Tag: GDPR

FACEAPP & THE TERRITORIAL SCOPE OF GDPR

Faceapp

Faceapp has been all over the news recently. The app has been around for a couple of years, but has gained sudden popularity over the last few weeks. With the popularity came the privacy concerns. The company behind Faceapp is based in Russia, or at least so it seems. It nevertheless subjects its terms to Californian law and chooses that state as the venue for dispute resolution. How will European Data Protection Authorities (DPAs) react to the Russia-based Faceapp, and how does the territorial scope of GDPR apply?

Russia

Our question is how the EU regulators or the European Data Protection Board (EDPB) will deal with this (Russian) app. The governing body has elaborated on the territorial scope of GDPR and, in our opinion, this app would fall within that scope. It seems that Faceapp has every intention of providing services to European citizens, and it places cookies on their browsers to monitor behaviour.

The result is that it needs to comply with GDPR and, if it does not, it may be subject to the enforcement powers (including fines) of the data protection authorities (“DPAs”).

Paper Tiger

How will European DPAs enforce any action they may take against this app, and against all other apps (or service providers) that fall within the scope of GDPR but are located in countries where enforcement is difficult? If the DPAs do not take any action, how will that look when other companies do get fined and enforced against for similar offences? The GDPR runs the risk of becoming a paper tiger in these kinds of cases.

Contact

If you are interested in knowing more about the material and/or territorial scope of the GDPR, whether your activities fall within that scope and, if so, what you should be complying with, do contact us for further information and counsel or call +34 610 739 364.

No-deal Brexit and Data Transfers. The EDPB issues a note of guidance.

The European Data Protection Board (“EDPB”) has issued a note on how to approach personal data transfers to and from the United Kingdom in case of a no-deal Brexit.

No-Deal Brexit

First of all, what is understood by a no-deal Brexit? We explained that in our earlier post on what “a hard Brexit” actually means. In short: if the UK and the European Union do not reach a Withdrawal Agreement before 29 March 2019, there will be no transition period for the UK to leave the European Union in an orderly fashion. The UK will leave the EU with all current trading and regulatory links ending immediately as it departs.

EDPB on Data Transfers in case of a No-Deal Brexit

The EDPB distinguishes two possible transfers: those from the EEA (European Economic Area) to the UK and those from the UK to the EEA. It must be noted that, if there is no deal, the EDPB does not have any authority over what the UK government decides with respect to the personal data of its citizens.

The start date for possible safeguards to be in place is 30 March at 00.00 AM.

Data Transfers to The United Kingdom

In case of a no-deal, the transfer can only be made under (one of) the following safeguards:

– Standard or ad hoc Data Protection Clauses;
– Binding Corporate Rules;
– Codes of Conduct and Certification Mechanisms;
– Derogations (which can only be used if none of the above are in place).

If you haven't got any safeguards in place yet, the most likely option is the Standard Contractual Clauses. Those clauses cannot be negotiated and are therefore very quick and easy to apply.

The other options are, although valid, more time consuming, and it is doubtful that you will have them in place on time. However, you can rely on these safeguards if you already had them in place.

Derogations are described in article 49 GDPR (the General Data Protection Regulation) and can be used if you don't have other safeguards in place. The issue with derogations, however, is that they can only be used for one-off, non-repetitive transfers.

Preparing data transfers to the UK in case of a no-deal

The EDPB has identified five steps organisations should follow if they transfer personal data to the UK:

  1. identify what data processing involves a transfer to the UK;
  2. determine the appropriate safeguard (which at this moment in time will probably be the Standard Contractual Clauses);
  3. implement that safeguard before 30 March (13 working days to go);
  4. update your internal documents and privacy notice to inform your Data Subjects.

Data Transfers from the UK

It is up to the UK government to decide what measures should be taken when transferring personal data to the EEA. At the moment, transfers may be carried out as before, when the UK was still a member of the Union.

The entire note can be found here: EDPB on Data Transfers in case No-Deal Brexit.

If you would like to discuss what our Data Protection Officers can do for you, please contact us.

Territorial scope of GDPR –  Representative or DPO?

Territorial scope of GDPR: representative or DPO? We help answer that question for many of our clients. It is an important one because of the considerable fines that may be imposed if a company gets it wrong.

Article 3 of GDPR sets out the territorial scope of the Regulation:

  • If the processing of personal data takes place in the context of the activities of an establishment or organization in the EU, regardless of whether the processing itself takes place in the EU.
  • If the personal data of individuals who are in the EU is processed by an organization not established in the EU and the processing concerns the offering of goods or services to individuals in the EU, or monitoring the behaviour of individuals that takes place in the EU.

In November 2018, the European Data Protection Board (the “EDPB”) issued guidelines on the territorial scope of General Data Protection Regulation. According to the EDPB, this new scope represents a significant evolution of the EU data protection law compared to the framework defined by the old Directive.

For example, if your company is not caught under the establishment principle of article 3.1 GDPR, it might still fall within the extraterritorial reach of article 3.2 GDPR. In that case your company will have to appoint a representative in the EU.

