Understanding GDPR: Frequently asked questions
Frequently asked questions regarding the new EU General Data Protection Regulation (GDPR) which is coming into effect in May 2018
|My business operates in Italy as well. Do I still have to get advice on how the GDPR is implemented in Italy?||It depends on what processing you carry out. There are still national variations in some areas, which will require review under Italian law. One example is the processing of information about employees: Member States (MS) can introduce additional protections for employees. There is also overlap with national labour laws, and there may be differences in the way the rules are interpreted and enforced. The differences will narrow over time, and the GDPR contains a consistency mechanism to help do that.|
|As I operate in Malta and Italy, do I need to nominate a supervisory authority?||Given that you operate from both Malta and Italy, the lead supervisory authority will be the competent authority where your ‘main establishment’ is located. The ‘main establishment’ is determined by considering where the central administration is, where the decisions on processing personal data are taken, and where the main processing activities take place. If the main establishment is located in Malta, then the lead supervisory authority is the IDPC in Malta.|
|Does the ‘one stop shop’ mean I am just subject to the supervision of my home regulator?||If you carry out cross-border processing, you will be primarily regulated by the supervisory authority based in the jurisdiction of your main establishment. The ‘one stop shop’ does not apply where processing is based on the legal obligation or public function condition, and other supervisory authorities can ask to take control where the processing mainly relates to their jurisdiction. The lead supervisory authority can refuse to cede control, but must co-ordinate its activities closely with the other ‘concerned’ supervisory authorities.|
|Has the GDPR changed at all from the DPA 2001 (CAP 440)?||The core rules are broadly the same, and the GDPR will look familiar to experienced privacy practitioners. This does not mean that there is no change; there are some significant changes, and the GDPR adds a number of important new obligations. Finally, there is a significant increase in the sanctions for getting it wrong.|
|Do I have to get consent from an individual?||Not necessarily. Consent is only one of a number of justifications for processing the individual’s personal data. Other justifications, such as the so-called legitimate interests condition, are available.|
|What happens if someone withdraws consent?||It is likely that you will have to stop processing that individual’s personal data, although in some cases you may be able to rely on an alternative processing condition. Withdrawal of consent may also give the individual the right to be forgotten, i.e. have their data erased. Withdrawal of consent does not affect the lawfulness of any processing that takes place prior to that withdrawal.|
|A customer has asked to be “forgotten” and for all his data to be deleted. Do I have to comply?||It depends. Assuming the customer is an individual, they do have a right to be forgotten but that right is not absolute. In particular, you would need to confirm a range of issues such as whether you were just relying on consent to process his or her data and whether you have a continuing need to hold the relevant personal data. In some cases, you may need to quarantine his or her personal data rather than delete it. The position is complex. You need to put a process in place to manage these requests.|
|What does the right to portability mean?||Individuals already have a right to access their personal data through a subject access request. The right to data portability enhances this, giving the individual the right to receive that personal data in a machine-readable format. Individuals can also ask for the data to be transferred directly from one controller to another. There is no right to charge fees for this service.
The right only applies:
a) To personal data “provided to” the controller. This will clearly apply to photos posted to a social network or content stored on a cloud service.
