• Slider

Articles





GETTING TO KNOW THE GDPR IN 7 STEPS

by Nicoleta PASLARU and Vlad GORDAN
February 20th 2018


The implementation of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR or the Regulation) is mandatory from the 25th of May 2018 for companies that process personal data and have their headquarters both within the European Union and outside the Union if the personal data processing is related to the provision of goods or services to persons targeted in the Union or the monitoring of their behaviour within the Union. As a result, these companies processing personal data will be required to comply with the GDPR rules, being otherwise subject to sanctions of up to EUR 20,000,000 or 4% of the company’s worldwide annual turnover, whichever is higher of the two being applied1.

Although the volume of information on the Regulation may seem overwhelming, the design of some guidelines or steps to get to know it, as these are referred to below, is intended to clarify the legal requirements and allow for the consistent application of the Regulation. The brief review of the GDPR will focus on highlighting the principles of personal data processing, emphasizing the main actor in applying the principles of the Regulation, describing the audit of the data, listing the instruments demonstrating the compliance of the processing with the provisions of the Regulation, pointing out the rights of the data subject and obligations the controller, and, last but not least, the disclosure of how the controller becomes liable.

STEP 1. The first step in getting familiar with the GDPR is to present the principles related to the processing of personal data, namely: legitimacy, fairness, transparency, determined and explicit purpose, accuracy and, last but not least, a limited and adequate personal data processing. In case of non-compliance with these principles the sanctions are the most severe, as has been shown above.
Perhaps the most important principle is the legitimacy of processing because it includes in its structure the consent of the personal data processing subject, the need for processing for the purpose of executing an agreement or in order to fulfil a legal obligation of the controller, as well as to protect the vital interests of the data subject.
From our point of view, the controllers should pay more attention to the consent of the data subject, as this is one of the paths to the proper compliance with the provisions of the Regulation.
The consent of the data subject means any manifestation of free, specific, informed and unambiguous will of the data subject through which he / she accepts, through a statement or by unequivocal action, that the personal data relating to him / her be processed2.
Among the conditions of consent provided by the Regulation there is the form it must have, namely, it must be presented in an intelligible and easily accessible form, using a simple and clear language. The controllers shall also pay attention to the fact that if the data processing is done for multiple purposes, the consent is to be given for all purposes of the processing. We also have a special situation in the case of minors under the age of 16, such processing being lawful only if the consent is granted or authorized by the holder of parental responsibility for the child.
However, perhaps the most important thing in expressing the consent is that, even after it has been given, it may be withdrawn at any time by the data subject, being informed of this in advance, and this withdrawal shall not in any way affect the legitimacy of the processing carried out until its withdrawal..
Last but not least, the controller must demonstrate that the data subject has consented to the processing of his or her personal data.

STEP 2. This step comes as a complement to the previous step by highlighting the main actor in applying the principles of the Regulation, namely the Data Protection Officer (“DPO”). When?, Where?, Who? and How? are the questions we need to answer in order to create an overview of the main responsibilities of the Data Protection Officer, as follows:
The appointment of a data protection officer shall be made by the controller or the empowered person whenever3:

  • the processing is carried out by a public authority or body, excluding the courts,
  • the processing involves systematic and regular monitoring of large-scale data subjects,
  • the processing consists of special categories of personal data (which reveal racial or ethnic origin, political opinions, religious confession or philosophical beliefs, or membership to trade unions and genetic data processing, biometric data to uniquely identify a person, data on the health or data relating to the sexual life or sexual orientation of a person) or data on criminal convictions and offenses.
In the above cases, in case a data protection officer is not appointed, we are liable to receiving a fine of EUR 10,000,000 or 2% of the company’s worldwide annual turnover4. We can also appoint a Data Protection Officer and, when the law does not oblige us, to ensure the correct application of the Regulation, assuming that we will be subject to more rules and responsibilities than usual. The Data Protection Officer is appointed by the controller or the person empowered by the controller (the DPO may also be appointed by a group of companies) on the basis of the professional skills and specialized knowledge of the personal data protection law and practices. He / she may be a staff member of the controller or the person empowered by the controller, as long as his / her responsibilities within the company do not interfere with those of a Data Protection Officer or he / she may perform his / her duties under a service agreement. The Data Protection Officer is duly and timely involved in all aspects of data protection, with the following tasks:
  • Informing and advising the controller,
  • Monitoring compliance with the Regulation,
  • Providing advice on data protection impact assessment,
  • Cooperation with the surveillance authority.
In performing his / her tasks, the Data Protection Officer shall receive no instructions from the controller regarding the performance of these tasks. Consequently, he / she is not dismissed or sanctioned by the controller or the person empowered by the controller to carry out his / her duties and, last but not least, the data protection officer is bound to observe confidentiality in the performance of his / her duties.
There are advantages in appointing a data protection officer in the organization, namely:
Firstly, this appointment of a DPO saves time spent in search of the person in charge of applying the regulation within the organization (legal department, commercial department, and so on). When the Regulation enters into force, it will create confusion within the organization, coming from the need to find the person responsible for its implementation.
Secondly, by appointing a DPO, it helps protect the organization against the risk of receiving truly drastic fines by properly implementing the Regulation, by creating policies, procedures and training, by the DPO, aiming to support proving the observance of personal data processing with the Regulation.
Thirdly, the appointment of a DPO in its initial phase reduces the implementation costs of the Regulation on the long-term, the organization no longer being exposed to the long line of legal and IT consultations.

