GDPR-CARPA certification mechanism adopted by CNPD

Luxembourg has adopted the GDPR-CARPA certification mechanism, becoming the first country to introduce a certification mechanism under the GDPR.

The National Data Protection Commission of Luxembourg (CNPD) adopted its GDPR-CARPA (Certified Assurance-Report based Processing Activities) certification mechanism last month. It is the first certification mechanism under the GDPR to be adopted, whether at national or at European level. Companies and other organisations established in Luxembourg now have the opportunity to demonstrate that their data processing activities comply with the GDPR, which gives controllers and processors a high level of assurance of compliance for the processing activities covered by the certification. Note that the mechanism does not certify an organisation as such, but only specific processing operations.

The certification in personal data protection was developed with the help of professional auditors and was also reviewed by the EDPB.

The CNPD, as owner of this certification mechanism, will accredit the entities that will issue the GDPR certification. The accreditation criteria were developed by the CNPD following numerous exchanges with audit professionals since the GDPR came into effect in 2018. The accreditation is based on ISAE 3000 (assurance engagements), ISQC 1 (quality control for firms performing assurance engagements) and ISO/IEC 17065 (requirements for bodies certifying products, processes and services). The accreditation criteria set out the work expected of the certification body and of the professional auditors. After the CNPD released the first version of this certification mechanism, the other European data protection authorities examined the criteria under the consistency mechanism and the EDPB issued a formal opinion on GDPR-CARPA. More generally, the CNPD has been a driving force behind the progress made by the EDPB in the field of certification, acting as rapporteur for the adopted guidance or assisting the EDPB in issuing formal opinions on this novel subject.

The implementation of the GDPR-CARPA certification mechanism will help build trust in the processing of the personal data covered by this mechanism.

The implementation of a certification mechanism can help promote transparency and compliance with the GDPR. It can also reassure data subjects about the degree of protection offered by the products, services, processes or systems used or offered by the organisations that process their personal data. A unique feature of the CNPD certification mechanism is that it is based on an ISAE 3000 Type 2 report, in which the auditor formally takes responsibility for its opinion on the design and operating effectiveness of the controls over the period reviewed (a Type 1 report, by contrast, only covers their design at a single point in time). This offers a high level of assurance, which is key to building the trust of the relevant actors and data subjects in the processing of any personal data covered by this certification scheme.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Data sharing for charities: guidance from CNIL

CNIL recently published guidance relating to data sharing for charities for the purposes of prospecting.

CNIL recently published guidance on data sharing by charities for the purposes of prospecting. According to CNIL, these guidelines are aimed at any association or foundation appealing to the generosity of the public to receive donations which wishes to pass on the data files of its donors or contacts for the purposes of charitable or commercial prospecting. The applicable rules vary slightly depending on the objective of the reuse of the data, that is, whether it is for charitable canvassing or for commercial canvassing. The guidance is also aimed at commercial companies that sell or rent prospect files to charities for charitable prospecting.

Organisations collecting prospect data must inform data subjects that their data may be transferred to other organisations for charitable prospecting.

The rules applied to prospecting for charitable purposes are somewhat less strict than those governing commercial prospecting. An organisation may transmit the data of its donors or contacts to another organisation for charitable prospecting purposes, subject to basic conditions under the GDPR. This prospecting may be done by post, by telephone or electronically; electronic prospecting includes SMS, e-mail and automated calls. Under the GDPR, the data subjects concerned (donors or contacts) must have been informed, at the time their data was first collected by the association that collected it and is now passing it on, that the data would be used for charitable prospecting purposes. Data subjects must, at that same time, be informed of the possible transmission of their data to partners for charitable prospecting purposes.

Data subjects must consent to the use of their data for commercial prospecting at the time their data is collected.

In some cases, an association or foundation appealing to the generosity of the public may wish to transmit the data of its prospects to another organisation for the purposes of commercial prospecting. In these instances, the prospects must have given their explicit consent, at the time their contact details were collected, to the use of their data specifically for commercial prospecting. In addition, prospects or donors must be able to object to either of these uses in advance, in a simple and free manner: for example, it should be as easy as ticking a box made available to them when the data is collected. They must also be able to withdraw consent at any time, in particular during each contact.

An organisation receiving the data of prospects or donors becomes the controller for that data and must comply with the GDPR obligations that govern it.

Once an organisation has received the data of donors or contacts from the organisation that collected it, the receiving organisation becomes the controller for that data and must comply with the GDPR obligations that govern it. It must provide the data subject with all relevant information, at the very latest at the time of its first communication with them. This includes, in particular, the source from which their personal data was obtained, as well as all other information required under Article 14 of the GDPR (which applies where the data was not obtained from the data subject directly). At this first contact, as well as at each new solicitation, the data subject must be able to easily opt out of being contacted again.

New agreement on EU-US data transfers

For companies which depend on cross-border data transfers, some much-needed relief may come in the form of a new agreement on EU-US data transfers.

