Industry 4.0 – New ways of cooperative working – are we prepared?


Industry 4.0 – New ways of cooperative working – are we prepared? Michael Schramm, LL.M. (Minnesota); HK2 Rechtsanwälte, Berlin

Industry perspective on cooperation
- worldwide network of IT systems allows for
  - collection of large amounts of data (big data)
  - transmission and sharing of data across borders
- processing of data in the translation industry
  - machine translation from existing translation data (statistical and neural)
  - use of cloud services (SaaS, hosting, cooperation)

Use of cloud services…
[Diagram. Labels: cloud, user, client, third party users, machine translation]

Legal perspective on cooperative working Caring is not sharing…

…of personal data!

Personal data
- art. 2 a) General Data Protection Regulation (GDPR): 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
- basic principle: processing is prohibited unless permitted

Data protection regulation in the EU
- today: Directive 95/46/EC
  - minimum harmonisation, implementation into national law required
  - additional sector specific regulation (e.g. telecommunication)
  - consequence: 28 different national data protection laws with common core
- 2018: EU General Data Protection Regulation (GDPR)
  - takes effect on May 25th
  - single data protection regime for entire EU
  - applies directly and replaces national data protection laws
  - full harmonisation, but flexibility clauses for national regulations of member states

Why you should care – tougher fines!
- GDPR raises fines imposed dramatically
- Germany, § 43 BDSG: max. fine – € 300.000
- Austria, § 54 DSG: max. fine – € 25.000
- art. 83 GDPR: fines up to € 20.000.000 or 4 % of total worldwide annual turnover
- liability of directors of a company

What’s most important
- processing personal data under GDPR
  - legal basis and general principles
  - sharing of personal data (e.g. when using cloud services)
  - protection of personal data
- new duties of GDPR
  - designation of data protection officer
  - rights to information of data subjects

Principles of data processing
- purpose limitation
- data minimisation
- storage limitation
- integrity & confidentiality
- lawfulness, fairness & transparency
- accuracy
[Diagram. Group labels: limitation, information, protection]

Privacy by design and by default, art. 25
- implementation of data processing principles through technical and organisational measures
- privacy by design: choose measures that best incorporate principles
- privacy by default: configurations of measures should be set to highest data protection as default

Legal basis of processing
- is required for every processing of personal data
- legal bases enumerated in art. 6
  - consent
  - contract
  - legitimate interest
  - …
- member states can regulate additional national permissions

Consent
- any processing can be based on consent
- conditions for valid consent
  - free from influence or pressure
  - based on complete information
  - unambiguous (not in fine print)
- higher requirements for special categories of personal data (e.g. financial, health, sexual, religious data etc.)

Legitimate interest
- examples mentioned in GDPR
- direct marketing
- transmission of data within group of undertakings for administrative purposes (not to third countries)
- still: no general privilege for group of undertakings
- commissioned data processing
[Diagram. Labels: fundamental rights or freedoms, data subject, legitimate interest, controller]

Commissioned data processing
- "outsourcing" of data processing (e.g. SaaS)
- has to be governed by a separate agreement
- processing only according to instructions of controller
- no consent needed for transmission

The new data processing agreement
- necessity for agreement already in directive
- GDPR: mandatory content of agreement (based on German § 11 BDSG)
  - processing only according to instructions of controller
  - application of necessary technical and organisational measures
  - conditions on subcontracting
  - support in fulfilment of data subject's rights
  - duty to inform

International data transfer
- outside EU: adequate level of data protection in destination country required
- sufficient protection through
  - adequacy decision by commission
  - EU Standard Contractual Clauses
  - binding corporate rules
- new mechanisms by GDPR
  - codes of conduct
  - certifications

Data transfers to the United States
- economic necessity to allow data transfer to the US
- law enforcement agencies have access to personal data without warrant
- Safe Harbor Agreement (2000)
  - self certification of US businesses
  - was declared void by ECJ in 2015 in light of NSA scandal

What to do?
- EU-US Privacy Shield (2016)
  - similar construction, similar problems
  - no legally binding guaranties for EU-citizens obligation, just promise by US government to restrict access to data
  - protection for Non-Americans has already been reduced under Trump
  - risk of being declared void
- better alternative: EU Standard Contractual Clauses?
  - suffers from same defects

Data transmission after Brexit
- Great Britain
  - will leave EU in May 2019
  - has to adopt GDPR in 2018
  - might become a "third country"
- adequate level of protection?
  - repeated calls for extensive surveillance of internet traffic
- alternative: use of EU Standard Contractual Clauses

Technical and organisational measures (TOM)
- securing the processing of data in relation to risk
- should take into account
  - nature, extent & purpose of processing
  - likelihood and severity of risk
  - state of the art of measure
- controller evaluates TOM of processor

Data Protection Officer (DPO)
- independent data protection consultant
  - informs and advises
  - monitors compliance
  - interacts with supervisory authority
- duty for controllers and processors
- can be a staff member
- possibility to designate DPO for entire group

When do I need a DPO?
- art. 37 (1): when core activities are
  - regular or systematic monitoring of data subjects, or
  - processing of special categories of data
- member states can require DPO in additional circumstances
  - Germany kept its existing rules in new BDSG (regular processing of personal data by more than 9 persons)
  - Austria (DSG-draft): no specific regulation
- DPO in translation industry?
  - translation ≠ monitoring of data subjects
  - frequent translation of documents containing special category data

Information duties
- duty to inform about processing of personal data, art. 13, 14
  - purpose of processing
  - legitimate interest (if invoked)
  - recipients of data
  - intended transfers to third countries
  - duration of data storage
  - right to demand rectification or erasure of data
  - right to withdraw consent
  - …
- similar to privacy policy on website

To Dos
- processing of personal data only on valid legal basis
- conclusion of data processing agreement when necessary (e.g. outsourcing, cloud services), re-evaluate concluded agreements
- secure transfer of personal data outside EU
- appropriate technical and organisational measures
- evaluate obligation to designate data protection officer
- obligation to inform data subjects about processing

Do you have any questions? Michael Schramm, LL.M. (Minnesota) HK2 Rechtsanwälte Hausvogteiplatz 11A 10117 Berlin phone +49 (0) 30 27 89 00-0 fax +49 (0) 30 27 89 00-10 e-mail schramm@hk2.eu www.hk2.eu