The European General Data Protection Regulation (GDPR) of 27 April 2016 became directly applicable on 25 May 2018.
Do you process EU residents’ personal data and determine the purposes and means of such processing? If you are established in the EU, or if you process personal data in order to offer goods or services to EU residents or to monitor their behaviour, you qualify as a data controller. As a result, you may be subject to the GDPR and, in turn, to many new obligations.
Are your corporate clients located in the EU? Do you process EU residents’ personal data on behalf of your corporate clients, for instance through call center, help desk, outsourcing or business process outsourcing services? If so, you are a data processor and, irrespective of your place of establishment, will most likely be subject to the GDPR.
Due to a wide territorial scope, the GDPR might indeed be applicable to companies that are not established in the European Union. Chinese companies investing in the EU or processing data originating in the EU thus might be directly concerned by the GDPR.
Early compliance with the GDPR is paramount. The purpose of this alert is therefore to present some of the main obligations that you will face as a data controller or data processor.
WHAT ARE YOUR MAIN OBLIGATIONS AS A DATA CONTROLLER?
1. Analyze the legal basis on which you process personal data. Make sure that each processing operation rests on a valid legal basis (for instance, the consent of the person concerned, your legitimate interests, the performance of a contract or a legal obligation).
2. Revise your privacy and information notices:
- you should provide clear, intelligible and easily accessible information to the persons concerned by data processing; and
- when the processing is based on consent, users must be informed and must agree to the processing of their data by a clear affirmative act; consent must be unambiguous, and the burden of proving that it was given rests with the controller.
3. Implement procedures to respect the rights of the persons concerned by personal data processing. You must handle the claims and requests of these persons when they exercise their rights (including the rights of access, rectification, erasure and objection, the right to data portability and the right to withdraw consent).
4. Embrace “privacy by design” and “privacy by default”. You must implement all the technical and organizational measures necessary to protect personal data, both when designing the product or service and by default. In concrete terms, you must minimize the amount of data processed from the outset so that only the data strictly necessary for your purposes is collected and processed.
5. Implement appropriate data protection measures and policies and be able to demonstrate compliance at all times, in accordance with the principle of accountability. In particular, you must put in place the following compliance tools:
- keep a register of the processing activities you perform. This obligation does not apply to companies with fewer than 250 employees unless the processing is likely to result in a risk to the rights and freedoms of the persons whose data you process, is not occasional, or involves special categories of data or data relating to criminal convictions and offences. Since processing is rarely deemed occasional, this exemption is very limited;
- implement clear policies to make sure you can notify personal data breaches to the supervisory authority within 72 hours of becoming aware of them and, if the breach is likely to result in a high risk to the rights and freedoms of the persons concerned, to those persons without undue delay;
- certify personal data processing, if applicable;
- adhere to codes of conduct, if applicable;
6. In some cases, appoint a data protection officer, especially if your core activities consist of processing operations that require regular and systematic monitoring of the persons concerned on a large scale, or large-scale processing of special categories of data.
7. In some cases, carry out a data protection impact assessment (often called a privacy impact assessment), especially where the processing is likely to result in a high risk, including large-scale processing of sensitive data and processing based on a systematic and extensive evaluation of personal aspects of natural persons.
8. In some cases, appoint a representative in the European Union, who will be the point of contact of the supervisory authorities and the persons concerned.
9. In the event that you work with data processors, verify that they know their new obligations and their responsibilities. In particular, make sure there are contractual clauses stating the obligations of the data processor with regard to security, confidentiality and protection of the personal data processed.
WHAT ARE YOUR MAIN OBLIGATIONS AS A DATA PROCESSOR?
1. Enter into a contract (or an amendment to an existing contract) with your client specifying each party's obligations with regard to personal data and complying with the requirements of Article 28 of the GDPR, including the obligations to process the data only on the documented instructions of your client and to assist your client in performing its own obligations as controller.
2. Keep a register of processing activities that lists your clients, describes the processing you perform on their behalf and documents all their instructions. This obligation does not apply to companies with fewer than 250 employees unless the processing is likely to result in a risk to the rights and freedoms of the persons whose data you process, is not occasional, or involves special categories of data or data relating to criminal convictions and offences. Since processing is rarely deemed occasional, this exemption is very limited.
3. Obtain your client's prior written authorization before you, in turn, engage sub-processors.
4. In some cases, appoint a representative in the European Union, who will be the point of contact of the supervisory authorities and the persons concerned.
5. In some cases, appoint a data protection officer, especially if your activity includes processing operations that require regular and systematic large-scale monitoring of the persons concerned.
6. You must guarantee the security of the data you process. In concrete terms, you must:
- implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
- ensure that your employees who process personal data are bound by an obligation of confidentiality; and
- notify your client of any personal data breach without undue delay after becoming aware of it.
7. You must alert, assist and advise your client in the course of your data processing:
- immediately alert your client if, in your opinion, an instruction you receive infringes the GDPR or other data protection rules;
- assist your client in responding to a person's request to exercise his or her “classic” rights (access, rectification, objection and erasure) and the new right introduced by the GDPR (portability); and
- advise your client and make available all the information necessary to carry out a data protection impact assessment or to conduct an audit.
8. You must provide your client with sufficient guarantees that the tools, products, applications or services you offer incorporate the principles of data protection.
CAN YOU TRANSFER PERSONAL DATA OUTSIDE OF THE EU?
Whether you are a data controller or a data processor, you may transfer personal data outside the EU to a country that does not ensure an adequate level of protection only by using tools that provide appropriate safeguards. China is not considered by the European Commission to be a country providing an adequate level of protection. Data transferred outside the EU remain subject to the GDPR, not only for the transfer itself but also for any onward processing and transfer. The appropriate safeguards you may put in place include:
- binding corporate rules;
- standard contractual clauses approved by the European Commission;
- standard contractual clauses adopted by an authority and approved by the European Commission;
- ad hoc contractual clauses, authorized by the competent supervisory authority (in France, the CNIL).
When appropriate safeguards are not available, the GDPR provides derogations for specific situations, provided that the transfer meets one of the following conditions:
- Explicit consent from the person concerned;
- Contract between the person concerned and the data controller;
- Contract in the interest of the person concerned;
- Defense of rights in court;
- Protection of the vital interests of the person concerned;
- The compelling legitimate interests of the data controller, which are not overridden by the interests or rights and freedoms of the person concerned, provided that the transfer is not repetitive and concerns only a limited number of persons.
Compliance with the new obligations laid down by the GDPR and the establishment of appropriate safeguards may therefore be a precondition for the data transfers your activity requires.
WHAT RISKS IN THE EVENT OF NON-COMPLIANCE?
From 25 May 2018, in case of non-compliance with the GDPR, you may be held liable for the damage caused to the persons concerned; this applies to processors as well as to controllers.
You may also be subject to significant administrative fines, which vary depending on the category of infringement and may reach:
- up to 10 million euros or 2% of the previous financial year's worldwide annual turnover, whichever is higher; or
- in the most serious cases, up to 20 million euros or 4% of that turnover, whichever is higher.
Gide's teams are at your disposal to help you implement your new GDPR obligations.
This Client Alert is not intended to constitute legal advice and should not be taken as a recommendation to take action or withhold from taking action.