
Schrems II implications easily explained: summary flowchart

In last week's pills I shared the full Schrems II decision, which invalidates the #PrivacyShield.

The judgment has important implications for companies transferring data outside the EU, and potentially for service contracts with non-EU suppliers, in particular contracts for the provision of IT services which allow suppliers' staff outside Europe to access the data, even if it is hosted in databases within European territory.

However, since many struggle to find their way through the 63 pages of the CJEU decision to identify the actual consequences for their contracts and what happens to the Standard Contractual Clauses (SCC) they have in place, here's a concise #flowchart which answers some of the key FAQs on Schrems II implications.

Shoot me a message for the PDF file.

This is just an example of how legal concepts can be made easy, and, as always, make sure to consult your legal advisor to have the full picture.
You can access the full Supervisory Authority FAQs which I used as source here.

We have already been kept really busy this week, and another hot topic we tackled is whether access from foreign personnel to EU databases constitutes a data transfer.

To help organizations identify and manage the privacy risks associated with the transfer of personal data regulated by the GDPR to third countries that do not benefit from an adequacy decision by the European Commission, the law firm I work with has developed an ad-hoc methodology, aligned with the requirements of European legislation following the Schrems II judgment. The methodology gives exporters and importers of data a basis to assess safeguard measures, taking into account a number of factors, in order to calculate the level of risk of each transfer, and to provide an accurate, consistent, verifiable and defensible basis to support a case-by-case decision to proceed with or continue a given transfer. Contact me if you wish to know more.

Get ready to negotiate with your non-EU counter-parties.


Privacy Shield cracked

Today, 16 July 2020, following the complaint issued by Maximillian Schrems regarding Facebook's transfer of personal data from the EU to the US, and the judicial follow-up, the EU Court of Justice issued a decision invalidating the Privacy Shield. That data transfer mechanism was put in place to provide companies on both sides of the Atlantic with a way to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.

However, the Commission decision which enabled that mechanism (Decision 2016/1250) has been declared no longer valid by the EU Court of Justice (CURIA).

Why the Shield was cracked

According to the Court:

  • the requirements laid down by the GDPR for personal data transfers concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR;
  • the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country;
  • in this respect the Court noted that the limitations on the protection of personal data arising from the domestic law of the United States on the access to and use by US public authorities of data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements essentially equivalent to those required under EU law by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.

Are Standard Contractual Clauses still valid?

The Court also examined the validity of Decision 2010/87 establishing the Standard Contractual Clauses, an alternative safeguard for enabling third-country data transfers.

The validity of the SCCs, according to the Court, depends on whether effective mechanisms can be adopted that make it possible, in practice, to ensure compliance with the level of protection required by EU law, and that transfers of personal data pursuant to such clauses are suspended or prohibited in the event of a breach of such clauses or of it being impossible to honour them.

The Court points out, in particular, that the decision imposes an obligation on the data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned, and that the decision requires the recipient to inform the data exporter of any inability to comply with the standard data protection clauses, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former.

What can Supervisory Authorities do now?

The decision stresses that competent supervisory authorities are required to suspend or prohibit a transfer of personal data to a third country where they take the view, in the light of all the circumstances of that transfer, that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means, where the data exporter established in the EU has not itself suspended or put an end to such a transfer.

What can you do?

If your company (directly or via its outsourcers) transfers personal data to the US, there are different options to consider: first, alternative appropriate safeguards under Article 46 of the GDPR to guarantee a safe data transfer; second, reviewing your Data Processing Agreements with processors who happen to transfer data to the United States; third, reviewing the content of your privacy notices to align them with your new structure; and finally, consider moving some services within the EU.

For more info on HOW TO ADAPT DATA TRANSFERS AFTER PRIVACY SHIELD INVALIDATION drop me a line via Twitter, Fb or Telegram.

If you think this information is valuable, share it on your #SocialMedia. Be Influent!

Also don't miss our Telegram channel @TechnoLawgy for the latest #Privacy and #LegalTech news!


Email sent to wrong recipient? Avoid getting fined

Sending an email to the wrong recipient can trigger privacy risks, and even sanctions, especially if the email contained attachments or other content with personal data. Here's a brief analysis of how to limit the risk of sanctions and avoid getting fined in case of an email sent to the wrong recipient.

Recent cases

On 21.05.2020 the Data Protection Supervisory Authority of Romania (ANSPDCP) finalized an investigation concerning an energy operator who accidentally sent an email containing a customer's personal data to the wrong recipient, and found that it had violated the provisions of art. 32 of the GDPR regarding the security of processing.

The operator was sanctioned with a fine of 19,368.4 lei, the equivalent of 4,000 EUR.