STEP 3. This step tells us where and for which personal data we need to implement the Regulation. So, we must to understand where this data is within the company we are running and how that data is used. Companies not only receive personal data from all directions, but also send these data to third parties with whom they work, and these actions determine the need for a data audit.
This data audit is the foundation we need to have to successfully implement the rules set out in the Regulation. Through the audit, we must to find answers to the following questions

  • Where are the data?
  • What kind of data is this or does this data contain (names, addresses, medical information, etc.)?
  • How long do we keep it (days, months, years)?
  • How do we preserve it (paper, electronic format, etc.)?
  • Did we have the consent of the data subject when we processed this data?
  • Where do we send these data (third companies) and how are these data kept?
  • How do we collect these data and how safe is the procedure?
  • Who are the people in the company who have access to these data?
The easiest way to initiate the internal audit is by sending the above questions to the departments that work with this kind of data every day (human resources, sales, legal department, marketing department, etc.).
Each company that is required to implement these new sets of rules should create a questionnaire to help demonstrate the consistency between the processing of personal data and the Regulation. From our point of view, the questionnaire should contain a series of questions similar to the following:
  1. What kind of personal data do we have in the company (names, addresses, personal number, etc.)?
  2. What data do we have about our company employees?
  3. How secure is the processing of personal data in our company?
  4. Where is these data stored (paper, computer, internet, etc.)?
  5. Who has access to this personal data?
  6. How and when does the personal data get deleted?
  7. What kind of information do customers receive on the processing of their personal data?
  8. How are the personal data transmitted within the company?
  9. Do we have the customers’ consent to send data to third-party companies we collaborate with?
  10. Are there policies within the company that determine how to use personal data?
  11. Are there personal data sent outside the European Union?
Subsequently, on the basis of the responses received, the mapping of the personal data flows is carried out, which is essential for ensuring the security of personal data.

STEP 4. In this step, we highlight the tools that the Regulation establishes in support of demonstrating the consistency of the processing of personal data by both the controllers and the persons empowered by them.
The Regulation provides three categories of instruments through which the controller may demonstrate the observance of the personal data processing:

  1. Impact assessment
  2. Codes of conduct
  3. Certifications

I. Impact assessment
The impact assessment on data protection implies an assessment of the impact of the envisaged processing operations on personal data protection, especially in areas that pose a high risk to the rights and freedoms of individuals (especially those based on the use of new technologies).
The impact assessment is mandatory in cases where there is a:

  • systematic assessment of personal aspects of individuals, attained following an automated processing and which may lead to undesirable legal effects on the individual;
  • large-scale processing of special categories of personal data (racial or ethnic origin, political opinions, religious confession, etc.) or personal data concerning criminal convictions and offenses;
  • wide-scale systematic monitoring of an area accessible to the public.
When undertaking the data protection impact assessment study, the controller requests the endorsement of the Data Protection Officer prior to the processing. Furthermore, if the impact assessment reveals a high risk concerning the data processing, it is necessary to consult the surveillance authority. The surveillance authority shall draw up a list of the types of processing operations subject to the requirement to carry out a data protection impact assessment.
The evaluation shall contain both a description of the processing operations and their purposes and the necessity, and proportionality of such processing operations. The risks for the rights and freedoms of the data subjects are assessed, at the same time, in conjunction with the security measures and mechanisms designed to ensure the protection of personal data.
Upon the data processing operations impact assessment the controller or the persons empowered by the controller shall take into account the approved codes of conduct for the purpose of data protection impact assessment. If necessary, the controller must carry out an assessment to verify that the processing is compliant with the data protection impact assessment5.

