Europe’s General Data Protection Regulation (GDPR) comes into effect on May 25, 2018 in the European Union (EU). The regulation is well known for its strict rules on the protection of the personal data of natural persons, and especially for the large fines it introduces in case of non-compliance.
Infringements are subject to administrative fines of up to 20,000,000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
A. When does the GDPR affect non-EU companies?
The GDPR does not only affect organizations located within the European Union. In keeping with its aim of protecting the personal data of data subjects as a fundamental right, and in light of an increasingly global and interconnected world, its territorial scope was set much broader.
There are three cases of global activity that make non-EU organizations subject to the GDPR:
1. Data processing in the context of the activities of an establishment of a controller or a processor in the EU
Establishment implies the effective and real exercise of activity through stable arrangements. The mere presence of a single representative within the EU can be sufficient to constitute an establishment, provided there is a certain degree of stability.
The incorporation or legal form of such arrangements is not a determining factor.
If data of EU data subjects is processed while the organization has an establishment in the EU, the GDPR applies regardless of whether the processing itself takes place in the EU.
If a Taiwanese company has a subsidiary or an office on the soil of an EU member state, this subsidiary or office will likely be considered an establishment within the EU. Any processing of personal data of data subjects, even outside the EU, that is related to this establishment falls within the scope of the GDPR.
2. Data processing by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services to data subjects in the Union
Contrary to the first case, no establishment within the EU is needed here. The GDPR nevertheless applies, and particularly affects companies that offer goods or services online (even if they are free of charge).
Aspects such as the language of a website, the currency used in the offer of goods or services, or any mention of customers or users in the EU within an offer indicate that European residents are targeted by that offer.
The mere accessibility of a website, or the use of languages that are also spoken outside the EU (such as English), is not sufficient to show that Europeans are a target group of that site.
Suppose a Taiwanese company has a website that provides the following:
option to pay in euro
price list in euro or Hungarian forint
option to view the website in European languages such as German or Swedish
hotline with EU telephone numbers
use of an EU top-level domain name
discounts for specific groups (e.g. members of European organizations)
These examples are likely to indicate that EU data subjects are targeted, and consequently the GDPR will apply.
3. Data processing by a controller or processor not established in the Union, where the processing activities are related to the monitoring of EU data subjects’ behavior
In order to determine whether a processing activity can be considered to monitor the behavior of data subjects, it should be ascertained whether natural persons are tracked on the internet, including the potential subsequent use of processing techniques that consist of profiling a natural person, particularly in order to take decisions concerning him or her or to analyse or predict his or her personal preferences, behaviors and attitudes.
The scope of this rule is limited to behavior that takes place within the EU. Monitoring the behavior of EU data subjects while they are, for example, living or traveling in Taiwan does not fall within the scope of the GDPR.
A Taiwanese company monitors EU data subjects’ behavior in cases such as:
online behavioral advertising
profiling and scoring for purposes of risk assessment (e.g. credit scoring, setting of insurance premiums, fraud prevention, detection of money laundering)
location tracking, for example by mobile apps
monitoring of wellness, fitness and health data via wearable devices
These examples are likely to indicate that EU data subjects are monitored, and consequently the GDPR will apply.
B. General obligations
In accordance with the GDPR, controllers and processors have the following main obligations:
have a legal basis (such as the data subject’s consent) for the processing of personal data; the purpose of the processing shall be determined within that legal basis.
collect and process personal data only for lawful purposes, bearing in mind the general purpose limitation rule.
implement appropriate technical and organizational measures (such as pseudonymisation and encryption of data) to ensure a level of security appropriate to the processing (the required level depends on the outcome of a risk/impact assessment).
go through a due diligence procedure when designating a processor.
carry out a privacy impact assessment of the envisaged processing operations on the protection of personal data prior to the processing, if the processing is likely to result in a high risk to the rights and freedoms of natural persons.
designate a data protection officer (compulsory in most cases).
implement appropriate measures to mitigate risk and consult the supervisory authority prior to processing, if the impact assessment indicates a high risk to personal data.
maintain records of processing activities (which have to include specific information), with an exception for certain SMEs (small and medium-sized enterprises).
report data breaches to the supervisory authority within 72 hours.
report data breaches (in most cases) to the affected data subjects without undue delay.
C. Special obligations for processors/controllers without an establishment within the EU
In both of the cases above without an EU establishment (cases A.2 and A.3), the controller or the processor shall designate in writing a representative in the EU.
There are a few exceptions to this general rule. For example, no representative is needed if the processing is only occasional and does not include, on a large scale, the processing of special categories of sensitive data (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, sexual orientation, etc.).
The representative shall be established in one of the Member States where the data subjects whose personal data are processed are located. The representative functions in particular as a contact person for supervisory authorities and acts on behalf of the controller/processor. The designation of such a representative does not affect the responsibility or liability of the controller/processor under the GDPR.
D. Cross-border data transfers
Any transfer of personal data that is undergoing processing or is intended for processing after transfer to a third country, including onward transfers from that third country to another third country, must comply with the GDPR at all times. This rule also applies to transfers of personal data within a group of undertakings.
Taiwan has not yet been designated by the Commission as a third country that ensures an adequate level of protection for transferred data. Therefore, a controller or processor may transfer personal data to such a third country only if appropriate safeguards are provided and enforceable data subject rights and effective legal remedies for data subjects are available. Safeguards that can be implemented are:
binding corporate rules, after approval by the competent supervisory authority
standard data protection clauses adopted by the Commission in accordance with a specific examination procedure
an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply appropriate safeguards and respect data subjects’ rights
an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply appropriate safeguards and respect data subjects’ rights
E. What do you need to do to get ready?
As the deadline approaches, it is crucial to start implementing GDPR-compliant policies. Make sure to check the following points:
Is my company within the scope of the GDPR?
Is our ongoing data processing fair, lawful and permitted?
Have we already adopted sufficient privacy policies?
Have we appointed a data protection officer yet?
Do we need to appoint a representative within the EU?
How will we respond to data subjects’ requests, given that our response time will be very limited?
How will we proceed regarding risk assessments?
How can we reduce or remediate security risks?
For which processing operations do I need to carry out an impact assessment, and how will I do that?
Will I draw up a code of conduct or seek certification?
Disclaimer: all information enclosed herein shall not be interpreted as a legal opinion, but is intended only to provide general information to its intended recipients. It shall not be used to create any legal effect without consulting a legal professional. Any use contrary to these guidelines shall not bind the author(s) of this presentation in any way.
Copyright 2018. All rights reserved.