New Data Protection Obligations

Following the adoption of the new EU General Data Protection Regulation (GDPR) on 27 April 2016, most organisations began the process of re-examining their internal processes and procedures in order to ensure compliance with the new requirements before its entry into force in May 2018.

To assist you in this task, we have identified 10 hot topics which should be handled in priority. We propose to present each of these points of attention separately in a newsflash to be published every two weeks, where we will provide you with practical hints to prepare efficiently.

In this issue, we will discuss the expanded territorial reach of the GDPR, as well as the introduction of the one-stop-shop mechanism.

Although a greater number of businesses, established or not in the EU,  will fall within the scope of the newly adopted GDPR, groups of undertakings carrying out multi-jurisdictional data processing should see their administrative burden reduced by the means of the introduction of a one-stop-shop mechanism.

An extended scope 

The GDPR clearly aims to extend the reach of the EU data protection framework compared to the actual scope set out under Directive 95/46/EC. Indeed, the current EU legislation only applies to the processing of personal data by data controllers established in the EU and data controllers established outside the EU using processing resources (such as technical means) located in the EU.

With the adoption of the GDPR, EU data protection rules will not only apply to (i) the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not, but also (ii) to both data controllers and data processors that are not established in the EU but process personal data of data subjects residing in the EU, where the processing activities relate to the offering of goods or services to or monitoring of behavior of EU data subjects.

Concerned non-EU companies will have to comply with the new EU data protection rules. For example, an e-commerce company based in the US and targeting EU consumers (i.e. offering its services to EU residents) will now be subject to the provisions of the GDPR.

As a result, organisations without an EU presence, but targeting EU individuals, should understand the impact of the GDPR and determine an approach to ensure compliance.

Introduction of a one-stop-shop mechanism

Competencies of the various national supervisory authorities.- National data protection authorities (DPAs) will continue to be competent for processing:

  • carried out in the context of activities of an establishment of a controller or processor on its territory;
  • which affects data subjects on its territory; or
  • carried out by a controller or processor not established in the EU but targeting data subjects on its territory.

Lead supervisory authority.- In cases of cross-border processing in the EU, the GDPR created a “one-stop-shop” system whereby an organisation will only have to deal with one lead supervisory authority in the EU in the country where it has its main establishment.
There is cross-border processing where:

  • the data processing takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; and
  • the data processing takes place in the context of the activities of a single establishment of a controller or processor in the EU but substantially affects or is likely to substantially affect data subjects in more than one Member State.

By way of derogation, each national DPA will still be competent to handle a complaint lodged with it or a possible infringement of the GDPR if the subject matter relates only to an establishment in its Member state or substantially affects data subjects only in its Member state.

On 13 December 2016, the Article 29 Data Protection Working Party (WP29) has issued guidance on how to identify a controller or processor’s lead supervisory authority, in which it provides indications on how to interpret some essential notions such as the concept of “main establishment”. Indeed, where processing is carried out by a group of undertakings that has its headquarters in the EU, the principle is that the place of the central administration of that organisation will be considered as its main establishment. However, if another establishment (i) takes the decisions about the purposes and means of the processing and (ii) has the power to have such decisions implemented, it will be considered, under the GDPR, as the main establishment.

The WP29 has drawn up a non-exhaustive list of criteria, which may be useful for determining the location of a controller’s main establishment (i.e. location where decisions are made about the business activities that involve data processing, where the power to implement such decisions effectively lies, where the director with overall management responsibility for the cross-border processing is located, etc.).

It is up to data controllers and processors to establish clearly where decisions on the purposes and means of personal data processing activities are being made.

Co-operation mechanism.- The new mechanism will allow data controllers and data processors to interact with a single lead data protection authority. However, the lead supervisory authority may have to cooperate with other “concerned” national DPAs, namely when data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing, or a complaint has been lodged directly with that supervisory authority.

The EDPB.- The WP29, will be replaced by the European Data Protection Board (EDPB), which will similarly be made up of the heads of national DPAs (or their representatives) and the European Data Protection Supervisor.

The one-stop-shop principle was one of the key elements of the Commission’s initial proposal for Regulation, aiming to ensure consistent interpretation and application of the EU data protection legislation while providing an effective local channel for complaints.

As a first step, entities should now refer to the above check list in order to assess whether the GDPR will have an impact on their business and whether they will have to adapt their internal organisation and processes to be compliant with new requirements that will be detailed in the coming issues of this Newsflash.