The European Union and the US recently announced that they had reached an agreement "in principle" on a new framework for cross-border data transfers. This is expected to bring some much-needed relief to tech giants like Meta and Google, which have been severely affected by the invalidation of the Privacy Shield in July 2020. Several companies have faced legal issues over EU-US data transfers and have had to find alternative ways of doing business which do not require such transfers; this was easier for some companies than for others. One in particular, Meta (formerly Facebook), recently went as far as considering shutting down its operations in Europe in the absence of a framework for cross-border data transfers. The new agreement is expected to make a major difference for these companies. It will "enable predictable and trustworthy data flows between the EU and US, safeguarding privacy and civil liberties," Ursula von der Leyen, President of the European Commission, said recently.

EU and US officials have been trying to find an appropriate replacement framework since the invalidation of the Privacy Shield in 2020.

Since the invalidation of the Privacy Shield in July 2020, Facebook and the other companies that had relied on the mechanism for their EU-US data flows have struggled to adapt their business operations to the resulting restrictions. The CJEU ruled in favour of Max Schrems, a privacy activist who argued that the framework then in force did not protect Europeans from US surveillance. Since then, officials on both sides of the Atlantic have been trying to negotiate a new deal to replace the Privacy Shield, which had allowed firms to transfer data from the EU to the US.

This development will likely bring much-needed relief to the large tech companies which have faced legal issues since the invalidation of the Privacy Shield almost two years ago.

News of the agreement will undoubtedly be welcomed by tech giants like Meta and Google, which have been gravely affected by the invalidation of the Privacy Shield. Companies were being urged to find alternatives to Google Analytics, while Meta considered pulling Facebook and Instagram out of Europe. Meta's president of global affairs, Nick Clegg, said the deal "will provide invaluable certainty for American & European companies of all sizes, including Meta, who rely on transferring data quickly and safely." He took to Twitter, stating that "With concern growing about the global internet fragmenting, this agreement will help keep people connected and services running." In addition, Google's president of global affairs, Kent Walker, was quoted in a recent report from CNBC as saying, "People want to be able to use digital services from anywhere in the world and know that their information is safe and protected when they communicate across borders." He went on to say, "We commend the work done by the European Commission and U.S. government to agree on a new EU-U.S. framework and safeguard transatlantic data transfers."

Max Schrems, the Austrian privacy activist who originally challenged the level of protection provided by the previous frameworks, says he is prepared to challenge any shortcomings in the new agreement as well.

Many observers believe it is too early to say whether the new agreement will stand the test of time. The Privacy Shield, which itself replaced Safe Harbor, an earlier EU-US data pact, was found to offer insufficient protection, was challenged and was ultimately invalidated. Schrems, who was instrumental in challenging both Safe Harbor and the Privacy Shield, said that he expects the "final text" of the new agreement to take more time to come together. However, he added that he is prepared to challenge it as well "if it is not in line with EU law." According to Schrems, "In the end, the [EU] Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision."

"While this is a most long-awaited update and a significant step forward, businesses should not forget that there is no agreement officially approved yet, therefore a valid mechanism under the GDPR/UK GDPR such as the Standard Contractual Clauses and a Data Transfer Impact Assessment are still required for any data transfers to the US, as is the case with data transfers to any other third country," points out Cristina Contero Almagro, Partner at Aphaia.

Does your company rely on the transfer of personal data to third countries? Aphaia can help. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, data transfer impact assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Stop using Google Analytics: CNIL gives formal notice to website managers

CNIL has given formal notice to website managers to come into compliance and stop using Google Analytics, on the grounds that it involves unlawful EU-US data transfers.

CNIL has joined several other EU supervisory authorities in ordering website managers to stop using Google Analytics. Following a series of complaints filed by NOYB against a total of 101 companies across the EU and EEA, the use of Google Analytics was found to violate the GDPR as interpreted by the CJEU in the Schrems II judgment. The service is commonly used by website owners for visitor traffic statistics; however, it assigns each visitor a unique identifier, which constitutes personal data, and that data is then transferred to Google in the US. Data transferred to the US is currently still not considered adequately protected, and CNIL has therefore given website managers formal notice to stop using Google Analytics, according to this recent report.

EU-US data transfers are currently unlawful unless appropriate safeguards are in place, since the Privacy Shield was invalidated by the Schrems II judgment.

In the Schrems II judgment, the CJEU highlighted the risk that US intelligence services could access personal data transferred to the United States if such transfers were not properly supervised. Since then, companies and organisations across the EU have been ordered to stop using various US services, one of which is Google Analytics. In a recent blog post, we covered a sanction imposed on the European Parliament by the EDPS for its use of Google Analytics. CNIL, in its recent report, stated that in total 101 complaints were filed by NOYB across the 27 Member States of the European Union and the three other States of the European Economic Area (EEA) over alleged data transfers to the US.

CNIL reiterates that, in the absence of an adequacy decision, EU-US transfers are not sufficiently protected.

The CNIL has found that the personal data of Internet users transferred to the United States in this way is transferred in violation of Article 44 of the GDPR. Article 44 sets out the general principle for transfers to third countries: certain conditions must be met so that the level of protection guaranteed by the GDPR is not undermined. In the absence of an adequacy decision for the US, data transferred from the EU to the US is not considered adequately protected unless the exporter can put in place appropriate safeguards and supplementary measures that are actually effective. Because US law allows US intelligence services to access this data, and the measures offered by Google were not found sufficient to prevent this, these transfers are considered unsafe and therefore unlawful under the GDPR.