How subcontractors can reuse data: CNIL outlines specific conditions

Subcontractors can reuse data only under specific conditions, which CNIL has now set out in context.

Under the GDPR, several conditions need to be met before a subcontractor may reuse data provided to it by the data controller. The French regulator, CNIL, has outlined the context in which such reuse by the subcontractor is allowed. A data processor is normally meant to process data only at the request of the controller, and never for its own purposes. However, in some cases a subcontractor may wish to reuse that data for a specific purpose of its own, such as improving its products or services. In these cases, a controller may authorise a subcontractor to reuse the data for its own purposes, but only if several conditions are met. CNIL has outlined these conditions in a recent article. It is important to note that, once authorised to reuse the data for its own purposes, the processor becomes the controller responsible for this new processing.

Before processing by a subcontractor can begin, a compatibility test must be run.

Before any “subsequent processing” (processing which follows the collection operation and serves purposes other than those of the initial collection) can take place, the data controller must run a compatibility test. The purpose of this test is to determine whether the further processing is compatible with the purpose for which the data was initially collected. In running it, the data controller considers whether there is a link between the purposes for which the personal data was collected and the purposes of the intended subsequent processing. Other relevant factors include the context in which the personal data was collected and the nature of the personal data. It is also necessary to consider the use of appropriate safeguards, which may include encryption or pseudonymisation. The compatibility test must be carried out per processing operation, taking into account the purposes and characteristics of each operation for which the subcontractor wishes to reuse the data. Only if the results of the test are satisfactory is the data controller then free to give or withhold its consent.

Authorization for the reuse of data must be in writing, and the data subjects must be informed by the controller.

The GDPR requires that a contract or other written legal act, which may be in electronic form, be drawn up to govern the processing carried out by a subcontractor. In addition, the controller must ensure that data subjects are adequately informed of the reuse of their data for new purposes; in particular, the controller must indicate whether they can object to it. In practice, it is recommended that the initial data controller provide, where possible, all the information on the processing. The controller may delegate this task to the subcontractor if the subcontractor already holds the contact details of the persons concerned.

The responsibility for ensuring the compliance of the subsequent processing rests with the subcontractor.

The subcontractor is responsible for ensuring that the new processing complies with the GDPR, and may be sanctioned by CNIL if it fails to do so. It must ensure that the data is processed in line with the regulation, and only for the intended, compatible purposes for which written consent was given. As the controller of the further processing, it must ensure that the processing serves a well-defined purpose and rests on a legal basis suited specifically to that purpose.

CNIL’s article makes specific mention of defining an adequate retention period and of providing data subjects with information on any indirect collection that the initial controller has not already provided (subject to applicable exceptions). Particular attention also needs to be paid to appropriate security measures, data minimisation and, overall, maintaining the protection of data subjects’ rights.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

A Memorandum of Understanding has been Signed Between the UK’s ICO and the Office of the Australian Information Commissioner

A Memorandum of Understanding has been signed between the UK’s ICO and the Office of the Australian Information Commissioner (OAIC), to facilitate cooperation and collaboration.

A memorandum of understanding has been signed between the UK’s ICO and the Australian Information Commissioner, because the two share similar functions and duties in their respective countries. Both parties have recognised the need for greater cross-border enforcement and cooperation, given the nature of the modern global economy and the rate at which personal data crosses borders. By signing this memorandum of understanding, the parties have set out the broad principles of their collaboration and a legal framework governing the exchange of relevant information and intelligence between them.

Overview of the Scope of the Memorandum of Understanding.

The memorandum of understanding the parties signed last month should not be read as obliging either party to cooperate with the other. There is no legal requirement to cooperate in circumstances that would breach their individual responsibilities. It is simply a way for the two parties to deepen and develop their existing relationship, in order to promote exchange and assistance in enforcing the laws that protect personal information. The intent is to work together by sharing expertise, experience and best practice, cooperating on specific projects and investigations, and sharing information and intelligence to support their individual and collective work. This collaboration is not intended to involve the sharing of any personal data. If the parties do wish to share personal data, they will consider compliance with their own data protection laws, which may require entering into a written agreement or arrangement on the sharing of that data. Under section 132(1) of the DPA 2018, the UK Commissioner may share certain information only where she has the lawful authority to do so.

Review of the Memorandum of Understanding.

The UK’s ICO and the OAIC will monitor the operation of their memorandum of understanding and review it every two years; either party may request an earlier review. Each party has a designated point of contact in case any issues arise in relation to the memorandum. The agreement may only be amended by the parties in writing, signed by each of them.

As stated above, the memorandum of understanding between the ICO and the OAIC does not affect transfers of personal data between the two countries. There is currently no adequacy decision for data transfers to Australia, so one of the safeguards provided for in the GDPR, such as Standard Contractual Clauses or Binding Corporate Rules, should apply. Furthermore, one should note that an anti-encryption law was passed two years ago in Australia which obliges Australian companies to build backdoor access to information so that it is available to the Government, while forbidding them from disclosing the existence of such a system to their users or customers, which directly conflicts with the GDPR.

