The Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”) which entered into force in May 2018 provides for the possibility for the EU Member States to adopt additional rules and provisions with respect to certain specific matters. In that respect the Luxembourg legislator has adopted the Law of 1 August 2018 on the organisation of the Commission Nationale pour la Protection des Données and the general data protection regime, meaning Luxembourg complements GDPR with its new Law.
The Luxembourg GDPR Law (i) provides for more details about the mission, procedure and competences (including regarding sanction powers) of the CNPD in its capacity as national supervisory authority, as well as provisions on its internal organisation and (ii) introduces provisions regarding certain specific processing situations, in particular with respect to:
Processing and freedom of expression and information where Luxembourg applies an exception for personal data processing for journalistic purposes and the purposes of academic, artistic or literary expression.
Processing for scientific or historical research purposes or for statistical purposes. The Luxembourg GDPR Law provides that where the controller implements appropriate additional measures to ensure the safeguarding of the rights and freedoms of the data subject, it may process special categories of data in the context of Article 9(2)(j) of the GDPR and may derogate from certain rights of the data subject if such rights would prevent or seriously hinder the achievement of the research project. The Law provides a list of the appropriate additional measures.
Processing of genetic data for the purpose of exercising the rights of the controller in respect of labour law and insurance. The Law prohibits such processing.
Processing in the context of employment. The Law amends the current provisions of the Labour Code regarding processing of personal data for monitoring purposes and introduces a prior mandatory information procedure to be completed by the employer towards the staff representative bodies or other competent bodies. The staff delegation or employees can request the prior opinion of the CNPD on the conformity of the intended processing for monitoring purposes. The Law also provides that employees may lodge a complaint before the CNPD in relation to the proposed monitoring.
The provisions introduced in relation to specific processing situations (see (ii) above) are only applicable to controllers and processors established on Luxembourg territory.
A new Royal Decree-Law on Data Protection has been approved in Spain as part of the GDPR adaptation process. A Royal Decree-Law is a legal rule having the force of a law in the Spanish legal system. This is an important regulatory measure for Privacy in the country since currently, GDPR coexists with the previous and still applicable national data protection law (“Ley Orgánica de Protección de Datos” – “LOPD”); both laws are valid but they contradict each other at some points, which results in difficult situations to resolve, even though GDPR prevails over LOPD in the event of a conflict between them.
The Royal Decree-Law (“RDL 5/2018”) does not cover the whole GDPR; it only standardises the following subjects:
Chapter I. Investigatory powers of the national supervisory authority (“Agencia Española de Protección de Datos” – “AEPD”) and the rules related to joint operations of supervisory authorities.
Chapter II. Conditions for imposing administrative fines, especially:
– Subjects responsible for infraction: controllers, processors, representatives in the EU of non-EU controllers and processors, certification entities and entities supervising codes of conduct. It states that the data protection officer shall not be responsible.
– Limitation periods for infractions: three years for infringements of article 83.5 and 83.6 GDPR (20.000.000 EUR / 4% of the total worldwide annual turnover of the preceding financial year) and two years for infringement of article 85.4 GDPR (10.000.000 EUR / 2% of the total worldwide annual turnover of the preceding financial year).
– Limitation periods for paying fines (one year up to €40 000, two years from €40 001 to €300 000, three years over that amount).
Chapter III. Conditions for preliminary investigation.
– Procedures where data subjects’ rights are involved (Articles 15-22 GDPR) shall be settled in six months; the principle of Positive Administrative Silence applies here.
– Procedures related to GDPR infraction shall be settled in nine months.
Provisions that may conflict with the terms of the new RDL 5/2018 are declared no longer in force (especially, articles of LOPD related to investigatory powers and the rules for imposing fines and penalties).
The Royal Decree-Law will be in force until the new Spanish Data Protection Act is declared, which is expected to happen at the end of 2018 or the beginning of 2019. In this regard, it is relevant to note that privacy is a constitutional right in Spain, which means that the new Spanish Data Protection Act requires special majorities inside the Parliament and a lengthy passing process.
“GDPR deadline” is on 24th May at midnight. Anyone promising GDPR compliance to businesses who start their adaptation process now is likely to be selling them snake oil. But embarking on a serious journey of GDPR compliance is still indispensable – no matter how late one begins it.