The investigation was initiated as a result of a complaint issued by a customer who had been informed by the data controller of the violation of the security and confidentiality of his personal data. The company had accidentally transmitted, via email, the personal data of a client (name and surname, address, e-mail address, client code and eneltel code) to another client, who was not entitled to receive such information.

During the investigation, the National Supervisory Authority found that the operator had not taken sufficient security and confidentiality measures to prevent the accidental disclosure of personal data to unauthorized persons, violating the provisions of art. 32 of the GDPR.

The operator was therefore sanctioned because it did not implement adequate technical and organizational measures to ensure a level of security corresponding to the risk of the processing, generated in particular by the unauthorized disclosure of, or unauthorized access to, personal data.

At the same time, a corrective measure was applied to the operator Enel Energie Muntenia SA, according to the provisions of art. 58 paragraph (2) i) of the GDPR.

Thus, the operator was obliged to implement the appropriate and adequate security measures, both technical and organizational, within 30 working days of the communication.

Prevention & Remediation measures

Sending an email to the wrong recipient is one of the most frequent causes of data breaches, hence chances are it may happen to you too. So here's a list of suggestions regarding safeguards to prevent the error, and to limit its risks in case it happens.

1: Technical security measures

  • Recall the email: yes, in theory you can do that if you instantly become aware of the mistake; however, depending on the timing of the discovery and on the conditions and procedures of the different email service providers, you may actually not be able to avoid your message getting (wrongfully) delivered. In case you wish to give it a try, here's a how-to guide. PROS: easy, generally free. CONS: might not be effective.
  • Adopt data loss prevention software. Seriously, do it. Although not specifically aimed at preventing material errors by the sender, data loss prevention software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage). It can feature advanced security measures which employ machine learning and temporal reasoning algorithms to detect abnormal access to data (e.g., databases or information retrieval systems) or abnormal email exchanges, honeypots for detecting authorized personnel with malicious intentions, activity-based verification (e.g., recognition of keystroke dynamics) and user activity monitoring for detecting abnormal data access. It becomes particularly useful if the breach is not the consequence of a mere error. PROS: effective technology. CONS: cannot prevent material errors, expensive.
  • Avoid including personal data in the body of the message and encrypt attachments, then send the decryption password through a different email (making the same mistake twice can happen, though it is less probable) or a different channel (e.g. SMS message, in-app notification). PROS: can effectively limit the risk of a data breach. CONS: adds burden to communication and slows it down, although in-mail add-ins can make it much faster.

2: Organizational measures

  • Train your employees: yes, that's so important. The data breach lies at the fingertips of the employee ready to send an email without double-checking that the email address is correct. You may wish to give them proper training, pointing out the risks and consequences which can arise from such a careless move.
  • Get in contact with the recipient: once an email has been successfully sent, there is no way to call it back or delete it from the recipient's inbox. Still, you can contact the unintended recipient, explain that the email was sent by mistake, and ask them not to read the message, if that is still possible.
  • Take note: study what happened and which failure caused the incident, in order to plan follow-up actions to limit the possibility of it happening again. Document this process. It will aid your defense in case of an investigation by the data protection authorities.

In any case, as a data controller you should carry out a data breach severity assessment in order to determine whether the incident must be communicated to the data subjects involved or notified to the supervisory authority. We built an automatic tool to do that for you, taking into account the EU (ENISA + EDPB) standards. If you wish to know more, get in contact here.

***

In the next TechnoLawgy post we will look at how to handle a data breach once it happens and how to evaluate whether it must be notified to the Supervisory Authority. Meanwhile you may fancy a look here: DATA BREACH NOTIFICATION: NEW PROCEDURE ADOPTED IN ITALY. You can also find the dedicated #databreach podcast here.


EDPB letter on contact tracing App privacy issues

The European Data Protection Board has shared its view on contact tracing app privacy issues.

Following a request for consultation from the European Commission, the European Data Protection Board adopted a letter concerning the European Commission's draft Guidance on apps supporting the fight against the COVID-19 pandemic. This Guidance on data protection and privacy implications complements the European Commission's Recommendation on apps for contact tracing, published on 8 April, which sets out the process towards a common EU toolbox for the use of technology and data to combat and exit from the COVID-19 crisis.