b) Where the controller is processing personal data in reliance on the processing conditions of consent or performance of a contract.|
|Is consent given under the DPA 2001 (CAP 440) still valid?||Where consent is given under the DPA 2001 (CAP 440), it will continue to be valid under the GDPR if it also meets the requirements of the GDPR.|
|Will the definition of consent under the ePrivacy Directive remain the same?||The ePrivacy Directive currently defines consent by reference to Directive 95/46/EC. This will automatically be superseded by a reference to the GDPR from May 2018 onwards. In other words, obtaining consent to market by email will become a whole lot harder as well.|
|The need for consent doesn’t just arise from the GDPR but also in a number of other laws. Will this result in confusion?||Correct. If you are subject to bank secrecy laws, it is very likely you will need consent to disclose customer information. You may find that you ask for, and obtain, a valid consent for the purposes of bank secrecy laws, but that consent is not valid for data protection purposes (e.g. because it is tied to performance of the banking contract). You must, therefore, make it clear which processing condition you are relying|
|Can a customer object to direct marketing?||When an individual exercises the right to object to direct marketing, you must not only stop sending direct marketing material to the individual, but also stop any processing of that individual’s personal data for such marketing. For example, if you receive an objection, you should stop profiling that individual to the extent that the profiling relates to direct marketing. The ePrivacy Directive contains additional restrictions on marketing and in some cases requires the consent of the individual. The ePrivacy Directive will continue to apply in parallel with the GDPR.|
|Our school sends and requests coursework from its primary and secondary students online, which means all students must have access to email and the Internet. What are the implications?||The GDPR contains specific protections for children. You can only obtain consent from a child in relation to online services if it is authorised by a parent. A child is someone below the age of 16, though MS can reduce this age to 13 years.
The GDPR does not apply this restriction when obtaining consent from a child offline, but given the tight controls on consent, you may still wish to obtain parental authorisation.
The GDPR adds:
1) Privacy policies must be very clear and simple if they are aimed at children.
2) Profiling and automated decision making is not to be applied to children.
3) The right to be forgotten applies very strongly to children.|
|Is the right not to be subject to profiling and automated decision making a blanket one?||A customer has the right not to be subject to decisions made automatically that produce legal effects or significantly affect him or her. This right, however, does not apply where the decision is:
- Based on explicit consent from the individual, subject to suitable safeguards including a right to human review of the decision.
- Necessary for a contract, subject to suitable safeguards including a right to human review of the decision.
- Authorised by EU or MS law.|
|What policies do I need?||It depends on your business. You would expect a large business to have a general data protection policy, plus policies that address the data protection issues arising out of marketing, data security, recruitment, record retention and monitoring. These do not have to be stand-alone policies; the data protection issues might be built into a wider policy.|
|How can I “demonstrate” I am complying with the GDPR?||You will need to update or create suitable policies that set out how you process personal data. You should also consider other compliance measures, including setting up a clear compliance structure, allocating responsibility for compliance, staff training, and audit. It might also involve technical measures such as minimising processing of personal data, pseudonymisation, giving individuals greater control and visibility, and applying suitable security measures.|
|Is it mandatory to appoint a DPO?||The GDPR requires the appointment of a DPO if:
- You are a public authority – a government entity, authority, or body other than a court.
- Your core activities consist of regular and systematic monitoring of data on a large scale.
- Your core activities consist of processing sensitive personal data on a large scale (including data relating to criminal offences).
- National MS law makes the appointment of a DPO mandatory. No such notice has been given to date by the IDPC.|
|What is the role of the DPO?||The DPO is a means of ensuring accountability and compliance with the GDPR without external intervention by the IDPC. The DPO monitors compliance, provides information and advice, and liaises with the IDPC. The DPO must report to the highest level of management within your business, must be able to operate independently, and must not be dismissed or penalised for performing their tasks.|
|Should the DPO form part of, or lead, a company’s privacy compliance function?||The DPO is responsible for monitoring compliance with the GDPR, providing information and advice, and liaising with the IDPC. There are good arguments for the DPO to be separate from the compliance unit and instead to operate as a form of third line of defence. This avoids the risk of the DPO “marking their own homework”.|
|Must a person be qualified to assume the role of DPO and, if so, what qualification should s/he hold?||The DPO must have the right professional qualities and expert knowledge of data protection law. There is no express requirement for them to hold any particular qualification or certification. However, obtaining appropriate qualifications will be an effective way to demonstrate expert knowledge (and may help them to do their job properly).|
|Does the breach notification obligation relate to the obligations in the Cyber Security Directive?||The obligations in the GDPR apply in parallel with those in the Network and Information Security Directive and the ePrivacy Directive.|