Do you have questions about how this new agreement may affect your company? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

The FCA, ICO and FSCS release a Joint Statement Warning FCA Authorised Firms and IPs to be Responsible with Personal Data

The Financial Conduct Authority (FCA), the Information Commissioner’s Office (ICO) and the Financial Services Compensation Scheme (FSCS) release a joint statement warning FCA authorised companies and Insolvency Practitioners (IPs) to be responsible when dealing with customers’ personal data.

On February 7th 2020, the Financial Conduct Authority (FCA), the Information Commissioner’s Office (ICO) and the Financial Services Compensation Scheme (FSCS) released a joint statement warning FCA authorised firms and insolvency practitioners (IPs) against the unlawful sale of clients’ data to claims management companies (CMCs). This is because it has come to their attention that some FCA-authorised firms and IPs have attempted to sell clients’ personal data to these CMCs unlawfully. The CMCs may not be acting in consumers’ best interest and may also be unlawfully marketing their services.

While the FCA Handbook requires CMCs to act honestly, fairly and professionally in line with the best interests of their customers, they may not in fact be doing so. CMCs that intend to buy and use such personal data must demonstrate their compliance with privacy laws. Although contracts vary, standard contracts typically do not provide sufficient legal consent for personal data to be shared with CMCs for marketing their services, and such sharing may not be lawful.

Why Selling Customers’ Data to CMCs may not be Lawful.

Apart from the fact that most standard contracts simply do not provide the legal consent needed for customers’ personal data to be sold to CMCs, companies that pass on customers’ personal information may also fail to meet the requirements of the Data Protection Act 2018 and the GDPR. Furthermore, any direct marketing calls, texts or emails made by CMCs may breach the Privacy and Electronic Communications Regulations 2003 (PECR).

What are the implications of such breaches in data protection legislation?

Companies are required by law to abide by the Data Protection Act 2018, the GDPR and the FCA Handbook. For FCA authorised companies and IPs in particular, the CMCOB (Claims Management: Conduct of Business) sourcebook applies. Where the ICO or FCA finds a company to be in breach of any of these data protection laws, it will take appropriate action, and there could be serious legal consequences.

Time and again, we see fines imposed on companies for breaches of these data protection laws; just last week, we reported on the Italian DPA fining TIM SpA in excess of EUR 27 million for unlawful data processing.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and UK Data Protection Act? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

The UK’s ICO Releases Statement on Data Protection and Brexit Implementation.

The ICO has released a statement on the implementation of Brexit and the implications on data protection.

On January 31, 2020, the UK officially left the European Union and entered a Brexit transition period, which runs through December 2020. Shortly before, on January 29th, the UK’s ICO released a statement on the implications of Brexit for data protection. The ICO reiterates that it will continue to act as the lead supervisory authority for businesses and organisations operating within the UK.

During the transition, the GDPR will continue to apply, and the ICO advises businesses that process customers’ personal data to keep following its guidelines and the protocols already in place. The GDPR will cease to apply at the end of the transition period; however, the UK government intends to incorporate the provisions of the GDPR into UK data protection law beyond December 2020.

That said, businesses and organisations that offer goods or services to people in the EU will still be expected to follow the EU’s version of the GDPR beyond the transition period. For now, however, these companies and organisations will not need to appoint a European representative. GDPR transfer rules will apply to any data coming from the EEA into the UK, so these companies may need help deciding how to transfer personal data to the UK in line with the GDPR.

The ICO has also updated their Brexit FAQs to reflect any recent changes. They will continue to update their external guidance as they regularly monitor the situation.

Does this sound like too much to plan? We have prepared a summary of the ICO guidance below:

Will the GDPR continue to apply in the UK?
During the transition period (until the end of 2020): Yes.
After the transition period: It will depend on negotiations. The default position is the same as for a no-deal Brexit. However, the GDPR will be brought into UK law as the ‘UK GDPR’.

Is an EU Representative necessary?
During the transition period: No.
After the transition period: Yes, if you are offering goods or services to, or monitoring the behaviour of, individuals in the EEA.

What will the UK data protection law be?
During the transition period: Data Protection Act 2018 (DPA 2018).
After the transition period: The provisions of the GDPR will be incorporated directly into UK law from the end of the transition period, to sit alongside the DPA 2018.

What role will the ICO have?
During the transition period: The ICO will remain the independent supervisory body regarding the UK’s data protection legislation.
After the transition period: The ICO will remain the independent supervisory body regarding the UK’s data protection legislation.

Can we still transfer data to and from Europe?
During the transition period: Yes.
After the transition period: From the end of the transition period, GDPR transfer rules will apply to any data coming from the EEA into the UK.

Does your company process customers’ personal information in the UK? If so, Brexit may affect the way you process personal data. Aphaia’s data protection impact assessments and Data Protection Officer outsourcing will assist you with ensuring compliance.