Key takeaways:

💡 no one-size-fits-all solution applies: the envisaged technical solutions need to be examined in detail, on a case-by-case basis

💡 the EDPB believes that it is a step in the right direction to highlight the essential need to consult with data protection authorities

💡 development of the apps should take into account Privacy by Design and Privacy by Default mechanisms, and the source code should be made publicly available for the widest possible scrutiny by the scientific community

💡 the EDPB strongly supports the Commission's proposal for the voluntary adoption of such apps, a choice that should be made by individuals as a token of collective responsibility

💡 Legal basis for the processing? The mere fact that the use of contact tracing takes place on a voluntary basis does not mean that the processing of personal data by public authorities must necessarily be based on consent; the enactment of national laws promoting the voluntary use of the app, without any negative consequence for the individuals not using it, could be a legal basis for the use of the apps; it appears that the most relevant legal basis for the processing is the necessity for the performance of a task in the public interest

💡 contact tracing apps do not require location tracking of individual users. Collecting an individual's movements in the context of contact tracing apps would violate the principle of data minimisation. In addition, doing so would create major security and privacy risks

💡 the main function of such apps is to discover events (contacts with positive persons); such events can be stored either at local level (on the user's device) or at a centralized level; according to the EDPB the decentralised solution is more in line with the minimisation principle

💡 these apps are not social platforms for spreading social alarm or giving rise to any sort of stigmatisation. A mechanism should ensure that whenever a person is declared COVID-positive, the information entered in the app is correct, since this may trigger notifications to other people concerning the fact that they have been exposed

💡 once this crisis is over, such an emergency system should not remain in use, and as a general rule the collected data should be erased or anonymised.


Privacy: how to prepare for Brexit

Brexit could bring substantial changes to companies' privacy compliance strategies, especially for those with offices in the United Kingdom or that exchange personal data with UK-based companies. On 18 February 2019 the Italian Data Protection Authority (Garante privacy) announced that the European Data Protection Board (EDPB), in a recent information note, had clarified what consequences the United Kingdom's exit from the EU without an agreement could have on that flow of personal data. It is now official: Brexit will take place on 31 March 2020, and what's more without an agreement (the so-called "No Deal"). Let's look at the main operational impacts for companies and how to prepare for the scenario of a Brexit without an agreement with the EU ("Hard Brexit"), also in light of the Garante's suggestions. Continue reading


Cyprus GDPR implementation: local peculiarities

The implementing Law and the interplay with GDPR

by Christiana Markou

Another EU country has adopted a GDPR implementation law: the Law on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of such Data, Law 125(I)/2018 ("the Law"), was published in the Official Gazette of the Republic of Cyprus on 31st July 2018.

The purpose of the Law is the effective application (or implementation) of some of the provisions of the General Data Protection Regulation (GDPR). The Law responds to Recital 8 of the GDPR, which allows Member States to implement elements of the Regulation into their national law and to provisions in the GDPR allowing or obligating Member States to expand upon, adapt or deviate from the rules of the Regulation. It only comprises thirty-seven (37) provisions and must be read together with the Regulation, which remains the main piece of legislation governing data protection in Cyprus.

Key features and peculiarities of the Law

Data Processing by Courts & judgements databases

There are a few provisions in the Law that deserve to be highlighted. One of them is Section 5(a), which specifically renders the data processing performed by courts in the exercise of their duties for the purposes of the administration of justice (including the processing necessary for the issuance and publication of their judgements) permissible and lawful. This however does not cover the processing inherent in the operation of databases of judgements by private parties who offer a service to lawyers or the public at large. These entities must ensure that the processing they perform can come under one of the lawful bases of processing listed in Article 6(1), GDPR.

Minors' lawful consent

Additionally, the Law, through Section 8(1), takes a rather liberal approach in relation to children deeming them as capable of offering valid consent at a younger age than the one specified by the GDPR, which is 16 years. Notably, the chosen age of 14 years in the Law coincides with the age over which children can be criminally liable in Cyprus as per Section 14 of the Cyprus Criminal Code, Cap. 154.

Biometric data processing

Another provision of the Law, namely Section 9(1), explicitly introduces a prohibition on the processing of genetic and biometric data for the purpose of health and life insurance and also clarifies that, when the processing of such data is based on consent, separate consent must be secured for any further processing. This reflects the Cypriot legislator deeming genetic and biometric data to be of increased sensitivity. Notably, the Insurance Association of Cyprus had suggested the inclusion in the Law of another derogation from the prohibition of Article 9(1) GDPR, specifically one permitting the processing of special categories of personal data for the purposes of the conclusion and performance of insurance contracts. That suggestion has not been taken up by the Cypriot legislator and it seems that the GDPR places significant restrictions: insurance companies have to secure the explicit consent of data subjects in order to process health data concerning them (despite the fact that such processing is strictly necessary for the conclusion and performance of the insurance contract requested by the data subject). Explicit consent entails a significant administrative burden, which insurance companies would prefer to avoid. Most certainly, the GDPR is open to an interpretation that achieves a fair balance between the interests of the insurance companies and sufficient data protection, yet this requires the co-operation of all relevant stakeholders.