In practice, the function of representative in the Union can be exercised on the basis of a service contract concluded with an individual or an organisation. It can therefore be assumed by a wide range of commercial and non-commercial entities, such as law firms and consultancies. Such entities, however, need to be established in the European Union. A representative can also act on behalf of several non-EU controllers and processors.

It is interesting to note that the representative is different from the data protection officer. The former should have a written mandate to represent the company. The latter should be in a position to perform their duties and tasks in an independent manner.

Representative or DPO? We serve as the data protection officer for various clients, and we are also the representative for another set of clients. Please contact us if you would like information on the various possibilities we offer.

The new Spanish Data Protection Act 2018

In November 2018 the Spanish Parliament adopted the new data protection act with a 93% positive vote. It adapts the Spanish legal framework to the General Data Protection Regulation and develops its topics.

The Spanish Data Protection Agency issued a press release on the contents of the new Act. It further regulates issues such as the rights of data subjects; for example, it demands that the means to exercise such rights be easy to access.

It also regulates the right to be forgotten in more detail. For example, there is no obligation to erase such data when they were obtained through a third person who processed them for domestic or personal activities.

If you would like to know more, please contact us.

Almost 60,000 Data Breaches since May 2018

Almost 60,000 Data Breaches Reported since GDPR Implementation in May 2018

In the Netherlands 15,400 data breaches have been reported up to 29 January 2019; in Germany 12,600; in the UK 10,600; and in Spain 670(!).

To date, 91 reported fines have been imposed under the new GDPR regime. The highest GDPR fine imposed to date is €50 million, by the CNIL on Google, notably not relating to a personal data breach.

Many organizations have taken notice of the new breach notification rules, no doubt in part due to concerns about the high sanctions for not notifying. This has led to more than 59,000 personal data breaches being notified across Europe in the eight months since GDPR's introduction. Not notifying data breaches has become a risky strategy under GDPR.

If you want to understand all about data breaches and/or need a DPO, contact us here.

The study was performed by DLA and can be found here.

Art. 27 GDPR – Representatives of companies not established in the Union

Do I need a representative?

For many companies outside of the European Union it is not clear whether they need to appoint a representative for data protection purposes.

You will NOT need to fulfil this requirement when:

  1. the processing is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
  2. you are a public authority or body.

If you have concluded that you do need to appoint a representative and you would like that to be a firm experienced in data protection matters, do contact us. We can be your representative in the EU.

Tasks of the representative

The representative shall be established in one of the Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.

The representative shall be mandated by the foreign company to act as contact point for supervisory authorities and data subjects on all issues related to processing, for the purposes of ensuring compliance with the Regulation.

The designation of a representative by the company shall be without prejudice to legal actions which could be initiated against the company itself.

Contact us if you would like to discuss whether you need a representative.

The Data Protection Officer (“DPO”). Do you need one?

Article 37 of the General Data Protection Regulation provides the following:

If your company processes special categories of information (e.g. health data, religious data, racial data, criminal offences, etc.) on a large scale, you must appoint a DPO and communicate the details of that officer to the authorities. Article 37 of the General Data Protection Regulation lays down exactly under what conditions you need to appoint a DPO.

You may appoint an external data protection officer. That data protection officer can work on the basis of a freelance contract. If you would like to discuss the possibility of us becoming your DPO, do contact us. We are the DPOs for healthcare and insurance companies and as such have experience in the protection of special categories of sensitive data.

The contractual relationship between Processor and Controller

The General Data Protection Regulation (“GDPR”) establishes in its article 28 the rules around the “Processor”. The Processor processes Personal Data on behalf of the Controller.

The Controller has a duty of diligence when selecting the Processor and has to be able to prove that it has been diligent in its choice. It should, logically, only select a Processor that is able to guarantee compliance with GDPR.

The Processor should not subcontract without the written permission of the Controller, because it is the Controller who is primarily responsible/liable for the processing done by the Processor and its subcontractors.

The relationship between Controller and Processor should be governed by a contract which details the following obligations for the processor:

  • processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
  • ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • takes all security measures required pursuant to Article 32 GDPR;
  • respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
  • taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights;
  • assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
  • at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
  • makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in article 28 of GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

If a subcontractor is engaged by the Processor, the contract between them shall contain the same clauses as the contract between Controller and Processor.

The Processor shall be fully liable for its subcontractors.

If the Processor holds “official” (quality) certifications or otherwise adheres to an approved code of conduct as mentioned in article 40 GDPR, this will count towards a positive judgment on whether the controller has done its due diligence in selecting it.

Please bear in mind that this is just a summary of the clause(s) that affect the Processor and Controller under GDPR. We can help you to determine whether you are a Controller, a Processor or both, and we can help draft and/or review the legal clauses that govern these relationships.

Contact us.

Data breach – the obligation to inform the authorities

If the General Data Protection Regulation (“GDPR”) is applicable to you, as of 25 May 2018 you will be obliged to inform the relevant authorities within 72 hours of becoming aware of a data breach committed by you or by your data processors on your behalf, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

This notification must include:

  • a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • the likely consequences of the personal data breach;
  • the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Contact us if you would like us to advise you, perform an audit with respect to this new obligation, or check whether the GDPR applies to your business. We will be glad to be of help.

