The GDPR applies not only to entities with customers and employees located within the EU, but also to the following entities located outside of the EU:
- companies that monitor the behavior of customers or employees located in the EU;
- companies that provide services or goods in the EU; and
- companies with an “establishment” in the EU, regardless of where they process personal data, meaning that cloud-based processing performed outside of the EU for an EU-based company is covered by the GDPR.
Data processors as well as data controllers are directly liable under the GDPR.
Overview of Key Provisions of the GDPR
The key provisions of the GDPR are as follows:
- Definition of personal data. Unlike U.S. law, which protects sensitive data that could result in financial harm if disclosed, the GDPR protects any personal data that identifies a natural person. For example, an individual’s name, photo, email address, IP address, or physical description constitutes protected personal data because the individual can be identified by this information. Further, the GDPR provides special protections for “sensitive data” or “special data,” which include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union memberships, data concerning health or sexual orientation, genetic and biometric data, and criminal history information.
- Single regulatory authority. Generally, companies will have to deal with the data protection authority (DPA) only in their main EU jurisdiction. That DPA will consult with DPAs in other EU countries in which the company has customers or employees. The GDPR also creates an EU-wide regulator, the European Data Protection Board (EDPB), which includes the head of each national DPA, the European Data Protection Supervisor, or their respective representatives. The EDPB will issue guidance and resolve disputes among national DPAs.
- Data minimization and legal basis for processing. The GDPR provides that companies and employers may collect only that data on individuals that is necessary for carrying out their business purposes. Additionally, companies and employers must demonstrate and document a legal basis for their business purposes. For example, companies may collect information regarding an individual only if the individual provides express consent, the information is necessary to form or perform a contract such as an employment contract, the information is necessary to comply with EU legal obligations, or the company has a legitimate interest in collecting the information that outweighs the individual’s right to privacy.
- Limitations on customer consent. If consent is used as a legal basis to collect personal data, the consent must be freely given, specific, and informed. Importantly, if consent is required, it has to be express: “clear affirmative action by the data subject.” However, there are limitations on the use of consent as a legal basis for collecting information. Customers cannot be asked to agree to any unfair contractual terms in exchange for their consent. Similarly, consent is not valid where there is “a clear imbalance [of power] between the [customer] and the [company].”
- Transparency. Companies and employers must provide detailed notices to customers, employees, and applicants regarding, among other things, the types of data collected, the purposes for collection, the legal basis for collection, the right of the individual to access the data collected, the right of the individual to file complaints regarding the collection of the data, the types of third parties to whom the data may be disclosed, and the contact information regarding the company or employer.
- Internal controls. The GDPR requires companies and employers to implement and document internal data protection policies and procedures to protect personal data, which may have to be produced to the relevant DPA in the event of a complaint.
- Privacy by design. The GDPR requires “privacy by design” in information management systems, which means that security measures need to match the risk of a data breach and potential harm to customers and employees. In addition, data privacy impact assessments are required to be performed when a proposed data processing activity poses a “high risk for the rights and freedoms of individuals.”
- Data protection officer. Companies must hire or retain a data protection officer if they process sensitive data on a large scale, have large scale customer databases, or monitor the behavior of EU customers or employees.
- Individual access. Customers and employees will be entitled to access the data collected on them by companies and employers and to correct any inaccurate data.
- Data portability. Individuals have the right to transfer certain personal data to other companies or employers.
- Right to be forgotten (erasure). Customers and employees will be able to delete their personal data if there are no legitimate grounds for retaining any of it.
- Breach notification. Companies are required to notify the relevant DPA of all data breaches within 72 hours unless “the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.” Breaches must also be disclosed to the affected individuals “without undue delay if the personal data breach is likely to result in a high risk” to their “rights and freedoms.”
- Cross-border transfers of data. Entities within the EU cannot transfer personal data outside of the EU unless the country to which the data is transferred has adequate data protection laws (the United States is not such a country) or the transfer is made pursuant to a recognized legal mechanism such as standard contract clauses, binding corporate rules, or a certification program such as the EU-U.S. Privacy Shield.
- Issues unique to HR data. Article 88 of the GDPR provides that EU member states may implement stricter or additional requirements regarding the processing of HR data through their national data privacy laws, labor and employment laws, and collective agreements. Thus, a “one size fits all” approach is not applicable to the processing of HR data, and employers should implement GDPR compliance programs for their HR data that comply with the privacy and labor laws of each EU member state in which they employ employees and recruit applicants. Further, the EU Article 29 Working Party, which consists of the data protection authorities from the 28 EU member states, has indicated that employees cannot provide valid consent to permit their employers to process their data because of the unequal bargaining power between employees and employers. Consequently, employers must rely upon and document another legal basis to process HR data, i.e., to perform an employment contract, to comply with obligations under EU law, or to further a legitimate interest that outweighs the privacy rights of employees.
- Significant fines. DPAs will be given increased powers to enforce the GDPR, including fines of up to 20 million euro or 4 percent of worldwide revenue of the offending “undertaking”—essentially, a corporate group—whichever is greater.
Conclusion
The GDPR will have a significant impact on companies doing business in the EU and employers with employees in the EU, both in terms of additional obligations regarding the processing of personal data and the seriousness of the penalties that will be imposed for noncompliance. Thus, it is essential that covered entities begin their compliance programs as soon as possible to meet the May 2018 effective date.
Written by Grant D. Petersen of Ogletree Deakins