GDPR-CARPA certification mechanism adopted by CNPD

Luxembourg adopted the GDPR-CARPA certification mechanism, becoming the first country to introduce a certification mechanism under the GDPR.


The National Data Protection Commission of Luxembourg (CNPD) adopted its GDPR-CARPA (Certified Assurance-Report based Processing Activities) certification mechanism last month. It is the first certification mechanism under the GDPR to be adopted at national or international level. Companies and other organisations established in Luxembourg now have the opportunity to demonstrate that their data processing activities comply with the GDPR. This provides controllers and processors with a high level of compliance with the regulation for the data processing activities covered by the certification. The GDPR certification mechanism does not certify an organisation as such, but rather specific processing operations.


The personal data protection certification was developed with the help of professional auditors and was also reviewed by the EDPB.


The CNPD, as owner of this certification mechanism, will accredit the entities that will issue the GDPR certification. The accreditation criteria were developed by the CNPD following numerous exchanges it has had with audit professionals since the GDPR came into effect in 2018. The accreditation is based on ISAE 3000 (audit), ISQC 1 (quality control of auditing organisations) and ISO 17065 (licensing of certification entities). The accreditation criteria highlight the work done by the certification entity and the professional auditors. After the CNPD released the first version of this certification mechanism, other European data protection authorities examined the criteria under the consistency mechanism, and the EDPB then issued a formal opinion on GDPR-CARPA. More generally, the CNPD has been a driving force behind the progress made by the EDPB in the field of certification: the authority has acted as rapporteur for the adopted guidance or has assisted the EDPB in issuing formal opinions on this novel subject.


The implementation of the GDPR-CARPA certification mechanism will help build trust in the processing of the personal data covered by this mechanism.


The implementation of a certification mechanism can help promote transparency and compliance with the GDPR. It can also help data subjects to feel assured of the degree of protection offered by the products, services, processes or systems used or offered by the organisations that process their personal data. A unique feature of the CNPD certification mechanism is that it is based on an ISAE 3000 Type 2 report, with the auditor being formally responsible for the implementation of the control mechanism. This offers a guarantee of a high level of confidence, which is key to the relevant actors and data subjects building trust in the processing of any personal data covered by this certification scheme.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Data sharing for charities: guidance from CNIL

CNIL recently published guidance relating to data sharing for charities for the purposes of prospecting.


CNIL recently published guidance relating to data sharing for charities for the purposes of prospecting. According to CNIL, these guidelines are geared towards any association or foundation appealing to the generosity of the public to receive donations which wishes to transmit the data files of its donors or contacts for the purposes of charitable or commercial prospecting. The applicable rules vary slightly depending on whether the data are reused for charitable canvassing or for commercial canvassing. The guidance is also geared towards commercial companies that sell or rent prospect files to charities for charitable prospecting.


Organisations collecting prospect data must inform the data subjects that their data may be transferred to other organisations for charitable prospecting.


The rules applied to prospecting for charitable purposes are slightly less strict than those governing commercial prospecting. An organisation can transmit the data of its donors or contacts to another organisation for charitable prospecting purposes, subject to basic conditions under the GDPR. This prospecting may be done by mail, phone calls or electronically; electronic prospecting includes methods such as SMS, e-mails or automated calls. Under the GDPR, the parties concerned (donors and contacts) must have been informed, at the time their data was initially collected by the association collecting it and offering it to another organisation, that the data would be used for charitable prospecting purposes. Data subjects must, at that time, be informed of the possible transmission of their data to partners for charitable prospecting purposes.


Prospects must consent to the use of their data for commercial prospecting at the time their data is collected.


In some cases, an association or foundation appealing to the generosity of the public may wish to transmit the data of its prospects to another organisation for the purposes of commercial prospecting. In these instances, the prospects must have given their explicit consent, at the time their contact information was collected, to the use of their data specifically for commercial prospecting. In addition, prospects or donors must be able to object to either of these uses beforehand, in a simple and free manner: for example, it should be as easy as ticking a box made available to them when the data is collected. They must also be able to withdraw consent at any time, in particular at each contact.


An organisation receiving the data of prospects or donors becomes responsible for processing this data and must comply with the GDPR rules governing that processing.


Once an organisation has received the data of donors or contacts from the organisation that collected it, the receiving organisation becomes responsible for processing this data and must comply with the GDPR rules governing that processing. It must provide the data subjects with all relevant information, at the very latest during its initial communication with them. This includes, in particular, the source from which their personal data was obtained, as well as all other applicable information provided for under Article 14 of the GDPR. At the initial contact, as well as at each new solicitation, the data subject must be able to easily opt out of being contacted again.