II. Codes of conduct
The Member States, the surveillance authorities, the committee and the Commission support the creation of codes of conduct designed to help ensure the proper application of the Regulation, of course, in conjunction with the specific needs of companies, while taking into account the specificities of the different processing sectors6.
The code of conduct is a voluntary instrument whereby the controller may demonstrate the conformity of the data processing in accordance with the specific characteristics of the various processing sectors.
The codes of conduct, if these concern processing activities from more than one Member State after these have been carried out, are sent to the surveillance authority, which in turn sends these to the committee where such codes are subject to endorsement, with regard to compliance with the Regulation. As an alternative, if these are not related to processing activities from several states, the surveillance authority issues an endorsement on compliance with the Regulation, and then registers and publishes the code.
The advantages for implementing a code of conduct by the large controllers (at the industry level) are practical, namely: demonstrates compliance and offers clarifications, a transfer may be implemented between Member States and, in addition, is a positive factor in the impact assessment.

III. Certifications
Based on the Regulation, it is encouraged to establish data protection certification mechanisms, as well as seals and trademarks in this area, to demonstrate that the processing of personal data is in accordance with the Regulation. The certification is voluntary and available through a transparent process, but does not reduce the responsibility of the controller or of the person empowered by the controller to comply with the Regulation.

STEP 5. As part of this step, we shall also explain the Regulation from the perspective of the data subject, by exemplifying both the rights of the data subject and the obligations corresponding to those rights, which fall within the responsibility of the controller.
Consequently, we start with the first right provided by the Regulation, namely the right to information on personal data. If a data subject whose personal data has been processed wishes to know what information has been collected by the controller, then, on the basis of a request addressed to the controller, the following data will be made available to him / her7:

  • Identity and contact details of the controller and, where applicable, its representative;
  • Contact details of the Data Protection Officer;
  • Purposes concerning the processing of personal data as well as the legal basis;
  • Recipients or categories of recipients of personal data;
  • Period for which personal data will be stored;
  • Right to request the controller, with regard to the personal data of the data subject, to notify him / her of the existence of all the rights he / she has;
  • Right to file a complaint with the surveillance authority.
With regard to the second right of the data subject, the right to access8, this is reflected in the right to obtain from the controller, if personal data are processed, the following information:
  • Purposes of processing;
  • Target personal data categories;
  • Categories of persons to whom the personal data is to be disclosed;
  • Period for which personal data will be stored;
  • Right to file a complaint with a surveillance authority.
The third right, which the data subject has, is the right to rectification9, which can be synthesized by the person’s right to obtain the rectification of inaccurate personal data concerning him / her, and by completing these data if these are incomplete, namely through the provision of an additional statement.
The fourth right concerns the right to be forgotten or the right to delete the data/i>10, which may be explained by the right to obtain the deletion of the personal data from the controller, if one of the following reasons exists:
  • The personal data is no longer required for the purposes for which it was processed;
  • The data subject withdraws his / her consent on the basis of which the processing takes place;
  • The data subject opposes processing based on the rights conferred by the Regulation;
  • The personal data has been processed illegally;
  • The personal data must be deleted to comply with a legal obligation incumbent on the controller under the Union law or the national law of the controller;
  • The personal data was collected in connection with the provision of services by the information society in respect of minors.
The fifth right of the data subject is the right to restrict the processing of personal data in relation to his / her own person, namely in the following cases11:
  • The data subject disputes the accuracy of the data for a period that allows the controller to verify the accuracy of the data;
  • The processing is illegal and the data subject opposes the deletion of personal data, asking instead for restriction of its use;
  • The controller no longer requires the personal data for processing, but the data subject requests it to find, exercise or defend a right in court;
  • The data subject opposed the processing of his / her right to oppose for the period of time needed to verify that the legitimate rights of the controller prevail over those of the data subject.
If the data subject decides that the processing of personal data is restricted, such data may no longer be stored, but may still be processed, only with the consent of the data subject or for the exercise of a right in court and for the protection of the rights of a natural or legal person, or on grounds of public interest, in accordance with Union law.
The sixth right is the right to data portability12, which is evidenced by the possibility for the data subject to transmit the personal data that a controller holds to another controller in a structured and automatically readable format. This direct transmission of personal data from one controller to another must be technically feasible.
The right to oppose is the seventh right that the data subject has and may be explained by the possibility of opposing the processing of personal data on grounds related to his / her particular situation, including the creation of profiles. If the data subject takes precedence over this right, then the controller can no longer process such data, unless the controller demonstrates that it has legitimate and compelling reasons justifying the processing13.
The last right of the data subject to the processing of personal data is that he / she is not the subject of a decision based solely on automatic processing, including the creation of profiles, which could produce undesirable legal effects or which affects him/ her in a similar way, to a significant extent14.

