Business Legal is a regulatory compliance firm assisting businesses with general regulatory compliance. All businesses are
subject to compliance with Employment Law, Data Protection Law and Health and Safety. In addition, businesses may also be subject to sector specific compliance regulations, such as insurance industry regulations, food standards regulations et cetera.
Business Legal provides expert support and assistance in the 3 main compliance areas of Employment Law, Data Protection Law and Health and Safety Law, and can provide specialist consultants in more specific areas.
SMEs often don’t have an in-house legal function, and to assist in ensuring cost-effective, competent advisers are retained we also provide a General Counsel service to SMEs whereby we source legal services for our clients from niche specialists in each area.
The Public Services Card (PSC)
The Data Protection Commission (DPC) has determined that the PSC may not be used on a mandatory or compulsory basis by government departments other than the Department of Social Protection, which is the Department which issued the card. This means that it is not lawful for a PSC to be demanded in a driving licence or passport application, or any other application to any department other than the Department of Social Protection.
More problematically, the DPC has ordered the destruction of 3.2 million data subjects’ records on the basis that they are no longer required once the primary purpose for gathering that data was achieved, namely the identification of the individual.
The government appears to be inclined to try and retrospectively legislate to legitimise its unlawful actions, rather than to take on board the criticism of data protection practitioners, and the DPC, with regard to its actions over the last number of years. There are very strong legal objections to this approach, as Article 5.1.b of the GDPR requires that personal data be “collected for specified, explicit and legitimate purposes”, and the data has already been collected. Any attempt to retain the personal data held in respect of the PSC, or to retrospectively legitimise its collection, would likely be resisted by recourse to litigation. The DPC has put a 21 day stay on its order for the destruction of the personal data, so we will be reporting on further developments in our September edition of this newsletter.
Privacy Notices/Policies
With the prospect of increased GDPR regulatory activity ahead, it is important for organisations to ensure their Privacy Notices are compliant.
You must provide clear, intelligible and easily accessible information to individuals about the collection and use of their personal data.
This must be provided at the time personal data is obtained from individuals (or within one month when obtained from another source).
The categories of information to be provided include the purposes of processing, the legal basis for processing, the legitimate interest of the company which the company claims legitimises the processing (if applicable), any data sharing, any international transfers, and the data retention periods which apply to each processing.
Working this out, with documentation to meet the requirements of accountability, can be challenging. You may need to refresh data mapping or review justifications for legal basis. Privacy Notices should also align with your Records of Processing Activities (as required by Article 30). You may need more than one Privacy Notice depending on the individuals involved (customers, staff, etc.). Privacy Notices are not a once-off exercise and must be kept under review to reflect processing activities. They are part of your GDPR transparency obligations. It should be transparent to individuals that their personal data is being processed and to what extent.
We can help you with your Privacy Notice, which is the shop window for your organisation.
How do you verify the identity of an individual requesting access to their data or that data be deleted? The Dutch Data Protection Authority, Autoriteit Persoonsgegevens, has provided guidance:
If at all possible, refrain from asking for a copy of a formal ID.
Some alternatives may be:
1. Via an existing login system.
2. A form of two-factor authentication. For example:
• after receiving a request via e-mail request a confirmation by SMS. This mobile number
must then match the customer data from your administration.
• request confirmation of the telephone request by e-mail. This e-mail address must match
the customer data from your administration.
• ask for the last 3 digits of the account number, the date of birth and/or the customer
number for verification.
• ask someone to come by and show you his/her ID proof without making a copy. Note,
however, that this cannot be used to set up a threshold to allow access and should only be
offered as an alternative.
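The two-factor confirmation described above (request received by e-mail, confirmation code sent by SMS to the number already held in your records) and the knowledge-based alternative (last 3 digits of the account number plus date of birth) can be implemented as a small verification flow. This is an added example, not part of the newsletter or of the Dutch DPA guidance; the customer records, phone numbers and the `send_sms` hook are constructed placeholders. The defensive points it shows: the code goes only to contact details already on file (never to a number supplied in the request), the response does not reveal whether an e-mail address is known, and codes are single-use, time-limited, attempt-limited and compared in constant time.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample "administration" (customer records); all values are hypothetical.
CUSTOMERS = {
    "C1001": {"email": "alice@example.com", "phone": "+31600000001",
              "dob": "1985-04-12", "account": "NL91ABNA0417164300"},
    "C1002": {"email": "bob@example.com", "phone": "+31600000002",
              "dob": "1990-11-30", "account": "NL20INGB0001234567"},
}

CODE_TTL_SECONDS = 600   # a code is valid for ten minutes
MAX_ATTEMPTS = 3         # then the challenge is discarded and must be restarted


@dataclass
class Challenge:
    customer_id: str
    code: str
    expires_at: float
    attempts: int = 0


class RequestVerifier:
    """Verifies a data-subject request without collecting a copy of an ID document.

    A request arrives by e-mail; a one-time code is sent by SMS to the phone
    number held in the customer records, so only someone controlling that
    phone can complete the request.
    """

    def __init__(self, customers, send_sms):
        self.customers = customers
        self.send_sms = send_sms      # callable(phone, message); injected so this runs offline
        self.challenges = {}

    def start(self, request_email, now=None):
        """Look the sender up by e-mail and send a code to the phone on file."""
        now = time.time() if now is None else now
        customer_id = next((cid for cid, c in self.customers.items()
                            if c["email"].lower() == request_email.lower()), None)
        challenge_id = secrets.token_urlsafe(16)
        if customer_id is None:
            # Unknown address: still return an opaque id so the reply does not
            # disclose whether the e-mail is on file; confirm() will simply fail.
            return challenge_id
        code = f"{secrets.randbelow(10**6):06d}"
        self.challenges[challenge_id] = Challenge(customer_id, code, now + CODE_TTL_SECONDS)
        self.send_sms(self.customers[customer_id]["phone"],
                      f"Your verification code is {code}")
        return challenge_id

    def confirm(self, challenge_id, submitted_code, now=None):
        """Return the verified customer id, or None if the code is wrong/expired/used."""
        now = time.time() if now is None else now
        ch = self.challenges.get(challenge_id)
        if ch is None:
            return None
        if now > ch.expires_at or ch.attempts >= MAX_ATTEMPTS:
            del self.challenges[challenge_id]
            return None
        ch.attempts += 1
        if hmac.compare_digest(ch.code.encode(), submitted_code.encode()):
            del self.challenges[challenge_id]   # single use
            return ch.customer_id
        return None


def verify_by_knowledge(customers, customer_id, last3_account, dob):
    """Alternative from the guidance: last 3 digits of the account number plus date of birth.

    Both values are checked together in one constant-time comparison so a caller
    cannot learn which of the two was wrong.
    """
    c = customers.get(customer_id)
    if c is None:
        return False
    expected = (c["account"][-3:] + "|" + c["dob"]).encode()
    supplied = (last3_account + "|" + dob).encode()
    return hmac.compare_digest(expected, supplied)
```

In production the `send_sms` callable would be your SMS gateway and the challenge store would be a database or cache with the same expiry; the structure stays the same.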
GDPR fine in Romania
UniCredit Bank was fined €130,000 for not applying adequate technical and organizational measures to protect personal data. Customers’ ID number and address were exposed in bank statements for payments made to other persons. If a customer was transferring funds or making a payment to an account the beneficiary would see this data.
EU Standard Contractual Clauses (SCCs) and EU-US Privacy Shield
The major case of C-311/18 – Data Protection Commissioner (Ireland) v Facebook Ireland Limited & Schrems has now been
heard by the CJEU. At issue is the validity of two key international data transfer mechanisms: the EU Standard Contractual
Clauses (SCCs) and EU-US Privacy Shield, both widely-used mechanisms by EEA businesses to legitimise the transfer of personal data to countries outside the EEA (e.g. the US). A decision is expected on December 19th 2019.
While we can’t pre-empt the decision of the CJEU, if the SCCs and/or Privacy Shield were invalidated that would mean that
businesses that have heretofore been relying on these mechanisms would need to consider alternative mechanisms for trans- ferring their personal data to third countries.
These include:
• Binding Corporate Rules (BCRs)
• Derogations
• Consent
Given the lack of any practical alternatives, should the SCCs and/or Privacy Shield be struck down, the European Data Protection Board will come under significant pressure to allow for some kind of moratorium during which no enforcement action will be taken by a national regulator, as happened previously when the precursor to Privacy Shield (Safe Harbour) was deemed invalid.
• educate senior management on the implications of a
declaration of invalidity;
• analyse data flows outside the EEA, what mechanism(s)
underpin these transfers and how important these
transfers are;
• assess the potential impact of having to stop transferring
data abroad and how any fall out may be mitigated. E.g
cease certain data processing activities or cross-border
transfers, bring the personal data back into the EEA or
continue processing outside of the EEA;
How should companies plan for BREXIT?
If Brexit proceeds on the 31st October next the UK will become a third country, and it (and by extension its companies processing data in the UK) will no longer be considered a safe destination for EU personal data.
Although the UK has passed a Data Protection Act 2018, with roughly equivalent provisions to the GDPR, in the absence of a Withdrawal Agreement being concluded between the EU and the UK the transition from being a member of the EU to being an unsafe third-country destination for EU personal data will be immediate.
Existing contractual provisions between controllers based in the EU, and processors based in the UK.
Currently, when a controller based in the EU (including in the UK) proposes to retain a processor based in the UK, they are required to put in place an agreement complying with Article 28.3 of the GDPR (often called a controller-processor agreement). This requirement will remain, but it will become more important, as the UK will now be considered an unsafe third-country destination for EU personal data.
In addition, however, the EU-based controller will have to legitimise the transfer of personal data from the EU to the UK.
There are a number of ways of doing this, but the most common, and most practically useful, method is the execution of Standard Contractual Clauses (SCCs), often also called Model Clauses.
In simple terms, every EU-based controller who has a UK based processor will have to ensure that, in addition to a controller-processor contract, they also have in place a Model Clause contract between themselves and that UK based processor.
This is not as simple as it sounds, as processors often refuse to sign controller-processor contracts or Model Clause contracts. In the absence of both these agreements being signed, the controller has no legal option but to sever the relationship with the processor. This can create contractual difficulties in itself, as there can be contractual or statutory consequences from terminating the contract with the processor.
Article 27 Representatives
In circumstances where a UK based company is targeting EU residents for the offering of goods or services, or is monitoring the behaviour of EU-based residents, such as behavioural advertising, then it will be subject to the EU GDPR, and will have to appoint an EU-based representative in accordance with Article 27 of the GDPR. Business Legal can assist with the provision of a specialist Article 27 Representative service, with specific Article 27 Representative liability insurance.
UK arrangements are similar
The UK has put in place similar provisions with regard to the transfer of UK data to third countries, and there are requirements for third-country based controllers and processors to have a UK Representative appointed.
Miscellaneous
In circumstances where a UK company is the lead controller for a group of companies, then it will be necessary for an alternative group company in an EU jurisdiction to take over this role.