GDPR, the legal obligation to inform your customer.

The General Data Protection Regulation is about to come into force on the 28th of May 2018. We are getting a lot of requests for advice and notice that, although companies are willing to comply, many of the new details are generally not known. For example: you become aware that you have had a data breach. Do you tell the persons affected? Or do you have a legal obligation to inform your customer?

Yes, when:

  1. the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons*; the controller shall then communicate the personal data breach to the data subject without undue delay.

The communication shall describe in clear and plain language the nature of the personal data breach and contain at least the following information and measures:

  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • the likely consequences of the personal data breach;
  • the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

No, when any of the following conditions is met:

  1. the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  2. the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
  3. it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

* These are the (high) risks to the rights and freedoms of natural persons: risks of varying likelihood and severity that may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, or trade union membership, and where genetic data, data concerning health or data concerning sex life, or data concerning criminal convictions and offences or related security measures are processed; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.

Are you ready?!

Do contact us if you would like more information on the subject. Business Advice Spain is highly experienced in Data Protection matters. It has helped American companies for the last 15 years establish themselves in Europe.

GDPR – Rules for Privacy Policies

The GDPR has set a couple of new rules for privacy policies. One of those conditions is a mandatory mention that data subjects (the people whose personal data is being processed) can seek support from their local data protection authority when dealing with a data controller or processor who is not being helpful when a data subject asserts his or her rights with respect to the processing of his or her personal data.

Contact us if you would like us to review your data protection policy and make it compliant with the GDPR. We have vast experience in data protection matters. When it comes to American companies, we have more than 15 years of experience in helping them establish themselves in Europe.

International transfers breaches fines

Transfers of personal data to third countries outside the EU are only permitted where the conditions laid down in the General Data Protection Regulation are met.

In contrast to the current regime, where sanctions for breaching transfer restrictions are limited, failure to comply with GDPR's transfer requirements attracts the highest category of fines: up to 20 million euros or, in the case of undertakings, up to 4% of annual worldwide turnover.

If you would like to understand the grounds and mechanisms that allow you to transfer personal data to countries that do not offer adequate protection, please do contact us. When it comes to American companies, we have more than 15 years of experience in helping them establish themselves in Europe.

Non EU companies should appoint a DPO in Europe

The new General Data Protection Regulation (“GDPR”), which will come into force in May 2018, requires that the Data Protection Officer (“DPO”) be effectively accessible to Data Subjects and other parties. To ensure that the DPO is accessible, the Working Party 29 (the cluster of European data protection authorities) recommends that the DPO be located within the European Union, whether or not the controller or the processor is established in the European Union. However, it cannot be excluded that, in some situations where the controller or the processor has no establishment within the European Union, a DPO may be able to carry out his or her activities more effectively if located outside the EU. You may appoint an external company to be your Data Protection Officer. We can become your DPO and/or help you find one.

Contact us if you would like us to review your data protection policy and make it compliant with the GDPR. We have vast experience in data protection matters, and when it comes to American companies we have more than 15 years of experience in helping them establish themselves in Europe.

Germany and The Netherlands, leaders in data protection in Europe

The Netherlands leads with reporting requirements on data leaks

Germany and The Netherlands are the leaders in data protection in Europe. This means they are the front-runners in terms of reporting requirements on data leaks, Privacy Impact Assessments (PIAs, an instrument for determining the privacy risks of data processing in advance), the societal debate and information campaigns. The budgets, staffing levels and powers of the Dutch supervisory authority (the Personal Data Authority) to impose fines are in line with European norms, and the supervisory authority is a familiar institution among Dutch people. Leiden University, the oldest in The Netherlands, investigated 8 European countries on these topics. If you would like further information on Data Protection in Spain or throughout Europe, we can help.

Contact us if you would like us to review your data protection policies and make them compliant with the GDPR. We have vast experience in data protection matters. When it comes to American companies, we have more than 15 years of experience in helping them establish themselves in Europe.

The use of Data Breach and other Data Protection Policies

Background

It could happen to anyone: a leak, a hack or a loss in their personal data storage system which poses a risk to the rights and freedoms of natural persons. But how should one react to a breach? Although probably everybody advocates transparency in data processing, the majority of reactions to such a breach are to try and hide it; the Equifax case shows that once again. The obligation to report, and the fines, will come into force on May 25, 2018 under the General Data Protection Regulation of the European Union. Data breach and other data protection policies can help counter such issues.

The use of policies

Policies and procedures in general help to identify and react to situations where action is needed. Once you have a policy, you can make your employees aware of it and train them on how to react and how to resolve or escalate the issues. If you need help defining your personal data breach reporting policy or whistleblowing policy, or need to understand when to report and to whom, we will be glad to be of assistance.

Do contact us if you would like more information on the subject. Business Advice Spain is highly experienced in Data Protection matters. It has helped American companies for the last 15 years establish themselves in Europe.