Data transfers outside EU

Section 17(1) is another notable provision. It introduces an obligation for controllers and processors to inform the Commissioner of their intention to transfer special categories of data (such as health data) to third countries (outside the EU) in certain cases. This is important for organisations or businesses in the medical sector which often send blood (or other) samples outside the EU for testing. When the country to which the data is exported is not one for which the European Commission has issued an adequacy decision based on Article 45, GDPR, the Cyprus Commissioner will have to be informed prior to each such transfer. This entails a considerable administrative burden, which can be avoided by eliminating the health data exported or through anonymisation, amongst other means.

GDPR 1st year implementation report: how is it going?

It is noteworthy that the Cyprus Data Protection Commissioner (“the Commissioner”) has recently published certain statistics on the application of the GDPR during the first year of its life.

According to those statistics, the Commissioner has received 464 complaints (146 of which concerned unsolicited commercial communications) and 55 data breach notifications. The authority has issued 20 decisions, nine of which imposed fines totalling nearly €37,000. Furthermore, the Commissioner conducted nine investigations on its own initiative.

These numbers reflect Cyprus's position as a small Member State of the EU; in other Member States there have been many more enforcement actions, some of which have led to multi-million fines.

This post is part of the TechnoLawgy Guest Post series and has been written by the brilliant Christiana Markou, Practising Lawyer & Assistant Professor at the European University Cyprus School of Law. For a more in-depth report on Cyprus GDPR implementation click here.

If you are interested in sharing your expertise with TechnoLawgy's international readers, hit the Contact button above.

📹First GDPR fine in Sweden: facial recognition at school📹

Facial Recognition under GDPR

For the first time the Swedish Data Protection Authority, Datainspektionen, has issued a fine for violation of the rules introduced by the General Data Protection Regulation, GDPR, towards a school that implemented a facial recognition system to monitor students’ attendance in class.

The GDPR, which was transposed into national legislation by the Swedish Data Protection Act (2018:218), introduces special safeguards and obligations for data controllers who process biometric data used for facial recognition, including, for example, the obligation to appoint a Data Protection Officer and to carry out a Data Protection Impact Assessment (Articles 35-37).

The sanction

According to the DPA website, a high school in Skellefteå used a facial recognition system to monitor students' attendance at lessons. The trial ran for three weeks and affected 22 students. Datainspektionen examined the use of the system and concluded that the High School Board in Skellefteå had processed sensitive personal data in violation of the GDPR (see art. 9 of the Regulation), and it was fined 200,000 SEK (approx. 20,000 EUR). The fine is moderate because Skellefteå is a public entity and it was only a limited trial. The maximum fine for public entities in Sweden is 10,000,000 SEK.

In its decision, the DPA finds that facial recognition meant camera surveillance of the students in their everyday environment, which was an intrusion on their integrity, and that attendance control could have been done in other, less intrusive, ways.

The high school board stated that it had received the students' consent to use face recognition for attendance control. However, as explained by Ranja Bunni, a lawyer at the DPA who participated in the review, the high school board cannot rely on consent in this case because the students are in a position of dependence on the board, and therefore the consent cannot be deemed valid pursuant to the GDPR.

Conclusion

This fine confirms the EU-wide trend of Data Protection Authorities scrutinising biometric data processing, so here is my advice:

  1. prior to implementing a facial recognition system, all available alternatives shall be considered, adopting a privacy by design and privacy by default approach;
  2. if no alternatives are viable, the data processing shall respect the data minimization principle, collecting as little data as possible and retaining the data only for the period strictly necessary to pursue the analysis;
  3. when processing biometric data, enhanced security measures shall be adopted to guarantee the safety and protection of such precious information;
  4. prior to seeking data subjects' consent, you shall consider whether consent is a valid legal basis for processing at all in the specific circumstances.


📧#GDPR: how to update your email signature📧

As we all know, on 25 May 2018 the GDPR finally became directly applicable. It is a very important update on Privacy and the protection of personal data, a true 2.0 update. In my other articles I discuss the main changes and how to comply.

Here is a useful suggestion to start adapting your email signature (also in light of Legislative Decree 101/2018, which implements the GDPR and amends the good old Privacy Code).

Continue reading


⚕️#Health&Privacy: is skin data sensitive data?

Is data on skin type sensitive health data requiring specific privacy consent under the GDPR? Not always. Continue reading


🇪🇺 🇬🇧 BREXIT privacy consequences: EU says no adequacy decision is coming

OK, we all know how the GDPR impacts personal data transfers outside the EEA, so… will Brexit make it harder to exchange data with the U.K.? Continue reading