Let’s be clear about GDPR
1. GDPR IN BRIEF:
- Clarifies the rules on information notices and consent
- Defines limits for the automated processing of personal data
- Lays the foundations for the exercise of new rights
- Establishes strict criteria for the transfer of personal data outside the EU
- Establishes strict rules for Data Breaches.
2. GDPR APPLIES TO:
Art. 2 GDPR: Material scope of application
“This Regulation applies to the wholly or partially automated processing of personal data and to the non-automated processing of personal data contained in an archive or intended to be included…”
One of the main features of the Regulation is its impact on all companies that use European citizens’ personal data, whether or not they operate in EU territory.
All companies, wherever they are established, will have to comply with the new rules.
Companies and public entities will have more responsibilities and, in case of non-compliance with the rules, will risk heavy penalties.
Art. 3 GDPR: Territorial scope of application
The Regulation applies to a company that has:
- an establishment in the European Union, if the processing concerns the activities carried out by that establishment. In this case, the nationality of the data subject does not count, nor does it matter whether services or goods are offered in the Union;
- an establishment outside the European Union, if it carries out activities (e.g. monitoring or profiling) or offers goods and services in the Union to subjects located, even temporarily, inside the Union. The nationality of the latter does not count.
It is important to note that the Regulation treats as an “establishment” of the company the presence of a company representative, or the performance of certain activities (such as “consumer tracking”), inside the Union.
3. THE REGISTER OF DATA PROCESSING: WHAT DOES IT CONTAIN AND WHEN IS IT NECESSARY?
Article 30 of European Regulation 2016/679 provides an important corporate compliance tool for personal data: the register of personal data processing activities.
Kept by the data processing Owner, also in electronic format, this register must be made available to the Guarantor Authority when required, as stated by paragraph 4 of Art. 30: “upon request, both the data processing Owner and Officer, and where applicable their representative, should make available the Register of data processing to the supervisory authority.”
4. WHAT SHOULD THE REGISTER OF DATA PROCESSING CONTAIN?
- The name and contact details of the data processing Owner and Officer, and of their representatives.
- The purposes of the processing.
- A description of the categories of data subjects and of the categories of personal data.
- The categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries.
- Any transfers of personal data to third countries, with the identification of those countries.
- The envisaged time limits for the deletion of the different data categories.
- A general description of technical and organizational security measures.
The register is therefore one of the main changes and one of the most important obligations concerning processing activities.
The data processing Owner is required to document its organization’s compliance with the measures; this obligation also applies to the data processing Officer, for the processing it carries out on behalf of the data processing Owner.
5. WHO SHOULD IMPLEMENT THIS TOOL?
The obligation to create and adopt the Register is not generic: in fact, par. 5, Article 30 specifies that it is not obligatory for “companies or organisations with fewer than 250 employees, unless the data processing they carry out could adversely affect the rights and freedom of the data subject, is occasional or includes the processing of special categories of data referred to in Article 9, paragraph (1), or personal data relating to criminal convictions and offences referred to in Article 10”.
Moreover, the adoption of the Register should not be considered a mere obligation: drafting it can also serve further purposes, such as spreading information, awareness and internal sharing, and it can become the tool for planning and monitoring the data security policy and the databases.
6. DATA PROTECTION OFFICER
The Data Protection Officer (DPO) is a figure introduced by the new European Data Protection Regulation.
The DPO is the evolution of the “privacy officer”, a figure provided for by European Directive 95/46, whose Art. 18 allowed EU member states to provide simplifications or exemptions where an independent entity was appointed to ensure enforcement of the rules.
The DPO is therefore an expert consultant who supports the Owner in managing issues regarding the processing of personal data. This guarantees that the issue is addressed exclusively by a qualified professional who is up to date on risks and security measures, given the growing importance and complexity of the sector.
The role of the DPO may be entrusted to one of the company’s employees, but it may also be outsourced to a service provider (a freelancer or a company) through a specific service contract, in which case the data controller must also be appointed.
The DPO is designated (Article 37) by the data Owner or data Controller on the basis of a specific contract. The designation should be communicated to the National Supervisory Authority.
Such designation is mandatory in three cases only:
1. For public administrations and entities (except judicial authorities in the exercise of their functions).
There is no definition of “public authority” in the European Regulation, so the indication should be interpreted according to national law. In particular, the Article 29 Working Party has recommended the appointment of a DPO also for private bodies entrusted with the performance of public functions or exercising public powers (e.g. electricity supply, public transport).
2. Where the main activity of the Owner or the Officer is the processing of data which, because of its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale.
The Article 29 Working Party recommends considering various factors, such as the number of data subjects (in absolute terms or as a percentage of the reference population), the volume of data, the different types of data processed, the duration of the processing, and the geographical scope of the processing. Regular and systematic monitoring is defined as monitoring that takes place continuously or within a well-defined time frame, that is repeated at constant intervals or carried out in an organized and methodical manner, or that is carried out on the basis of strategic planning (e.g. telecommunications services, marketing, geo-localization, retention, monitoring of health and fitness data through wearable devices, redirection of e-mails).
3. Where the main activity is the large-scale processing of sensitive data: health, sex life, genetic, judicial and biometric data. The monitoring of personal behaviour includes all forms of Internet monitoring and profiling, including for behavioural advertising.
Benedetta Fantauzzi – OmnitechIT Governance, Risk & Compliance Team