Published by Holly Greer. Modified over 7 years ago.
1
Industry 4.0 – New ways of cooperative working – are we prepared?
Michael Schramm, LL.M. (Minnesota); HK2 Rechtsanwälte, Berlin
2
Industry perspective on cooperation
- worldwide network of IT systems allows for collection of large amounts of data (big data)
- transmission and sharing of data across borders
- processing of data in the translation industry
- machine translation from existing translation data (statistical and neural)
- use of cloud services (SaaS, hosting, cooperation)
3
Use of cloud services…
(diagram: cloud user, client, third-party users and machine translation exchanging data through the cloud)
4
Legal perspective on cooperative working
Caring is not sharing…
5
…of personal data!
6
Personal data, art. 2 a) General Data Protection Regulation (GDPR):
'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Basic principle: processing is prohibited unless permitted.
7
Data protection regulation in the EU
Today: Directive 95/46/EC
- minimum harmonisation, implementation into national law required
- additional sector-specific regulation (e.g. telecommunication)
- consequence: 28 different national data protection laws with a common core
2018: EU General Data Protection Regulation (GDPR)
- takes effect on May 25th
- single data protection regime for the entire EU
- applies directly and replaces national data protection laws
- full harmonisation, but flexibility clauses for national regulations of member states
8
Why you should care – tougher fines!
GDPR raises the fines imposed dramatically
- Germany, § 43 BDSG: max. fine – €
- Austria, § 54 DSG: max. fine – €
- art. 83 GDPR: fines up to € or 4 % of total worldwide annual turnover
- liability of directors of a company
9
What's most important when processing personal data under GDPR
- legal basis and general principles
- sharing of personal data (e.g. when using cloud services)
- protection of personal data
- new duties under GDPR
- designation of a data protection officer
- rights to information of data subjects
10
Principles of data processing (diagram, grouped into limitation, information and protection):
- purpose limitation
- data minimisation
- storage limitation
- integrity & confidentiality
- lawfulness, fairness & transparency
- accuracy
11
Privacy by design and by default, art. 25
- implementation of the data processing principles through technical and organisational measures
- privacy by design: choose measures that best incorporate the principles
- privacy by default: configurations of measures should be set to the highest level of data protection as default
12
Legal basis of processing
- required for every processing of personal data
- legal bases enumerated in art. 6: consent, contract, legitimate interest, …
- member states can regulate additional national permissions
13
Consent
- any processing can be based on consent
- conditions for valid consent: free from influence or pressure, based on complete information, unambiguous (not in fine print)
- higher requirements for special categories of personal data (e.g. financial, health, sexual, religious data etc.)
14
Legitimate interest
Examples mentioned in GDPR:
- direct marketing
- transmission of data within a group of undertakings for administrative purposes (not to third countries); still: no general privilege for groups of undertakings
- commissioned data processing
(diagram: balancing the fundamental rights or freedoms of the data subject against the legitimate interest of the controller)
15
Commissioned data processing
- "outsourcing" of data processing (e.g. SaaS) has to be governed by a separate agreement
- processing only according to the instructions of the controller
- no consent needed for transmission
16
The new data processing agreement
- necessity for an agreement already in the directive
- GDPR: mandatory content of the agreement (based on German § 11 BDSG):
  - processing only according to the instructions of the controller
  - application of necessary technical and organisational measures
  - conditions on subcontracting
  - support in fulfilment of data subjects' rights
  - duty to inform
17
International data transfer
- outside the EU: adequate level of data protection in the destination country required
- sufficient protection through:
  - adequacy decision by the Commission
  - EU Standard Contractual Clauses
  - binding corporate rules
- new mechanisms under GDPR: codes of conduct, certifications
18
Data transfers to the United States
- economic necessity to allow data transfer to the US
- law enforcement agencies have access to personal data without warrant
- Safe Harbor Agreement (2000): self-certification of US businesses; declared void by the ECJ in 2015 in light of the NSA scandal
19
What to do? EU-US Privacy Shield (2016)
- similar construction, similar problems
- no legally binding guarantees for EU citizens, just a promise by the US government to restrict access to data
- protection for non-Americans has already been reduced under Trump
- risk of being declared void
- better alternative: EU Standard Contractual Clauses? suffers from the same defects
20
Data transmission after Brexit
- Great Britain will leave the EU in May 2019
- has to adopt GDPR in 2018
- might become a "third country": adequate level of protection? repeated calls for extensive surveillance of internet traffic
- alternative: use of EU Standard Contractual Clauses
21
Technical and organisational measures (TOM)
- securing the processing of data in relation to the risk
- should take into account: nature, extent & purpose of processing; likelihood and severity of risk; state of the art of the measure
- controller evaluates the TOM of the processor
22
Data Protection Officer (DPO)
- independent data protection consultant: informs and advises, monitors compliance, interacts with the supervisory authority
- duty for controllers and processors
- can be a staff member
- possibility to designate a DPO for the entire group
23
When do I need a DPO?
art. 37 (1): when core activities are
- regular or systematic monitoring of data subjects, or
- processing of special categories of data
Member states can require a DPO in additional circumstances:
- Germany kept its existing rules in the new BDSG (regular processing of personal data by more than 9 persons)
- Austria (DSG draft): no specific regulation
DPO in the translation industry?
- translation ≠ monitoring of data subjects
- frequent translation of documents containing special category data
24
Information duties
Duty to inform about the processing of personal data, art. 13, 14:
- purpose of processing
- legitimate interest (if invoked)
- recipients of data
- intended transfers to third countries
- duration of data storage
- right to demand rectification or erasure of data
- right to withdraw consent
- …
Similar to a privacy policy on a website.
25
To Dos
- processing of personal data only on a valid legal basis
- conclusion of a data processing agreement when necessary (e.g. outsourcing, cloud services); re-evaluate concluded agreements
- secure transfer of personal data outside the EU
- appropriate technical and organisational measures
- evaluate the obligation to designate a data protection officer
- obligation to inform data subjects about processing
26
Do you have any questions?
Michael Schramm, LL.M. (Minnesota)
HK2 Rechtsanwälte
Hausvogteiplatz 11A
10117 Berlin
phone +49 (0)
fax +49 (0)