Google Analytics custom features do not make transfers legal, according to CNIL

CNIL has announced that even with the use of Google Analytics custom features, transfers are still not legal.


CNIL recently announced that even with the use of Google Analytics custom features, transfers are still not legal in the absence of a transfer deal between Europe and the US. The announcement was added as a point of clarification to the Q&A on CNIL’s website, after numerous businesses had hoped that the customisation tool could be used to allow data transfers from Europe to the US through Google Analytics. However, according to CNIL, the use of this tool still does not comply with the GDPR despite the precautionary options now available.


While efforts have been made to replace the invalidated Privacy Shield, authorities say there is still a long way to go.


Earlier this year, CNIL sent formal notices to a series of companies after deciding that data transfers to the US via Google Analytics were illegal. This decision was based on the Schrems II judgment, which invalidated the Privacy Shield two years ago. While a decision to replace the deal was announced, there is still a long way to go. European Commission Vice-President Margrethe Vestager confirmed at the International Cybersecurity Forum earlier this month that negotiations are “finalised”, but that “a lot of work remains to be done.”


In the absence of the Privacy Shield, CNIL has addressed questions and concerns regarding other solutions that have been offered.


While we await a replacement for the Privacy Shield, CNIL has been very vocal, providing clarification when necessary. The authority addressed a question on the possibility of configuring Google Analytics so as to avoid transferring personal data outside the EU. CNIL’s response to this was an unambiguous “no”, followed by an explanation that “the use of solutions proposed by companies subject to non-European jurisdictions is likely to pose difficulties in terms of access to data.” This remains the case even in the absence of a transfer, as Google has confirmed to CNIL that all data collected by Google Analytics is hosted on US soil.


Many of the proposed solutions are not deemed satisfactory, as any personal data transferred to the US appears to be at risk.


Google has proposed additional guarantees such as anonymisation and encryption, but none of these solutions are deemed satisfactory by CNIL. CNIL acknowledges that Google offers an IP address anonymisation feature; however, this does not apply to all transfers, and Google has been unable to demonstrate that the anonymisation happens before the data is transferred to the US. Unique identifiers are also not a satisfactory solution, as individuals can still be identified by associating those identifiers with other data. CNIL states that the encryption solutions offered by Google are ineffective, as Google itself provides and stores the encryption keys, which allows the company to access the personal data if it so wishes. As a result, any company or organisation wishing to use the tool needs to obtain explicit consent from the individuals concerned.


The concept of “data exporter” clarified by the Danish DPA

In the light of the Schrems II judgment by the CJEU, questions relating to the concept of “data exporter” have been clarified by the Danish DPA.


Since the CJEU’s Schrems II judgment, the Danish Data Protection Agency has received an increasing number of questions relating to the transfer of personal data to third countries. Many of these questions concern the concept of “data exporter” and who, in practice, is responsible for ensuring that the transfer of personal data takes place in accordance with data protection regulations, especially in larger, more complex data processing situations. While the term “data exporter” is not defined in the GDPR, the concept is defined in the EU Commission’s standard contract, which is one of the most widely used transfer bases under Chapter V of the GDPR. As a result, the Danish DPA has decided to provide clarification on the role and concept of a “data exporter.”


A data controller or processor in a third country to whom data is transferred under a standard contract is considered a “data importer.”


A standard contract can be entered into by an EU data controller who transfers personal data to a data controller or data processor in a third country. The third-country data controller or processor is considered the “data importer”. This situation has created some doubt as to which party is responsible for ensuring the legality of the transfer under the GDPR, particularly where one or more sub-processors are located outside the EU/EEA.


The GDPR stipulates that both parties (whether exporter or importer) are responsible for establishing a legal basis for the transfer.


According to GDPR Article 44, “Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.” The Danish Data Protection Agency interprets this article as imposing an obligation on both the data controller and the data processor. Both parties are therefore obliged to ensure that a transfer basis is provided which is effective in the light of all the circumstances of the transfer.

Under the GDPR, both the controller and the processor are expected to take the necessary measures to establish an appropriate level of security for the data.


Article 32 of the GDPR states that the controller and the processor must establish an appropriate level of processing security. The Danish Data Protection Agency regards both the data controller and any potential data processors as independent subjects with regard to this obligation. This means that the data controller and the data processor are each expected to take the necessary technical and organizational measures to establish an appropriate level of processing security. In cases where the data processor provides most or all of the technical infrastructure, the task of the data controller is to ensure – and be able to demonstrate to the Danish DPA – that the data processor has established a satisfactory level of security for the data being processed.
