Undoubtedly, like me, your email inbox was inundated last week with notifications from companies regarding their updated privacy policies. Under the EU General Data Protection Regulation (GDPR), which took effect on May 25, 2018, organizations are now required to provide individuals with extensive information about the processing of their personal data. These requirements are more detailed than under the former Data Protection Directive and are geared towards transparency and fairness for the individual.
It is important for data controllers situated outside the EU to know the circumstances in which their processing activities might be governed by the strict EU regime. This is particularly relevant to two types of processing.
First, the GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing takes place in the EU or not (Article 3(1), GDPR). This is likely to be extended to the EEA. This provision reflects that, in contrast to the current regime, data processors are now specifically included within the scope of the Regulation.
Second, the GDPR applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU where the activities relate to either of the following:
- The offering of goods or services to data subjects in the EU, irrespective of whether a payment of the data subject is required (Article 3(2)(a)). In an online context, Recital 23 explains that the mere accessibility in the EU of the controller’s, processor’s or intermediary’s website, or an email address or other contact details, is insufficient to ascertain that intention. However, an online provider that uses a language (with the possibility of ordering in that language) or that prices its goods or services in a currency generally used in one or more member states may make it apparent that the controller envisages offering goods or services to data subjects in the EU. This provision is therefore likely to catch many online services established outside the EU if they are processing data of EU customers in the course of their commercial activities.
- The monitoring of the behavior of data subjects as far as their behavior takes place in the EU (Article 3(2)(b)). This could apply in cases where online providers and advertising networks place cookies or other tracking devices on the equipment of EU data subjects for the purpose of tracking their online behavior. Other indicators include the subsequent use of personal data processing techniques like profiling a natural person with the intention of making decisions about him or her, or for analyzing or predicting his or her personal preferences, behaviors or attitudes (Recital 24).
As well as satisfying the notice requirements under the GDPR by communicating what personal data are processed, for what purposes, and what disclosures of personal data are made, a GDPR-compliant privacy policy also provides organizations with the foundation for obtaining fully informed consent from individuals, on which organizations can rely as a legal basis for the processing described in the privacy policy.
Articles 13 and 14 of the GDPR set out the content that must be included in a privacy policy. GDPR-compliant privacy policies must include the following:
- Data controller’s identity;
- What personal data are collected;
- How personal data are collected;
- Why personal data are collected;
- When personal data are shared;
- When personal data are transferred outside the European Economic Area (“EEA”);
- What choices individuals have;
- How long personal data are kept; and
- What rights individuals have.
The GDPR defines personal data as “any information relating to a data subject” (Article 4(1)). A data subject is the identified or identifiable person to whom the personal data relates. A person is identifiable if he or she “can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity” of that person (Article 4(1), GDPR).
The GDPR sets out a number of principles with which data controllers and processors must comply when processing personal data (Article 5). These principles form the core of the obligations of the data controller and will usually form the basis of any claim that a data controller has not complied with its statutory duties.
Article 5 includes the following data protection principles:
- Lawfulness, fairness and transparency. Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject (Article 5(1)(a)). The specific requirements for lawful processing are set out in Article 6.
- Purpose limitation. Personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes (Article 5(1)(b)).
- Data minimization. Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Article 5(1)(c)).
- Accuracy. Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (Article 5(1)(d)).
- Storage limitation. Personal data must not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed (Article 5(1)(e)). Personal data may be stored for longer periods provided it is processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. This is subject to the implementation of appropriate data security measures designed to safeguard the rights and freedoms of data subjects.
- Integrity and confidentiality. Personal data must be processed in a manner that ensures its appropriate security (Article 5(1)(f)). This includes protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. In this regard, data controllers and processors must use appropriate technical or organizational security measures.
The GDPR confers a wide range of enforcement powers upon supervisory authorities. Data controllers that fail to present their privacy policies in an appropriate manner, or to include required information, could expose their organizations to potential enforcement action by supervisory authorities.
Supervisory authorities can issue fines for non-compliance, which should be “effective, proportionate and dissuasive”. Fines may be imposed instead of, or in addition to, other measures that supervisory authorities may order. The level of the fine imposed depends on the type of contravention. A non-compliant privacy policy exposes an organization to a fine of up to EUR 20,000,000 or 4% of global turnover, whichever is higher.