STEP 6. In this step, we will highlight some of the controller’s obligations in order to better clarify the relationship between the rights of the data subject and the obligations of the controller who carries out the processing of personal data.
As a result, among the obligations listed in the Regulation is the controller’s responsibility and this means the controller’s duty to implement appropriate technical and organizational measures that guarantee and are able to demonstrate that the processing is carried out in accordance with the Regulation15.
The second obligation the controller has is to ensure data protection from the moment the processing is established, as well as during the processing of personal data itself, by all means required by the Regulation, regardless of the implementation costs. Appropriate technical and organizational measures must be taken to effectively implement the data protection principles and significantly reduce the risk of security breaches. These measures ensure that personal data cannot be accessed, without the person’s intervention, by an unlimited number of persons16.
The third obligation of the controller is to keep records of the processing activities carried out by the controller itself or its representative. The records shall be made in writing, including in electronic form.
These records include the following information17:

  • Name and contact details of the controller, its representative and of the data protection officer;
  • Purposes of processing;
  • Description of target data subjects and categories of personal data;
  • Recipients to whom personal data has been or will be disclosed;
  • Transfers of personal data to a third country or international organization;
  • Expected deadlines for deleting different categories of data;
  • General description of technical and organizational security measures;
  • Name and contact details of the person empowered by the controller, as well as of the controller’s representative;
  • Categories of processing activities carried out on behalf of the controller.
Through this step, we have highlighted the obligations that both the controller and its representative have, but we should also consider as an obligation the cooperation with the surveillance authority, and not only when this is required by the Regulation.

STEP 7. In this final step, we will briefly outline how the controller’s liability can be assumed and what sanctions may be imposed on this if it does not comply with the provisions of the Regulation.
Among the rights that the data subject has is the right to file a complaint with a surveillance authority or the right to seek a legal remedy at law, without prejudice to any other administrative, judicial or non-judicial remedies at law available to the data subject, whereby he / she may dispose of freely.
In so doing, the data subject has the right to file a complaint with a surveillance authority in the Member State where he / she resides or where his / her place of work is or where the alleged violation occurred. The surveillance authority to which the complaint was filed shall inform the complainant of the progress and outcome of the complaint, including the possibility of resorting to a legal remedy at law18. Each data subject shall also have the right to a legal remedy at law if the surveillance authority does not deal with a complaint or does not inform the data subject within 3 months of the progress made or the settlement of the complaint.
The rights of the data subject also include the right to be represented by a non-profit organization, organization or body whose statutory objectives are of public interest and which is active in the protection of the rights and freedoms of data subjects with respect to their personal data. These representatives may file the complaint on behalf of the data subject and exercise his / her rights before the competent institutions, including the collection of damages deserved.
Any person who has been injured as a result of a breach of the Regulation and who has suffered damages shall be entitled to compensation from the controller or the person empowered by the controller. As explained above, the controller or person empowered by the controller is responsible for breaches of the provisions of the Regulation, not only before the data subject, but also before the surveillance authority. The pecuniary liability before the surveillance authority is overwhelming for the controller or the person empowered by the latter due to these administrative fines ranging between EUR 10,000,000 or 2% of the company’s worldwide annual turnover, taking into account whichever is higher, and EUR 20,000,000 or 4% of the company’s worldwide annual turnover, taking into account whichever is higher19.

Concluding, even if, at first glance, getting to know the provisions of the GDPR may seem a daunting perspective, following, in the first phase, the above described steps is meant to raise the vail of intangibility that has come over this regulation, and to ensure that its application not only enhances the security of the personal data collected, while also having the collateral effect of bringing us closer to our customers.



