between a provision of the Regulation and one of the "old" Legislative Decree 196/2003, the Regulation prevails.
The GDPR consists of 99 articles, only some of which constitute a novelty compared with the previous regime and bear specific relevance for the owners and managers of accommodation facilities.
The first novelty concerns "explicit consent" for the processing of "sensitive" data and for decisions based on automated processing, including profiling (Article 22). The client must give consent to the processing of these data separately from the consent relating to other data. Consent obtained before 25 May 2018 remains valid only if it meets the requirements below.
Controllers are therefore required, for example, to modify their websites and the promotional newsletters sent to customers. Customers must be made aware of the purposes for which data are collected and of the rights to which they are entitled. To subscribe to a newsletter, only the e-mail address should be necessary; if the controller asks for more data, the purposes of the request must be specified. Before sending the subscription request, the customer must give consent and accept the privacy policy. The privacy notice must be clearly accessible from the home page of the website and, for the newsletter, it must also be indicated and linked in the registration box.
Substantial changes were also introduced to the duties of the Data Controller and the Data Processor. Both roles are important in the hotel industry.
The Data Controller must now (i) be able to prove that the data subject has consented to a specific processing, (ii) provide the contact details of the Data Protection Officer, (iii) state whether personal data are transferred to third countries and, if so, by what means, (iv) specify the retention period or the criteria used to determine it, as well as the right to lodge a complaint with the supervisory authority, and (v) indicate whether the processing involves automated decision-making (including profiling) and its envisaged consequences for the data subject.
The Data Processor, on the other hand, is a professional or organisation (internal or external to the business) that processes data on behalf of the controller and must guarantee compliance with the GDPR rules in managing and processing the data.
Under the Regulation, the duties of the processor include (i) keeping a record of processing activities (Article 30(2)) and (ii) adopting suitable technical and organisational measures to ensure the security of processing (Article 32).
The contact details of the DPO must be indicated in the privacy notice given to the customer. The relationship between the processor and the controller is governed by a contract that must strictly regulate the matters set out in Article 28(3), so as to demonstrate that the processor provides "sufficient guarantees" for the correct management and processing of data. The processor may appoint a sub-processor only for limited processing activities, in compliance with the contract, and remains liable for the sub-processor's non-compliance.
In light of these provisions, hotels will have to assess more carefully the risks arising from data processing, prepare detailed procedures enabling constant monitoring of, among other things, the suitability of the processing, promptly notify any security breach involving the accidental disclosure of data, and adapt the information notices given to customers.
Finally, penalties for violations of the GDPR can be very significant and reach up to 4% of the company's turnover, far more severe than those previously in force. Close attention to GDPR compliance is therefore necessary, since incorrect or defective application can cause serious harm to the company.
The author of this post is Giovanni Izzo.
The right to data portability and appointment of a DPO
This new right enables a person to recover the data that he has supplied in a form that is easily reusable, such as a USB key for example. Companies must get organised in order to be able to satisfy these portability requirements.
Appointment of a Data Protection Officer
Companies must appoint a DPO (Data Protection Officer), successor to the CIL (Correspondant Informatique et Libertés) who is appointed based on his professional skills (legal and technical), his independence and his accessibility in order to ensure compliance.
We would like to point out that a specialist lawyer should be authorised to carry out this role provided relevant Bar rules do not prevent it.
Sanctions
These measures must imperatively be respected at the risk of seeing heavy sanctions imposed.
Depending on the category of infraction, these sanctions may amount to:
- 10 to 20 million euro; or
- 2% to 4% of annual world revenues,
The higher of the above two amounts is applied.
Recommendations
To ensure that your practices comply with the new legislation, it is necessary to:
- Set in motion an internal project dedicated to compliance with the new legislation within the next 9 months;
- Anticipate the obligations specified by the Regulation;
- Budget for the right to data portability and the position of DPO;
- Organise, for SME, the sharing of the DPO position with other companies.
The author of this post is Thierry Aballéa.
GDPR – Entry into force and field of application
16 March 2018
- Italy
- Privacy and Data Protection
- a clear allocation of duties between insurer and distributor: who is controller, joint controller or processor; who implements and who checks the technical measures protecting personal data; and who bears each legal obligation (notifying the supervisory authority of a personal data breach, answering data subjects’ requests, and so on);
- the insurer’s right to audit the distributor’s technical measures at any time during the term of the contract. A right that is never exercised protects nobody: the insurer should actually carry out these audits at regular intervals. As Napoleon put it: “You can govern from afar, but you can only administer closely”.
The concept of privacy by design has been around for a few decades. Although it has been referred to in studies since the 1970s and present in legislation since the early 1990s, it was only consolidated in 2009 with the work of Ann Cavoukian, the Information & Privacy Commissioner of Ontario, Canada.
Cavoukian defined the seven foundational principles of privacy by design: (i) proactive not reactive, preventative not remedial; (ii) privacy as the default setting; (iii) privacy embedded into design; (iv) full functionality – positive-sum, not zero-sum; (v) end-to-end security – full lifecycle protection; (vi) visibility and transparency – keep it open; and (vii) respect for user privacy – keep it user-centric.
After being adopted as a privacy standard by the International Conference of Data Protection and Privacy Commissioners in 2010, privacy by design was also written into the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016). In the GDPR (Article 25), however, it is no longer a mere principle: it has become a binding legal obligation, and failure to comply can lead to severe administrative fines (Article 83(4)(a)).
Regarding privacy by design, the GDPR requires the controller to implement appropriate technical and organisational measures designed to implement the data protection principles in an effective manner and to integrate the necessary safeguards into the processing. What counts as appropriate is determined taking into account (i) the nature, scope, context and purposes of the processing, (ii) the risks to the rights and freedoms of natural persons, (iii) the state of the art, and (iv) the cost of implementation.
Regarding privacy by default, the GDPR requires the controller to implement appropriate technical and organisational measures ensuring that, by default, (i) only the personal data necessary for each specific purpose are processed, (ii) only to the extent necessary, (iii) that they are accessible only to those who need them, and (iv) that they are stored only for as long as necessary.
Both privacy by design and privacy by default revolve around the implementation of appropriate technical and organisational measures to safeguard the data protection principles and rules. The GDPR names a few such measures by way of example (pseudonymisation, encryption, anonymisation), but it is not a catalogue of measures or of other privacy enhancing technologies (PETs), and the examples should not be read as mandatory.
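As an added illustration of one of the measures named above (example code, not from the original article): keyed pseudonymisation of customer identifiers in Python. It contrasts a plain, unkeyed hash of an e-mail address, which anyone holding a list of candidate addresses can reverse by guessing, with an HMAC under a secret key kept apart from the dataset. The customer records, the guess list and the keys are all constructed inline for the example.

```python
"""Keyed pseudonymisation of direct identifiers (added, constructed example).

Contrasts an unkeyed SHA-256 "pseudonym", which is reversible by guessing,
with an HMAC-SHA256 pseudonym under a secret key kept apart from the data.
Records, guess list and keys below are constructed for the example.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample records, as an intermediary's customer file might hold them.
CUSTOMERS = [
    {"email": "alice@example.com", "policy": "MOTOR-001", "plate": "AB-123-CD"},
    {"email": "bob@example.net", "policy": "HOME-042", "plate": None},
]


def normalise(email: str) -> bytes:
    """Canonical form so the same address always yields the same pseudonym."""
    return email.strip().lower().encode("utf-8")


def unkeyed_pseudonym(email: str) -> str:
    """Plain hash of the identifier. Deterministic and unkeyed, so anyone
    with a list of candidate addresses can recompute and match it."""
    return hashlib.sha256(normalise(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key a guess cannot be
    turned into the pseudonym; the key is the 'additional information'
    that must be kept separately for this to count as pseudonymisation."""
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()


def pseudonymise(records: Iterable[dict], key: bytes,
                 keep: tuple = ("policy",)) -> list:
    """Replace the direct identifier with a keyed pseudonym and keep only the
    fields the downstream processing needs (data minimisation by default)."""
    return [
        {"subject": keyed_pseudonym(r["email"], key), **{k: r[k] for k in keep}}
        for r in records
    ]


def reidentify_by_guessing(pseudonym: str, candidates: Iterable[str],
                           fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: apply the attacker's best reconstruction of the
    pseudonymisation function to each guess and compare in constant time."""
    for c in candidates:
        if hmac.compare_digest(fn(c), pseudonym):
            return c
    return None


def demo() -> dict:
    """Run the comparison; returns who could re-identify Alice in each setting."""
    key = secrets.token_bytes(32)                # held by the controller, e.g. in a KMS
    attacker_guess_key = secrets.token_bytes(32)  # attacker has the data, not the key
    guesses = ["carol@example.org", "alice@example.com", "bob@example.net"]

    weak = unkeyed_pseudonym("Alice@Example.com")
    strong = keyed_pseudonym("Alice@Example.com", key)
    return {
        "unkeyed_hash": reidentify_by_guessing(weak, guesses, unkeyed_pseudonym),
        "keyed_without_key": reidentify_by_guessing(
            strong, guesses, lambda e: keyed_pseudonym(e, attacker_guess_key)),
        "keyed_with_key": reidentify_by_guessing(
            strong, guesses, lambda e: keyed_pseudonym(e, key)),
        "dataset": pseudonymise(CUSTOMERS, key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The point for a controller or processor: hashing an identifier on its own is not pseudonymisation in the GDPR sense, because the "additional information" needed to re-identify (a list of plausible addresses) is freely available to anyone. With a keyed function, the key is that additional information; it has to be generated, stored and access-controlled separately from the pseudonymised dataset, and the data remain personal data for whoever can obtain the key.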
The GDPR itself contains no detailed guidance on privacy by design and by default; that guidance is still being worked out by the community and the parties involved. But the GDPR clearly intends to reach the core of the digital economy and reshape its values regarding privacy.
Whether this ambition succeeds remains uncertain, but some important challenges are already clear: the role of producers of products, services and applications; the integration of data protection principles into User Experience (UX) and User Interface (UI) design; and their integration into software development planning (in agile and scrum processes, for instance).
In the meantime, examples of the real impact of privacy by design and by default are coming to light. In 2018, Valve changed the privacy settings of users of the Steam gaming platform, making the list of games owned private by default. As a direct consequence, the analytics activity of SteamSpy and similar companies was severely damaged.
Privacy by design is certainly, for those closely involved in designing products, services and applications, one of the most interesting and challenging topics in personal data protection.
On 25 May 2018, EU Regulation 2016/679 on the protection of personal data (hereinafter the “Regulation” or “GDPR”) became applicable. It is an EU legislative instrument aimed at strengthening the right of natural persons to the protection of their personal data, a right elevated to “fundamental right” by the Charter of Fundamental Rights of the European Union (Article 8(1)) and the Treaty on the Functioning of the European Union (Article 16(1)).
The Regulation applies directly in Italian law and requires no implementing act by the national legislator; its provisions prevail over national law. In practice, this means that in the event of a conflict between a provision of the Regulation and one of the “old” Legislative Decree 196/2003, the former prevails over the latter.
The GDPR consists of 99 articles, only some of which are new compared with the preceding regime and of specific relevance to the owners and managers of accommodation facilities.
The first novelty concerns “explicit consent” for the processing of “sensitive” data and for decisions based solely on automated processing, including profiling (Article 22). The guest must give consent to the processing of these data separately from the consent given for other data. Consent obtained before 25 May 2018 remains valid only if it meets the requirements below.
Hotel owners must, for example, adapt their websites and the promotional newsletters they send to customers, who must be told the purposes for which the data are collected and the rights they enjoy. To subscribe to a newsletter, the e-mail address alone should be required; if the owner asks for more data, the purpose of the request must be stated. Before sending the subscription request, the customer must give consent and accept the privacy policy. The privacy policy must be clearly accessible from the website’s home page and, for the newsletter, must also be referenced and linked in the registration box itself.
Substantial changes were also introduced in relation to the duties of the Data Controller and the Data Processor. Both profiles are important in the hotel industry.
The Data Controller must now (i) be able to demonstrate that the data subject has consented to a specific processing; (ii) provide the contact details of the Data Protection Officer, where one has been appointed; (iii) state whether personal data are transferred to third countries and, if so, under which safeguards; (iv) specify the retention period of the data, or the criteria used to determine it, and inform the data subject of the right to lodge a complaint with the supervisory authority; and (v) indicate whether the processing involves automated decision-making (including profiling) and the envisaged consequences for the data subject.
The Data Processor, on the other hand, is a natural or legal person (internal or external to the organisation) who processes personal data on behalf of the Data Controller and must guarantee compliance with the rules of the GDPR in the management and processing of those data.
Under the Regulation, the duties of the processor include: (i) keeping a record of the processing activities carried out on behalf of the controller (Article 30(2)), and (ii) implementing appropriate technical and organisational measures to ensure the security of the processing (Article 32).
Where a DPO has been appointed, its contact details must be indicated in the privacy policy given to the customer. The relationship between the processor and the controller is governed by a contract that must regulate the matters listed in Article 28(3), so as to demonstrate that the processor provides “sufficient guarantees” for the correct management and processing of data. The processor may engage a sub-processor only with the controller’s authorisation and for the processing activities defined in the contract, and remains fully liable to the controller for the sub-processor’s failures.
In light of these provisions, hotels will have to assess more carefully the risks arising from their data processing; set up detailed procedures for ongoing monitoring, including of the appropriateness of the processing; notify personal data breaches promptly (to the supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals); and update the information notice given to customers.
Finally, the penalties for GDPR violations can be very significant: up to EUR 20 million or 4% of the company’s total worldwide annual turnover, whichever is higher. They are thus far more severe than those previously provided for, and close attention to GDPR compliance is necessary, since an incorrect or defective application can cause serious harm to the company.
The author of this post is Giovanni Izzo.
The General Data Protection Regulation (Regulation (EU) 2016/679) took effect on 25 May 2018. It applies to all processing of personal data, whether automated or not. The most distinctive feature of the Regulation, however, is its territorial scope. Many considered that the virtual world had abolished borders, and the largest players on the internet generated a great deal of controversy, in particular by escaping local legislation on tax matters. The EU therefore decided to set the record straight. Its message is clear: whether you are in the United States, in Asia or elsewhere, when you process the personal data of EU residents you must comply with these rules.
The high cost of sanctions means that this new legal framework must be taken very seriously. The maximum fine is set at 4% of the previous financial year’s turnover, which for any company sanctioned in 2018 means its 2017 turnover. For the GAFA (Google, Apple, Facebook and Amazon), for example, the maximum fine for non-compliance can be estimated as follows: around USD 7.1 billion for Amazon on turnover of about USD 178 billion (more than its profit…), around USD 5.6 billion for Apple on turnover of about USD 141 billion, around USD 4 billion for Google on turnover of about USD 100 billion, and around USD 1.28 billion for Facebook on turnover of about USD 32 billion.
The limited territorial scope of the previous Directive
European Directive 95/46/EC of 24 October 1995 was transposed in France by Law no. 2004-801 of 6 August 2004, which updated the French Data Protection Act, Law no. 78-17 of 6 January 1978.
The Directive could of course apply to controllers not established in the EU, but only if they made use of processing equipment located on EU territory.
It turned out that many operators managed to escape the European data protection rules by arguing that their processing took place outside EU territory.
For years, Google maintained that the data it collected in France and Europe was governed not by French law but by Californian law, since the company and its servers were located in California.
Since the European Commission’s purpose is to protect personal data, the new Regulation had to correct this shortcoming.
Extraterritorial scope of the Regulation
From 25 May 2018, the European Regulation applies to all processing of personal data where the controller or the processor (generally an IT service provider) is established in the EU, whether or not the processing itself takes place in the EU.
The Regulation also provides that, where the controller or processor is not established in the EU, it applies whenever the processing concerns a data subject located in the EU, whatever the nationality of the person concerned.
Controller or processor established in the EU
The Regulation does not define the concept of establishment. The French and European courts have interpreted it broadly, favouring a reading based on the effective and real exercise of an activity through stable arrangements.
Establishment has been found (by the Court of Justice of the EU in Weltimmo, 1 October 2015) where a company had a representative, a bank account and a letterbox in the Member State concerned.
Moreover, the legal form of the establishment is not decisive. The processing of personal data by a non-European controller through a simple branch without legal personality must therefore also comply with the Regulation.
Controller or processor not established in the EU
Where the controller or processor is not established in the EU and has no establishment there, the Regulation applies when the processing concerns data subjects located in the EU and the processing activities relate to internet users in the 28 Member States (some 520 million inhabitants) through:
- (i) the offering of goods or services to those users, whether paid or free of charge;
The Regulation gives no definition of the offering of goods and services, but it provides indications that make it possible to characterise such an offer (recital 23), such as the use of a language or currency generally used in one or more Member States to order goods and services, or the mention of customers or users who are in the EU.
The mere accessibility of a website, an e-mail address or other contact details is not, however, sufficient.
In other words, the controller’s intention towards the persons concerned must be examined: does it intend to offer goods or services to persons in the European Union?
- (ii) the monitoring of users’ behaviour, where that behaviour takes place within the EU.
In particular, the Regulation refers to the tracking of natural persons in order to take decisions concerning them or to analyse or predict their personal preferences, behaviour and attitudes.
These two conditions, (i) and (ii), are alternative, not cumulative.
What about transfers of personal data outside the EU?
In principle, transfers of personal data outside the EU are prohibited. The aim is to shield personal data from “data havens” where more flexible rules apply.
There are many exceptions to this principle:
- Transfers to countries of the European Economic Area
These countries have signed an agreement with the EU under which they adopted the personal data protection rules.
- Transfers to countries covered by an adequacy decision
The European Union recognises that certain countries have personal data protection rules equivalent to the European Regulation.
- Transfers to countries on the basis of standard contractual clauses or BCRs (“binding corporate rules”)
These countries have no adequacy decision or no personal data protection rules. The idea is therefore to establish contractual rather than statutory protection for the data, through standard clauses or an intra-group agreement.
Standard contractual clauses
Standard clauses have been drawn up by the European Commission and are available on its website. They are concluded between the controller and a processor established abroad within the framework of an IT services agreement, or for the sending of personal data to subsidiaries or entities of a group.
Currently, before using these clauses, the controller must obtain an authorisation from the French supervisory authority (CNIL). This authorisation requirement will cease on 25 May 2018.
Binding corporate rules (BCR)
BCRs concern only groups of companies. Within the group, a charter is adopted by which all subsidiaries and entities undertake to comply with the European data protection rules.
Once drafted, the charter is submitted for approval to the European data protection authorities under a mutual recognition system.
This approval requirement will continue after 25 May 2018.
Transfers of personal data to the United States: the “Privacy Shield” system
This is an international arrangement between the European Union and the United States, enforced on the US side by the Federal Trade Commission (FTC), to which American companies are free to subscribe. Under its terms, the FTC undertakes to ensure that companies signed up to the system comply with the data protection rules it contains. (The Privacy Shield was later invalidated by the Court of Justice of the EU in its judgment of 16 July 2020 in Schrems II, C-311/18, and can no longer be relied on as a transfer mechanism.)
In conclusion, the European personal data protection Regulation is meant to apply to companies anywhere in the world that process the personal data of European residents.
It puts an end to the practice whereby online services chose the most favourable and least stringent country in which to develop their business model, and to hide-and-seek forum shopping.
The level of sanctions removes any doubt about the firmness with which this new framework will be applied. The risk it creates can hardly be regarded as secondary.
It requires any company that uses the personal data of the 520 million inhabitants of the 28 EU Member States to think carefully and comply with the Regulation.
The author of this post is Thierry Aballéa.
The application of the General Data Protection Regulation (“GDPR”), applicable since 25 May 2018, obliges companies to deal with IT security and with their liability for the collection and storage of personal data, with no room for further hesitation. Privacy protection becomes part of corporate culture and has to be driven from the top, by the managing director and the management team. Employees are also involved through adequate training on the subject. Companies should set the order and priorities of their data-related procedures in accordance with the privacy by design and privacy by default principles: in other words, they should build data protection in from the moment a product or service is conceived and designed, choosing approaches that prevent problems with personal data rather than remedying them afterwards.
An even wider definition of personal data
The concept of “personal data” covers all information that identifies a person or makes him or her identifiable and provides details of his or her features, habits, lifestyle, personal relationships, health and economic situation. The definition becomes wider still, and more structured, when electronic communications and new technologies are considered, with geolocation data carrying significant weight.
This transition, certainly not painless, brings new challenges and opportunities and places data protection as a fundamental human right at the centre of the international debate and of digital policy. It marks a significant turning point: digitalisation has created information security problems which until a few years ago could be handled by the national authorities of each EU country and which now call for a more focused and structured legal framework. The rise of SaaS (Software as a Service) platforms and the growth of cloud computing have completely changed the scenario.
The European Data Protection Supervisor (EDPS) therefore welcomed the 2011 proposal to reform the legal framework on personal data protection, since the existing legislation was no longer adequate.
Even though it is way too early to predict the impact of such privacy regulation, we believe that it is interesting to focus on certain general considerations and some of the GDPR’s outcomes in the international scenario.
The potential applicability of the GDPR worldwide
Certainly, one of the important changes brought by the GDPR is its potential worldwide applicability: in the name of personal data protection, the Regulation reaches beyond European borders.
It applies not only where data are processed by EU-based companies, but also where a company that is not based in the EU processes the personal data of individuals who are in the EU, for the purpose of offering them goods or services or of monitoring their behaviour within the EU.
Consequently, foreign companies that continue to offer and provide their services to people in the EU cannot avoid complying with the GDPR.
Furthermore, UK organisations may also be led to comply with the Regulation, to protect UK citizens’ personal data and to remain competitive in the EU market, for reasons of opportunity and convenience quite apart from the compulsory application described above and, in any case, for as long as Brexit does not materialise.
The lack of connection with the data location
The Regulation does not only bind foreign companies that handle the personal data of people in the EU; it also aims to govern all processing of personal data irrespective of where the data are located. All processing carried out by EU-based companies is therefore subject to the GDPR, whether it takes place inside or outside the EU.
Legally, such data fall under this new Regulation rather than under national laws alone: the physical location of the data loses relevance in favour of giving the individuals concerned greater control over the information that third parties collect, process and use.
Companies may of course stop doing business with people in the EU in order to avoid the GDPR, but that choice must be made knowingly: the GDPR’s application must be considered whenever a company provides a web service that is also available to people in the EU.
The disposition of strict fines
The fines for companies that fail to comply can reach EUR 20 million or 4% of global annual turnover, whichever is higher. The size of these measures drew the attention of all parties, particularly in the US, where many organisations have a strong presence in the EU. Moreover, the GDPR applies to organisations of any size, from individual enterprises to large companies.
Forward-looking companies began their compliance programmes as soon as the Regulation was announced, but the task is complex and meeting the 25 May deadline may prove difficult.
According to PwC’s reports, 9% of US companies declare to have allocated more than 10 million dollars with the aim to obtain such compliance.
Some compliance requirements for companies
- Accountability principle: processing must follow documented procedures, whether it is carried out by the company itself or by third parties on its behalf. The data controller is responsible for compliance with the GDPR and must be able to demonstrate it.
- Risk-based approach: the driving force of the Regulation is to make companies responsible; they are asked to comply with the GDPR principles by adopting a risk-based approach and carrying out risk assessments.
- Clear and concise consent: great attention is paid to consent to the processing of personal data, which must be clear, concise, distinguishable from other matters and unambiguous.
- Data protection by design and by default: privacy is managed and implemented through default settings from the design phase onwards; companies must take personal data protection into account from the moment a product, service or app is designed and developed.
- Right to be forgotten: individuals are entitled to have their data erased by the controller without undue delay when the conditions set by the GDPR are met, for example when the data are no longer necessary for the purposes for which they were collected, or when the individual withdraws consent.
- Right to data portability: individuals are entitled to receive their personal data in a structured, commonly used and machine-readable format, so as to transmit them to another controller without hindrance from the former controller.
- Appointment of an EU Representative: a representative who acts on behalf of the controller or processor and may be addressed by any supervisory authority.
How to make the transition process easier?
The EU regulation on personal data protection calls for solid legal training and, at the same time, considerable technical implementation skills, given ongoing digitalisation and the use of ever more innovative and complex technologies.
Companies may therefore rely on professionals able to provide multidisciplinary services and advice, not only legal and IT, who can also build synergies with business specialists such as engineers and mathematicians.
This demanding commitment to the GDPR, together with the obligation to comply with the law, should thus also lead companies to combine these skills and join forces in a transition process that can ultimately result in growth.
The author of this post is Giorgio Piccolotto.
Less than one year from now, on 25 May 2018, the new European Regulation on the protection of personal data, Regulation (EU) 2016/679, will become applicable. Whatever its size or business activity, every company has to process personal data files at some point.
The new sanctions provide a strong incentive to prepare organisations for compliance with the new legal framework in twelve months’ time.
Non-European undertakings must also be particularly careful regarding these new measures, the principal aspects of which are summarised below.
Extraterritorial application
The Regulation applies to the processing of personal data when the controller or the processor is established in the territory of the European Union.
If the controller or processor is not established in the European Union, the Regulation still applies when the processing concerns persons who are in the European Union and relates to the offering of goods or services to them or to the monitoring of their behaviour. Non-EU companies must, subject to the exceptions of Article 27, appoint a representative in the Union for this purpose.
The right to data portability and appointment of a DPO
This new right enables a person to obtain the data he or she has supplied in a structured, commonly used and machine-readable format (handed over on a USB key, for example) so that it can be reused. Companies must get organised to be able to meet these portability requests.
Appointment of a Data Protection Officer
In the cases provided for by the Regulation, companies must appoint a DPO (Data Protection Officer), successor to the CIL (Correspondant Informatique et Libertés), chosen for his or her professional skills (legal and technical), independence and accessibility, in order to ensure compliance.
We would like to point out that a specialist lawyer should be authorised to carry out this role provided relevant Bar rules do not prevent it.
Sanctions
These measures must imperatively be respected, at the risk of heavy sanctions.
Depending on the category of infringement, these sanctions may amount to:
- up to 10 or 20 million euros; or
- up to 2% or 4% of total worldwide annual turnover,
whichever of the two amounts is higher.
Recommendations
To ensure that your practices comply with the new legislation, it is necessary to:
- Launch, within the next 9 months, an internal project dedicated to compliance with the new legislation;
- Anticipate the obligations laid down by the Regulation;
- Budget for the right to data portability and for the DPO position;
- For SMEs, consider sharing a DPO with other companies.
The author of this post is Thierry Aballéa.
France – Personal Data Protection in a nutshell
8 September 2017
- France
- Privacy and Data Protection
Are insurers liable for breach of the GDPR on account of their appointed intermediaries?
Insurers acting out of their traditional borders through a local intermediary should choose carefully their intermediaries when distributing insurance products, and use any means at their disposal to control them properly. Distribution of insurance products through an intermediary can be a fast way to distribute insurance products and enter a territory with a minimum of investments. However, it implies a strict control of the intermediary’s activities.
The reason is that Insurers in FOS can be held jointly liable with the intermediary if this one violates personal data regulation and its obligations as set by the GDPR (Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
In a decision dated 18 July 2019 , the CNIL (Commission Nationale Informatique et Libertés), the French authority in charge of personal data protection rendered a decision against ACTIVE ASSURANCE, a French intermediary, for several breaches of the GDPR. The intermediary was found guilty and fined EUR 180,000 for failing to properly protect the personal data of its clients. Those were found easily accessible on the web by any technician well versed in data processing. Moreover, the personal access codes of the clients were too simple and therefore easily accessible by third parties.
Although in this particular case insurers were not fined by the CNIL, the GDPR considers that they can be jointly liable with the intermediary in case of breach of personal data. In particular, the controller is liable for any acts of the processor he has appointed, this one being considered as a sub-contractor (clauses 24 and 28 of the GDPR).
This illustrates the risks to distribute insurance products through an intermediary without controlling its activities. Acting through intermediaries, in particular for insurance companies acting from foreign EU countries in FOS under the EU Directive on freedom of insurance services (Directive 2016/97 of 20 January 2016 on insurance distribution) requires a strict control through enacting contractual dispositions whereas are defined:
- a clear distribution of the duties between insurer and distributor (who is controller/joint controller/processor ?) as regards technical means used for protecting personal data (who shall do/control what ?) and legal requirements (who must report to the authorities in case of breach of security/ who shall reply to requests from data owners?, etc.);
- the right of the insurer to audit the distributors’ technical means used for this protection at any time during the term of the contract. In addition to this, one should always keep in mind that this audit should be conducted efficiently by the insurer at regular times. As Napoleon rightly said: “You can govern from afar, but you can only administer closely”.
The concept of privacy by design has been around for a few decades. Although it has been referred to in studies since the 1970s and present in legislation since as far as the early 1990s, it was consolidated only in 2009 with the work of Ann Cavoukian, the Information & Privacy Commissioner of Ontario, Canada
This author defined the seven foundational principles of privacy by design: (i) to be proactive not reactive, preventative not remedial; (ii) privacy as the default setting; (iii) privacy embedded into design; (iv) full functionality – positive-sum, not zero-sum; (v) end-to-end security – full lifecycle protection; (vi) visibility and transparency – keep it open; and (vii) respect for user privacy – keep it user-centric.
After being adopted as a privacy standard by the International Data Protection and Privacy Commissioners in 2010, privacy by design was also included in the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016). In the GDPR (Article 25), however, it is no longer a mere principle: it has become a mandatory legal obligation, and failure to comply can lead to severe administrative fines (Article 83(4)(a)).
Regarding privacy by design, the GDPR establishes that the data controller shall implement the appropriate technical and organisational measures designed to implement data protection principles in an effective manner and to integrate the necessary safeguards into the processing. The appropriate technical and organisational measures are to be determined taking into account (i) the nature, scope, context and purpose of processing, (ii) the risks for rights and freedoms, (iii) the state of the art, and (iv) the cost of implementation.
Regarding privacy by default, the GDPR establishes that the controller shall implement the appropriate technical and organisational measures to ensure that, by default, (i) only the necessary data is processed, (ii) only to the necessary extent of processing, (iii) is only accessible by the necessary individuals, and (iv) is only stored by the necessary period of time.
Both privacy by design and privacy by default are built around the implementation of appropriate technical and organisational measures to safeguard the personal data protection principles and rules. The GDPR gives some examples of such measures (pseudonymisation, encryption, anonymisation), but it is not a catalogue of these measures or of other privacy enhancing technologies (PETs), and the examples it gives should not be read as mandatory measures.
Clear guidance on privacy by design and by default is not to be found in the GDPR; it is a work in progress for the whole community and all parties involved. But the GDPR clearly intends to affect the core of the digital age system, reshaping its values regarding privacy.
The success of this ambition is uncertain, but some important challenges are already very clear, such as the role of the producers of products, services and applications, the integration of data protection principles in the design of User Experience (UX) and User Interface (UI) and also in the software development planning (agile and scrum, for instance).
In the meantime, examples of the real impact of privacy by design and by default are coming to light. In 2018, Valve changed the privacy settings of the users of the gaming platform Steam, making games owned private by default. As a direct consequence, the analytics activity provided by SteamSpy and other similar companies was severely damaged.
Privacy by design certainly is, for those closely involved in the design process of products, services and applications, one of the most interesting and challenging topics in personal data protection.
On 25 May 2018, the EU Regulation 2016/679 came into force, concerning the “protection” of personal data (hereinafter the “Regulation” or “GDPR”). It is a Community legislative instrument aimed at strengthening the right of natural persons to have their personal data protected, which has been elevated to “fundamental right” in the Charter of Fundamental Rights of the European Union (Article 8 paragraph 1) and in the Treaty on the Functioning of the European Union (Article 16 paragraph 1).
The Regulation applies directly in Italian law and does not require any implementation by the national legislator. Its provisions prevail over national laws. From a practical standpoint, this means that, in the event of a conflict between a provision of the Regulation and one of the “old” Legislative Decree 196/2003, the former prevails over the latter.
The GDPR consists of 99 articles, of which only some constitute a novelty in comparison with the preceding regime and bear specific relevance for the owners/managers of accommodation facilities.
Indeed, the first novelty concerns the “explicit consent” for the processing of “sensitive” data and for decisions based on automated processing (including profiling, Article 22). The client must, in fact, express consent to the processing of these data separately from consent relating to other data. Consent obtained before 25 May 2018 remains valid only if it meets the requirements below.
It is required, for example, that data owners modify their websites or the promotional newsletters addressed to their customers. The latter need to be informed of the purposes for which the data is collected and of the rights to which they are entitled. To subscribe to a newsletter, only the e-mail address should be necessary; if the owners request more data, the purposes of that request must be specified. Before sending the subscription request, the customer must give his consent and accept the privacy policy. The privacy statement must be clearly accessible from the home page of the website. In particular, for the newsletter, the privacy policy must also be indicated and linked in the relevant registration box.
Substantial changes were also introduced in relation to the duties of the Data Controller and the Data Processor. Both profiles are important in the hotel industry.
Now the Data Controller must (i) be able to prove that the data subject has consented to a specific processing; (ii) provide the contact details of the Data Protection Officer; (iii) declare any transfer of personal data to third countries and, if so, by which means the transfer takes place; (iv) specify the retention period of the data or the criteria used to establish it, as well as the right to file a complaint with the supervisory authority; and (v) indicate whether the processing involves automated decision-making (including profiling) and the expected consequences for the data subject concerned.
The Data Protection Officer (“DPO”), on the other hand, is a professional (internal or external to the organisation) who guarantees observance of the rules of the GDPR in the management and processing of the data.
According to the new Regulation, the duties of this professional concern: (i) keeping the records of processing activities (pursuant to Article 30, paragraph 2, of the Regulation), and (ii) adopting suitable technical and organisational measures to ensure the security of the procedures (pursuant to Article 32 of the Regulation).
The name of the DPO must be indicated in the privacy policy delivered to the customer. The relationship between the data protection officer and the data controller is governed by a contract that must strictly regulate the matters set out in Article 28, paragraph 3, in order to demonstrate that the manager provides “sufficient guarantees” for the correct management and processing of data. The Officer may appoint a “sub-manager”, but only for limited processing activities, in compliance with the provisions of the contract, and is answerable for any non-compliance by the sub-manager.
In light of these provisions, hotels will have to carry out a more careful assessment of the risk deriving from data processing; prepare a detailed procedure enabling constant monitoring of, among other things, the suitability of the processing; promptly notify any breach of the security procedures that involves the accidental disclosure of data; and adapt the information notice delivered to the customer.
Finally, it is worth noting that the penalties for violations of the GDPR can be very significant and reach up to 4% of the company’s turnover. They are therefore far more severe than those previously in force. Close attention to compliance with the GDPR is necessary, since an incorrect or defective application can cause severe prejudice to the company.
The author of this post is Giovanni Izzo.
The General Data Protection Regulation (EU Regulation 2016/679) entered into force on 25 May 2018. It applies to all processing of data, whether automated or not. However, the most distinctive part of the Regulation is its territorial scope. Many consider that the virtual world has erased borders, and the largest players on the internet have generated a great deal of controversy, in particular for evading local legislation on tax matters. The EU therefore decided to set things straight. The message sent by the EU is clear: whether you are in the United States, Asia or elsewhere, when you process the personal data of EU residents you must comply with these rules. The high cost of the sanctions means that this new legal framework must be taken very seriously. The maximum fine is set at 4% of the previous year’s turnover, which, for any company sanctioned in 2018, means the 2017 financial year. For example, for GAFA (Google, Apple, Facebook and Amazon), should they fail to comply, the maximum fines can be estimated as follows: Amazon about USD 7.1 billion out of USD 178 billion of turnover (more than its profit…), Apple about USD 5.6 billion out of USD 141 billion of turnover, Google about USD 4 billion out of USD 100 billion of turnover, and Facebook about USD 1.28 billion out of USD 32 billion of turnover.
The limited territorial scope of the previous Directive
European Directive 95/46/EC of 24 October 1995 and French Law No. 2004-801 of 6 August 2004 updated the French Data Protection Act No. 78-17 of 6 January 1978.
The Directive could of course apply to data controllers not established in the EU, but it required them to use processing means located in the EU.
It later turned out that many processors managed to circumvent the European data protection rules by relying on the extraterritoriality of their processing.
For years, Google claimed that the data it collected in France and in Europe was not subject to French rules but to Californian rules, because the company and its servers were located in California.
Since the purpose of the European Commission is to protect personal data, the new Regulation was meant to correct this shortcoming.
The extraterritorial scope of the Regulation
From 25 May 2018, the European Regulation applies to all processing of personal data where the data controller or data processor (generally an IT service provider) is established in the EU, regardless of whether the processing itself takes place within the EU.
The Regulation also provides that, where the controller or processor is not established in the EU but the processing concerns a data subject located in the EU, the Regulation applies regardless of the nationality of the person concerned.
Controller or processor established in the EU
The Regulation does not define the concept of establishment. French and European courts have interpreted it broadly, giving priority to an interpretation based on the effective and real exercise of an activity through stable arrangements.
The concept of establishment has been held (by the Court of Justice of the EU in the Weltimmo case of 1 October 2015) to cover having a representative, a bank account and a mailbox in the Member State concerned.
Moreover, the legal form of such an establishment is not decisive. Thus, a simple branch without legal personality, through which a non-European controller processes personal data, must also comply with the Regulation.
Controller or processor not established in the EU
Where the controller or processor is neither established in the EU nor has any establishment there, the Regulation applies when the processing concerns residents located in the EU and the processing activities relate to internet users in the 28 EU Member States (some 520 million residents) by:
- (i) offering goods or services to users, whether free of charge or paid for
The Regulation contains no definition of the offering of goods and services, but it gives some indications that make it possible to characterise such an offer (Recital 23), such as the possibility of ordering goods and services in a language or currency generally used in one or more Member States, or the mention of customers or users in the EU.
However, mere access to a website, an e-mail address or other contact details is not sufficient to characterise such an offer.
In other words, the intention of the data controller towards the persons concerned must be examined: does it intend to offer goods or services to persons in the European Union?
- (ii) monitoring the behaviour of users, where that behaviour takes place within the EU.
In particular, the Regulation refers to the observation of natural persons in order to take decisions concerning them, or to analyse or predict their personal preferences, behaviour and attitudes.
These two conditions (i) and (ii) are alternative, not cumulative.
What about transfers of personal data outside the EU?
In principle, transfers of personal data outside the EU are prohibited. The aim is to protect personal data from data havens, where more flexible rules apply.
There are many exceptions to this principle:
- Transfers of data to countries of the European Economic Area
These countries have signed an agreement with the EU under which they have adopted the personal data protection regulation.
- Transfers of data to countries with an adequacy agreement
The European Union recognises that certain countries have personal data protection rules equivalent to the European Regulation.
- Transfers of data to countries that have signed standard contractual clauses or BCRs (“Binding Corporate Rules”)
These countries have not obtained an adequacy decision, or have no personal data protection rules. The idea is therefore to establish contractual rather than legal protection for the data, through standard clauses or agreements within a corporate group.
Standard contractual clauses
Standard clauses have been drafted by the European Commission and are available on its website. These agreements are concluded between the data controller and a processor established abroad, within the framework of an IT services agreement, or for the transmission of personal data to subsidiaries or entities of a group.
Currently, before using these clauses, the data controller may obtain an authorisation from the French supervisory authority (CNIL). This authorisation application will cease from 25 May 2018.
Binding Corporate Rules (BCRs)
BCRs concern only corporate groups. Within the group, a charter is adopted under which all subsidiaries and entities undertake to comply with the European data protection rules.
Once drafted, the charter is submitted for approval to the European data protection authorities through a mutual recognition system.
This authorisation request will continue after 25 May 2018.
Transfers of personal data to the United States: the “Privacy Shield” system
This is an international agreement between the European Union and the US Federal Trade Commission (FTC), to which US companies are free to adhere. Under its terms, the FTC undertakes to ensure that companies signed up to the system comply with the data protection rules set out in the international agreement.
In conclusion, the European personal data protection regulation is intended to apply to companies all over the world that process the personal data of European residents.
It puts an end to the practice of online services choosing the most favourable and least stringent country in which to develop their business model, and to hide-and-seek forum shopping.
The level of sanctions removes any doubt about the firmness with which this new framework will be enforced. The risk it creates can hardly be regarded as secondary.
It requires any company using the personal data of the 520 million residents of the 28 EU Member States to think carefully and comply with the Regulation.
The author of this post is Thierry Aballéa.
The application of the General Data Protection Regulation (“GDPR”), in force since 25 May 2018, will oblige companies to deal, without any further hesitation, with issues concerning IT security and liability for the collection and storage of personal data. Privacy protection will become an important part of corporate culture and will necessarily have to be managed from the top, i.e. by the managing director as well as the management team. Employees will also be involved in this awareness process through adequate training on the matter. Companies should set the order and priorities of their data-related procedures in accordance with the privacy by design and privacy by default principles. In other words, they should ensure data protection from the very start of product or service ideation and design, opting for behaviours aimed at preventing possible issues affecting personal data.
An even wider definition of personal data
The concept of “personal data” covers all information that identifies a person or makes a person identifiable and provides details of his/her features, habits, lifestyle, personal relationships, health and economic conditions. The definition of “personal data” becomes even wider and more structured when electronic communications with new technologies are considered, with geolocation bearing significant weight.
This transition, certainly problematic, introduces new challenges and opportunities, and places the question of data protection as a fundamental human right at the centre of the international debate and of digital policies. This is a significant turning point. Digitalisation has in fact caused several information security issues which, until a few years ago, could be handled by the national authorities of each EU country and which now require a more focused and structured legal framework. The introduction of platforms such as SaaS (Software as a Service) and the growth of cloud computing have completely changed the scenario.
Therefore, the European Data Protection Supervisor (EDPS) positively dealt with the request to reform the legal framework on personal data protection in 2011, since the existing legislation was no longer appropriate.
Even though it is way too early to predict the impact of such privacy regulation, we believe that it is interesting to focus on certain general considerations and some of the GDPR’s outcomes in the international scenario.
The potential applicability of the GDPR worldwide
Certainly, one of the important changes brought about by the GDPR is its potential applicability worldwide: the regulation thus overcomes European borders in the name of personal data protection.
The Regulation, in fact, applies not only to all cases where data are handled by EU-based companies, but also to all cases where a company, even though not EU-based, deals with the personal data of individuals in the EU in order to offer them goods or services or to monitor their behaviour in the EU.
Consequently, all foreign companies that continue to offer and provide their services to EU citizens cannot avoid complying with the GDPR.
Furthermore, even UK organisations may have to comply with the Regulation in order to protect UK citizens’ personal data and maintain their competitiveness in the EU market, for reasons of opportunity and convenience, apart from the compulsory application described above and, in any case, for as long as Brexit does not materialise.
The lack of connection with the data location
The Regulation not only binds foreign companies that deal with EU citizens’ personal data, but also aims to govern all processing of personal data, irrespective of where such data are located. It therefore provides that all personal data processing carried out by EU-based companies is subject to the GDPR, regardless of whether the processing takes place within or outside the EU.
From a legal point of view, such data will be in the spotlight and subject to this new Regulation rather than to national laws. This means that the physical location of the data loses relevance before the aim of granting the individuals concerned greater control over the information that is collected, processed and used by third parties.
Of course, companies may stop doing business with EU citizens in order to avoid having to comply with the GDPR principles, but such a choice must be made correctly: the GDPR’s application must be taken into account whenever a company provides a web service that is also available to EU citizens.
The disposition of strict fines
The fines for companies that do not comply with the Regulation can amount to up to 4% of their global revenue and up to EUR 20 million. The relevance of these measures has drawn the attention of all parties, particularly in the US, where organisations have a strong presence in the EU. Furthermore, the GDPR applies to organisations of any size, to individual enterprises as well as to large companies.
Forward-looking companies started to set up their compliance programmes immediately after the EU Regulation was announced, but the task is complex, and as a result meeting the 25 May deadline could be difficult.
According to PwC’s reports, 9% of US companies declare that they have allocated more than 10 million dollars to achieving such compliance.
Some compliance requirements for companies
- Accountability principle: data processing must be carried out according to documented procedures, regardless of whether such procedures are managed by the company itself or by third parties on its behalf. This makes the data controller responsible and obliges it to comply with the GDPR.
- Risk-based approach: the driving force of the Regulation is the aim of making companies responsible; they are therefore asked to comply with the GDPR principles by adopting a new risk-based approach and carrying out risk assessments.
- Clear and concise consent: much attention is paid to consent to the processing of personal data, which must be clear, concise, distinguishable and unequivocal.
- Data protection by design and by default: privacy management implemented by means of default settings from the design phase; this means that companies should take personal data protection into account from the moment a product, service or app is first designed and developed.
- Right to be forgotten: individuals are entitled to obtain, without delay, the deletion of their data by the data controller when certain conditions provided by the GDPR are met, for example when the data become redundant and are no longer necessary for the purposes for which they were collected, or when the individual’s consent is withdrawn.
- Right to data portability: individuals are entitled to receive their personal data in a commonly used, structured and machine-readable format, so as to transfer such data to another data controller without any hindrance from the former data controller.
- Appointment of an EU Representative: the Representative acts on behalf of the data controller or the data processor and may be addressed by any supervisory authority.
How to make the transition process easier?
The EU Regulation on personal data protection requires strong legal training and, at the same time, considerable technical implementation skills, given the ongoing digitalisation processes and the use of ever more innovative and complex technologies.
In this regard, companies may rely on professionals who are able to provide multidisciplinary services and consultancy, not only of a legal and IT nature, but who can also create synergies between professionals and business workers such as engineers and mathematicians.
Consequently, this burdensome commitment to follow the GDPR, together with the obligation to comply with the law, should also enable companies to combine the aforesaid skills and join forces to start a transition process that will ultimately result in growth.
The author of this post is Giorgio Piccolotto.
Less than one year from now, on May 25, 2018, the new European Regulation on the protection of personal data (EU) 2016/679 will come into force. Whatever its size or business activity, every company has to process personal data at some point.
The new sanctions provide a strong incentive to prepare organisations for compliance with the new legal framework in twelve months’ time.
Non-European undertakings must also be particularly careful regarding these new measures, the principal aspects of which are summarised below.
Extraterritorial application
The Regulation applies to personal data processing when the controller is established on the territory of the European Union.
If the controller is not established in the European Union, the Regulation applies when data processing involves persons situated within the European Union and when the processing is linked to the offering of goods or services to such persons. Non-EU companies must appoint a representative for this purpose.
The right to data portability and appointment of a DPO
This new right enables a person to recover the data that he has supplied in an easily reusable form, on a USB key for example. Companies must organise themselves in order to be able to satisfy these portability requirements.
Appointment of a Data Protection Officer
Companies must appoint a DPO (Data Protection Officer), successor to the CIL (Correspondant Informatique et Libertés), who is chosen on the basis of his professional skills (legal and technical), his independence and his accessibility, in order to ensure compliance.
We would like to point out that a specialist lawyer should be authorised to carry out this role provided relevant Bar rules do not prevent it.
Sanctions
These measures must imperatively be respected, at the risk of heavy sanctions.
Depending on the category of infringement, these sanctions may amount to:
- 10 to 20 million euro; or
- 2% to 4% of annual worldwide revenues.
The higher of the two amounts is applied.
Recommendations
To ensure that your practices comply with the new legislation, it is necessary to:
- Set in motion an internal project dedicated to compliance with the new legislation within the next 9 months;
- Anticipate the obligations specified by the Regulation;
- Budget for the right to data portability and the position of DPO;
- Organise, for SMEs, the sharing of the DPO position with other companies.
The author of this post is Thierry Aballéa.