Presentation privacy law Regulation (EU) 2016/679 Jop Fellinger
Regulation (EU) 2016/679 General Data Protection Regulation (GDPR) Will come into effect on May 25, 2018 and replaces all national legislation in the EU. This, together with a system to appoint a single supervisor for multinationals, is a great step forward. Threats: huge implementation and mindset change, even larger fines Opportunities: ongoing and great reason to engage with your customers.
Purpose of this presentation What do we want to achieve with this brief presentation? We will have a global understanding of what personal data are; We will be able to understand the principles behind GDPR; We will be able to see why GDPR has an impact outside the EU.
Definitions Personal Data means any information relating to an identified or identifiable natural person “data subject.” This can be directly or indirectly by reference to an identifier specific to that natural person. Processing means any operation or set of operations which is performed in personal data. Controller means the natural or legal person which alone or jointly determines the purposes and means of the processing. Processor means a natural or legal person which processes personal data on behalf of the controller.
Obligations under GDPR Process personal data taking into account due diligence, transparency and accountability towards the data subjects. Not only via an easy to read privacy statement, but also with a clear reference to lawfulness such as consent, performance under a contract or necessary for the purposes of the legitimate interest pursued by the controller. Maintain a record of processing activities under your responsibility. Be clear about the purpose of the processing. Data minimization: Only process the data necessary for the purpose. Make sure the personal data are not processed longer than necessary.
Accurate. The processed data have to be correct or else be corrected. Integrity and security. Take appropriate technical and organizational measures against unauthorized or unlawful processing use.
New rights of data subjects The right to erasure; The right to rectification; The right of access The right to restriction of processing; The right to data portability; The right to object to direct marketing and automated decison making;
Controllers and Processors will have to be able to respond within 4 weeks to a request based on these rights.
Impact of GDPR outside the EU GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. GDPR applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services irrespective of whether a payment from the data subject is required, to such data subjects in the EU or monitoring of their behavior as far as the behavior takes place in the EU.
Transfer of personal data to third countries: Privacy Shield: www.privacyshield.gov EU Model Clauses as means of processor agreement with controller: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en
Disclaimer: Although utmost care has been taken to provide correct information, this presentation cannot replace legal advice. Neither Fruytier Lawyers in Business B.V. nor Mr. J.H. Fellinger can be held liable in anyway or form on the basis of this presentation or the discussion that has taken place in the presentation.
Thank you for your attention! Jop Fellinger Tel: +31(0)6 513 272 11 E-mail: jfellinger@flib.nl