Nota:
1  Art. 83 of the GDPR;  2  Art. 4(11) of the GDPR;  3  Art. 37(1) of the GDPR;  4  Art. 83 of the GDPR;  5  Art. 36 of the GDPR;  6  Art. 40 of the GDPR;  7  Art. 13 of the GDPR;  8Art. 15 of the GDPR;  9  Art. 16 of the GDPR;  10  Art. 17 of the GDPR;  11  Art. 18 of the GDPR;  12  Art. 20 of the GDPR;  13  Art. 21 of the GDPR;  14  Art. 22 of the GDPR;  15  Art. 24 of the GDPR;  16  Art. 25 of the GDPR;  17  Art. 30 of the GDPR;  18Art. 77 of the GDPR;  19  Art. 83 of the GDPR





The relationship between the UK and the European Union, or what happens when reactions dominate reason

by Nicoleta PASLARU
December 16th 2016


Each of us has gone through a relationship that, although it had all the premises of a successful confluence, lamentably failed when we let the judgment be shaded by reactions to the detriment of reason. How many times did we not come out of a conversation slamming the door behind us due the unannounced arrival of the noisy friends of our half spoke to the invasion of our conjugal home, of our intimacy? That fear only needed the pretext of a badly understood reply to lead us irrationally into a tirade of observations that inevitably have shaken that relationship.

As in the case of United Kingdom, the European Union Referendum Act of 2015, which allowed the vote on leaving or leaving the European Union (“EU”) of United Kingdom, was the pretext that led to the verbalization of the deepest fears of the British population on immigrants, on the contributions paid to the EU budget, on the occupation of the local vacant jobs by people other than those holding British citizenship. And given this opportunity, the citizens chose reactions rather than reason. They chose to slam the door of the edifice built in 1972, when the United Kingdom signed the Accession Treaty, following which it joined the Treaties of the European Communities on January 1st 1973, an edifice that was built by intellectual, diplomatic effort and guaranteed membership to a single market, if not to a community.

The citizens could not accept that the EU is a living, interacting, exchanging entity that can undergo transformations, but, like other EU Member States, the United Kingdom could remain open to this ever growing entity. The institutional equivalent of the way of thinking of “I’ll pack my bags and go” or “my way or the highway” has, as we can see, to the least disruptive consequences at the level of British society:

The United Kingdom Supreme Court analysed, for three days, between December 5th and 8th 2016, the issue of the Government’s transmission of a notification based on Article 50 of the Treaty on the European Union on the United Kingdom’s intention to withdraw from the European Union, without an act by the Parliament to give it the prior authorization to do so, following to publicly disclose the decision in the beginning of 2017. This analysis arises in the context in which the High Court of Justice has already decided on November 16th 2016 that the Government needs the approval of the British Parliament in order to trigger the exit procedure from the European Union1.

The British citizens are worried about their right to free movement, just like EU companies wishing to do business in the United Kingdom after it’s leaving the EU. At the same time, the citizens of the other EU Member States wonder whether they will need to get a visa to visit this country as a result of its decision to leave the EU2.

Hence, here is how a moment reaction, based on reactions can destroy a future showing development potential. If immigration was one of the fears, why weren’t internal measures taken to accommodate the newcomers? Would the implementation of the idiomatic expression “throwing the baby out with the bathwater” bring more benefits to both the British and the rest of the European Union? It seems that the whole system was rejected, due to some elements that were not fully understood 3.

If in the case of inter-human relationships, one can wipe out the episode of the stormy outflow of the scene of one of the protagonists hunted down by reactions, with calm, reason and understanding, trusting the real possibilities of being able to be fulfilled with someone else, the discontinued connection may be re-established, then in the case of the United Kingdom this is only possible with the application of Art. 49 of the Treaty on the European Union4.

Pending the decision of the Supreme Court of Justice, the United Kingdom Government is planning to trigger the EU exit procedure by the end of March 20175, which will initiate some two-year rounds of talks that will address the conditions for Britain’s withdrawal from the EU. In these two years, negotiators will use their intellect to safeguard the rights and freedoms guaranteed to any EU Member State, so that the British citizens will be affected as little as possible by this process. What guarantees are there in the sense of keeping the status-quo? None. Let us consider ourselves lucky that the interpersonal relationships have the chance to restore themselves more easily.