During the last year or so, I have been continuously amazed by the imagination of GDPR ‘snake oil’ vendors. We have all been harassed by various ‘tools’ to obtain email consent from your email database of questionable origin (yes – the ICO recently ruled that sending emails to obtain direct marketing consent already constitutes direct marketing, but not as if snake oil vendors ever cared much about empirical evidence). Then we’ve had various ‘GDPR practitioners’ with little understanding of European privacy law (or law in general) proclaiming ‘double opt-in’ as ‘the only way’ to obtain valid GDPR consent.
This type of ‘advice’ neither makes life easier for businesses nor increases privacy standards: while depriving businesses of their right to rely on ‘soft opt-in’ for past purchases based on ePrivacy Directive that will continue to apply after 24th May, a flood of ‘opt-in’ emails hardly complies with the individuals’ ‘right to be left alone’.
It is not going away
Thinking all this would go away as the GDPR deadline approaches would miss the point. Many businesses have not started early enough to be compliant in time. Even businesses who have been preparing for months or even years may find some aspects of GDPR overwhelming considering the complexity of their operations. But as the GDPR panic escalates, the demand for ‘miracle drugs’ increases. And of course, if we cannot be compliant by 25th May, why even bother? Correct?
Not quite. Whereas I refuse to speculate about the ICO and other European data protection authorities taking a holiday right after the GDPR deadline, businesses will have to comply to avoid unwanted consequences, sooner or later. Of course, a decision to embark on the compliance journey at a later stage increases the risk of privacy breaches – and paying fines of up to 4% of the company’s global annual turnover. So if you start now, you are highly unlikely to be able to complete the adaptation before the GDPR deadline. But you must start.
The answer to the question ‘do I need a Data Protection Officer under GDPR?’ is not always straightforward. Here are some tips you can use in order to reach a valid decision on appointing a DPO.
Formal Data Protection Officer or informal Data Protection Adviser?
The question ‘do I need a Data Protection Officer?’ comprises a strictly legal component according to GDPR criteria and a less formal component, i.e. would it be wise for a company like mine to have a Data Protection Officer (or a regular privacy adviser)? If you find that the GDPR and the WP29 Guidelines on Data Protection Officers do not provide a clear answer and that your business model is largely based on processing data about people, you cannot go wrong by appointing a DPO. The truth is, you will require a credible, independent privacy adviser anyway – so giving them the DPO status will be an easy additional step.
Do I engage in ‘regular and systematic monitoring’?
Many businesses we interact with grapple with the GDPR criterion of ‘regular and systematic monitoring’ as part of the company’s core activities, on a large scale. Businesses sometimes suggest using the criterion as an escape clause: we are processing personal data but do not engage in ‘regular and systematic monitoring’. But is that correct?
WP29 interprets this criterion broadly: providing a telecommunications network or service; email retargeting; profiling and scoring for purposes of risk assessment e.g. in relation to insurance; location tracking, for example, by mobile apps; loyalty programs; behavioural advertising; monitoring of wellness, fitness and health data via wearable devices; closed circuit television; providing connected devices e.g. smart meters, smart cars, home automation etc. The list may seem limited at first glance but a closer look reveals a few common approaches to doing business.
Behavioural advertising and location-based services are often an integral part of web- and app-based services. Loyalty programs are regularly found both online and offline. IoT features are becoming more and more common.
Is it ‘large scale’?
In order to assess this criterion, WP29 suggests one should consider not only the number of data subjects concerned – either as a specific number or as a proportion of the relevant population – but also the volume of data and/or the range of different data items being processed, the duration, or permanence, of the data processing activity, and the geographical extent of the processing activity. WP29 further gives a neat comparison of a hospital as opposed to an individual GP or dentist to differentiate between ‘large scale’ and ‘small scale’.
An extra tip may be that every retail online business needs ‘large scale’ to survive, so if you are not ‘large scale’ now, you definitely aspire to be. And once you reach that point, ensuring GDPR compliance may be more difficult than it is on a small scale. When it comes to compliance, greenfield is easier than brownfield, so getting a credible privacy adviser or DPO soon may save you a lot of frustration and money.