In her article (listed in the Menu of this blog) entitled GDPR is Coming: 7 Steps Processors Need to Take to be Compliant (12 December 2017), Alisha sets out mandatory provisions (concerning data processors) which must be inserted in data processing agreements (art. 28 GDPR). Consequences of contractual breaches or non-compliance with GDPR are not discussed in any detail.
“Limiting financial liability under GDPR has been made much more complex than under the Data Protection Act 1998, both because the nature of the obligations placed on both parties has changed and because the consequences of breaches are much more serious. Parties looking to limit their exposure should be realistic and not assume that it will be either possible or desirable to simply pass liability to the other party under the contract in all circumstances; instead, they will need to take a more balanced approach to liability, based on the terms of GDPR and who has caused the loss in question to arise.”
What would we do without modern day commercial search engines? For starters it would take us much longer and require much more effort to find answers to everyday questions. Search engines allow us to find the proverbial needle in a haystack.
At first glance this may seem like a good thing, but what if the search results produce links to incriminating information about us? What protection, if any, do private individuals have?
Google vs Spain
This question was considered in a landmark case of Google v. Spain (C‑131/12). The case involves an individual who requested the removal of a link to a digitized 1998 article in La Vanguardia newspaper about an auction for his foreclosed home, for a debt that he had subsequently paid. He asked the news organisation to remove the article and Google to remove any links to it. The Spanish Data Protection Agency said that the news organisation should be left alone but that Google should remove any links to the article.
On appeal the European Court of Justice affirmed the judgment of the Spanish Data Protection Agency, i.e. it upheld press freedoms by rejecting a request to have the article concerning personal bankruptcy removed from the web site of the news organisation. However, the Court ruled that European citizens have a right to request that commercial search firms, such as Google, that gather personal information for profit, should remove links to private information when asked, provided the information is no longer relevant.
The Court found that the fundamental right to privacy is greater than the economic interest of the commercial firm and, in some circumstances, the public interest in access to information.
(It’s worth mentioning that in November 2018 Google held an 89.1% market share in the UK.)
Google subsequently set up an online removal-of-links-from-its-search-results form for customers to use. It has also published a useful guide entitled “Fix problems & request removals” on Google Search Help. The guide explains the few instances in which Google will remove content from Search, which include sensitive personal information, like your bank account number, or an image of your handwritten signature, or a nude or sexually explicit image or video of you that’s been shared without your consent.
Interestingly the guide does not refer to data that is “inadequate, irrelevant or excessive in relation to the purposes of the processing” (para 92 Google
Right to erasure (“right to be forgotten”) (art. 17 GDPR)
Two years after the Google v. Spain judgment, the General Data Protection Regulations (GDPR) 2016 were published, which included a right to erasure (art. 17). This is also known as the right to be forgotten and has been described as “the right to silence on past events in life that are no longer occurring.” It is distinct from a private right (which involves information which is not publicly known) because it involves removing information that was publicly known at a certain time and not allowing third parties to access it. Although referred to as a new right, it isn’t: it already existed to some degree in EU law, and in the first data protection laws enforced in Europe.
Under GDPR, we have the right to have our personal data erased in six circumstances:
if the organisation no longer needs our data;
we initially consented to the use of our data, but have now withdrawn our consent;
we have objected to the use of our data, and our interests outweigh those of the organisation using it;
the organisation has collected or used our data
the organisation has a legal obligation to erase our data; or
the data was collected from us as a child for an
Exemptions to the right to erasure (art. 17(3) GDPR)
Our right to erasure does not apply if processing is necessary for one of the following reasons (GDPR art.17(3)):
to exercise the right of freedom of expression and information;
to comply with a legal obligation;
for the performance of a task carried out in the public interest or in the exercise of official authority;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where erasure is likely to render impossible or seriously impair the achievement of that processing; or
for the establishment, exercise or defence of legal claims.
In summary our right to erasure is limited and is trumped by certain exemptions; freedom of expression and information (or the right of the public to have access to information) being one of them. This is demonstrated in the 2015 court ruling in the Manni case (C-398/15), which clarifies that an individual seeking to limit the access to his/her personal data published in a Companies Register does not have the right to obtain erasure of that data, not even after his/her company ceased to exist.
Mr Manni requested his personal data to be erased from the Public Registry of Companies after he found out that he was losing clients who performed background checks on him through a private company that specialised in finding information in the Public Registry. This happened because Mr Manni had been an administrator of a company that was declared bankrupt more than 10 years before the facts in the main proceedings. In fact, the former company itself was removed from the Public Registry. The court concluded that Mr Manni did not have the right to obtain erasure from the Companies Register, but he did have a right to object.
Case law shows that the web and search engine results affect an individual’s reputation, and not always in a positive way. Privacy law does protect us.
The right to be forgotten under GDPR gives us the right to have our personal data erased but only in limited circumstances (listed above) and not if any of the exemptions (listed above) apply. One of these exemptions is freedom of expression. The effect of this is to exempt companies listed as “media” companies.
The Google v. Spain case gives us a right to request that commercial search firms, that gather personal information for profit, should remove links to private information when asked, provided the information is no longer relevant.
So, what practical steps should we take if searching our name on the internet brings back a link to information about us, and this is having a negative effect on our privacy?
The first step we should take is to ask the publisher to remove the personal data from its website; that way it will no longer appear in search results. Should the publisher refuse to do so and we are satisfied that one of the six circumstances mentioned above applies, and none of the exemptions mentioned above apply, we should complete the Information Commissioner’s Office (ICO) online complaint form so that ICO can pursue the matter further on our behalf.
If we are not satisfied that one of the six circumstances mentioned above applies, we could ask the publisher to use the robot exclusion standard to inform web robots or crawlers not to process or scan the page with the personal data. This will stop any links appearing in search results. However, the publisher may well reject this request on the basis that its freedom of speech trumps our right to privacy.
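The robot exclusion standard mentioned above is a plain-text robots.txt file served by the publisher. As an added example (not code from this blog or from any publisher), the following script uses Python's standard-library parser to check whether a crawler is still permitted to fetch the page holding the personal data; the host, path and robots.txt content are constructed placeholders.

```python
import urllib.robotparser

# Constructed robots.txt for a hypothetical publisher site (placeholder host and
# placeholder path): the page holding the personal data is excluded for every
# crawler; everything else on the site stays crawlable.
SITE = "https://publisher.example"
PERSONAL_DATA_PAGE = "/archive/1998/auction-notice.html"
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /archive/1998/auction-notice.html
"""


def load_rules(robots_txt: str) -> urllib.robotparser.RobotFileParser:
    """Parse robots.txt text with the standard-library parser (no network access)."""
    parser = urllib.robotparser.RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser


def crawler_may_fetch(robots_txt: str, path: str, user_agent: str = "*") -> bool:
    """True if a crawler identifying itself as user_agent may fetch SITE + path
    under the exclusion rules in robots_txt."""
    return load_rules(robots_txt).can_fetch(user_agent, SITE + path)


def excluded_paths(robots_txt: str, paths, user_agent: str = "*"):
    """Return the subset of paths a crawler may not fetch. Useful for confirming
    that a publisher has honoured a request before re-checking search results."""
    rules = load_rules(robots_txt)
    return [p for p in paths if not rules.can_fetch(user_agent, SITE + p)]


if __name__ == "__main__":
    print(crawler_may_fetch(SAMPLE_ROBOTS_TXT, PERSONAL_DATA_PAGE))  # False
    print(crawler_may_fetch(SAMPLE_ROBOTS_TXT, "/news/today.html"))  # True
    print(excluded_paths(SAMPLE_ROBOTS_TXT, [PERSONAL_DATA_PAGE, "/news/today.html"]))
```

One caveat worth knowing before making the request: a robots.txt Disallow only stops well-behaved crawlers from fetching the page; a URL that a search engine already knows about from other links can still be listed. The usual complement is a noindex robots meta tag or X-Robots-Tag header on the page itself, which the crawler can only read if the page remains crawlable.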
Search result links to personal data
If the publisher refuses to remove the personal data from its website, the next step we should take is to complete Google’s online removal-of-links-from-its-search-results form. Although the personal data will remain on the website, it will be less visible if links are removed. Should Google refuse to remove search result links, we should complete ICO’s online complaint form, but only if we are satisfied that the personal data is “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed” and that our right to privacy is greater than the economic interest of Google and the public interest in access to information.
If we are unsuccessful on all of these fronts, it may be worth writing an article in rebuttal or an article which others may find useful. Although searching our name on the internet will continue to bring back a link to information about us which has a negative effect on our privacy, it will now bring back our positive article as well. The more meaningful articles we publish the better.
The European Union’s General Data Protection Regulations (GDPR) impose many obligations on anyone who processes personal data, with substantial fines (art. 83) for any breaches. Although some of these obligations are not altogether new, they are much more extensive: having an extended material and territorial scope (art. 3), extending to data processors (art. 28) and giving data subjects enhanced rights (ch. III). The definition of personal data (art. 4) is much broader too. There is much more to worry about!
If you are non-compliant, what should you do, particularly if you do not have a budget to spend on making amends? Perhaps the starting point is for you to view privacy compliance as the end destination of an ongoing journey. Your focus should be on travelling in the right direction and being able to demonstrate this. This way, regulators are more likely to focus less on you, and more on those who don’t comply or won’t comply. So where should one start?
The most visible starting point, for most organisations, has been the publication of a privacy notice before GDPR came into force. Less visible is the appointment of data protection officers (DPOs) (art. 37), which is required under the new regulations if you carry out certain types of processing activities. DPOs can now report to one lead supervisory authority in instances of cross-border processing, which is a welcome change.
Preparing a privacy notice is a good place for you to start, for a variety of reasons. Firstly, the content (art. 13) of the privacy notice is regulated, which means you will have to find answers to the following questions to prepare it correctly:
Who is collecting the data?
What data is being collected?
What is the legal basis for processing the data?
Will the data be shared with any third parties?
How will the information be used?
How long will the data be stored for?
What rights does the data subject have?
How can the data subject raise a complaint?
To find the answers you will need to update existing data maps or prepare new ones. Data maps must reflect the current situation on an ongoing basis. You will need to show that you have at least one of the legal bases (art. 6) for processing. If you are relying on old consents, you will need to refresh them so that they fall within the new definition of consent (art. 4); if you are relying on legitimate interest you should complete a legitimate interest assessment. Checking your legal bases will help you better understand how you are using personal data.
You will also need to find out if the personal data you are processing is shared with others and mention this in your notice. Under the new regulations you are obliged to have a data processing agreement with every data processor you use. (Revising existing data processing agreements and/or agreeing new ones is an item to put on your things-to-do-next list.)
The position regarding restricted transfers of personal data to countries outside the EU has not changed that much: transfers continue to be restricted. There is however the thorny issue of Brexit looming. Have a look at the Information Commissioner’s Office guidance to help you decide if you will be affected.
If you are making international transfers of personal data, you must disclose this (art. 15(2)) and the permissible ground (ch. 5) you are relying on to do so. Grounds include: the European Commission made an “adequacy decision” about the country in which the receiver is based, or the restricted transfer is covered by appropriate safeguards (including binding corporate rules) or the restricted transfer is covered by an exception.
under the Privacy and Electronic Communications Regulations (PECR) and ensure that you have a legal basis under GDPR for any processing that ensues. (It is worth taking the time to understand the overlap between PECR and GDPR, as it can be confusing.)
GDPR also provides that you must not keep personal data for longer than you need it, and you must disclose how long you will store the information. If you do not already have a data retention policy with a document schedule, you should prepare one.
You must notify your data subjects of their enhanced privacy rights and new privacy rights, and be prepared to respond if they choose to exercise them. New privacy rights include data portability (art. 20), the right to be forgotten (art. 17) and safeguards for data processing by automated means (art. 22). (Ensuring that you have updated your policies and procedures to help your staff respond to the new rights as well as the old, enhanced rights (e.g., data subject access requests) in a correct and consistent way is another item to add to your list.)
Obligations with time constraints
After publishing your privacy notice, the next thing you should do is to identify any privacy obligations (whether under the regulations or by agreement) with a time constraint attached. Reputational damage for non-compliance should not be
One such obligation is the new duty to report personal data breaches (art. 33) to a supervisory authority and affected individuals. An internal breach register must also be maintained. GDPR requires you to notify the supervisory authority, without undue delay and not later than 72 hours after becoming aware of it, if the breach is likely to result in risks to the rights and freedoms of a natural person.
If the data breach is likely to result in high risk to the rights and freedoms of natural persons, the data subjects must be informed too, without undue delay. Questions worth considering include:
Do you have something in place (e.g. an API or web forms to document paper incidents) that facilitates both identifying and reporting on personal data breaches?
Do you have a consistent approach (i.e. risk assessment) to determine whether an incident is subject to a notification obligation or are you possibly over-notifying?
Are you determining jurisdictions impacted and the number of individuals involved on a consistent basis?
Does it make sense to create a diverse team to triage and risk rank to ensure that incidents are being escalated appropriately?
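The questions above (a consistent risk assessment, jurisdictions and individuals counted the same way every time, and a register that shows what is due when) can be answered with a small breach register that derives the notification obligations from the recorded facts. The following is an added example, not the blog's own code or any regulator's tool; the risk-ranking rule and the register entries are constructed for illustration, and a real assessment would weigh more factors than shown here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Sequence, Set

# art. 33(1): notify the supervisory authority without undue delay and, where
# feasible, not later than 72 hours after becoming aware of the breach.
AUTHORITY_WINDOW = timedelta(hours=72)


class Risk(Enum):
    UNLIKELY = "unlikely to result in a risk"  # no authority notification required
    LIKELY = "likely to result in a risk"      # notify the supervisory authority
    HIGH = "likely to result in a high risk"   # also inform the data subjects (art. 34)


# Constructed, deliberately simple ranking rule so every incident is assessed the
# same way (placeholder categories, not a legal test).
SENSITIVE_CATEGORIES = {"health", "financial", "credentials", "children"}


def assess_risk(categories: Set[str], unintelligible_to_attacker: bool) -> Risk:
    """Rank an incident: data rendered unintelligible (e.g. encrypted with an
    uncompromised key) is treated as unlikely to pose a risk, sensitive categories
    as high risk, and everything else as a risk."""
    if unintelligible_to_attacker:
        return Risk.UNLIKELY
    if categories & SENSITIVE_CATEGORIES:
        return Risk.HIGH
    return Risk.LIKELY


@dataclass
class BreachRecord:
    """One row of the internal breach register."""
    reference: str
    became_aware_at: datetime          # the 72-hour clock starts here, not at the incident
    categories: Set[str]
    jurisdictions: Set[str]
    individuals_affected: int
    unintelligible_to_attacker: bool = False

    @property
    def risk(self) -> Risk:
        return assess_risk(self.categories, self.unintelligible_to_attacker)

    def authority_deadline(self) -> Optional[datetime]:
        """Latest time for the supervisory authority notification, if one is due."""
        if self.risk is Risk.UNLIKELY:
            return None
        return self.became_aware_at + AUTHORITY_WINDOW

    def must_inform_data_subjects(self) -> bool:
        return self.risk is Risk.HIGH

    def is_overdue(self, now: datetime) -> bool:
        deadline = self.authority_deadline()
        return deadline is not None and now > deadline


def triage(register: Sequence[BreachRecord], now: datetime) -> List[dict]:
    """Summarise every record in one consistent shape for the escalation team."""
    return [
        {
            "reference": r.reference,
            "risk": r.risk.name,
            "jurisdictions": sorted(r.jurisdictions),
            "individuals": r.individuals_affected,
            "authority_deadline": r.authority_deadline(),
            "inform_data_subjects": r.must_inform_data_subjects(),
            "overdue": r.is_overdue(now),
        }
        for r in register
    ]


# Constructed sample register entries (fictitious references and dates).
SAMPLE_REGISTER = [
    BreachRecord("INC-0001", datetime(2019, 1, 10, 9, 0, tzinfo=timezone.utc),
                 {"contact"}, {"UK"}, 120),
    BreachRecord("INC-0002", datetime(2019, 1, 12, 18, 30, tzinfo=timezone.utc),
                 {"contact", "financial"}, {"UK", "IE"}, 3400),
    BreachRecord("INC-0003", datetime(2019, 1, 12, 20, 0, tzinfo=timezone.utc),
                 {"contact"}, {"UK"}, 50, unintelligible_to_attacker=True),
]

if __name__ == "__main__":
    review_time = datetime(2019, 1, 13, 12, 0, tzinfo=timezone.utc)
    for row in triage(SAMPLE_REGISTER, review_time):
        print(row)
```

Recording the moment you became aware (rather than the moment the incident happened) is the point of the became_aware_at field, because that is what the 72-hour window is measured from; the constructed INC-0001 entry shows an overdue notification, INC-0002 a high-risk breach that also requires informing the individuals, and INC-0003 an incident the rule leaves off the notification list while still keeping it in the register.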
Another obligation with a time constraint is revised subject access requests (art. 12 and 15). Now a request can be communicated over the phone (art. 15(3)) and associated costs can’t be claimed. You must respond without undue delay and at the latest within one month (as opposed to the old 40 days) of receipt. The same new time period applies to the right to rectification (art. 16). Again, it is worth checking that you have sufficient resources, policies and procedures in place to respond.
The most helpful way of tackling GDPR compliance is to view it as a journey to an end destination. Expect to discover compliance weaknesses on your journey and compile a things-to-do-next list to help propel you forward. To begin with it may feel like your end destination is getting further away rather than closer, but don’t let this bog you down. What’s important is that you continually move forward in the right direction, are transparent about how you collect and process personal data and are constantly striving to keep your customers’ personal data secure.
It has been eight months since the General Data Protection Regulation (GDPR) came into force. But it has been five years in the making. During this time a wealth of online resources have slowly been created in response to the GDPR and people’s queries about it.
However, reviewing all the information on the web takes time, especially if you don’t know where to look. You might, therefore, prefer to use a data specialist. But if you are the do-it-yourself type, or simply do not have the money to spend on a data specialist, I may be able to help. Below is a table of useful links I have used when researching privacy questions of my own. Since January heralds the anniversary of Data Protection Day (28 January) it seems like an opportune time to share this with you.
European Data Protection Board: guidance which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities
National Cyber Security Centre: guidance from the body set up to help protect our critical services from cyber-attacks, manage major incidents, and improve the underlying security of the UK Internet through technological improvement and advice to citizens and organisations
In today’s privacy climate, it is easy for companies to rush into signing data processing contracts with their service providers, for a variety of reasons. The most obvious reason is that no one wants to breach the General Data Protection Regulation (“GDPR”) (art. 28(3)) and Data Protection Act 2018 (s 59(5)), which provide that processing done by a processor on your behalf (as data controller) must be governed by a written contract between you and the data processor. The new sanctions under GDPR for breaches are too severe to be ignored.
Another reason for companies rushing to sign is an increased likelihood of breaches; the new definition of processing is all encompassing, and the definition of personal data is much wider. The new regime also requires that certain mandatory provisions be present in data processing contracts, which has meant that old data processing contracts might need to be updated by new ones, if not compliant with the new provisions.
However, is it always necessary to sign data processing contracts? Yes, service providers may have historically preferred to be classified as data processors as opposed to data controllers, in order to benefit from the less onerous obligations imposed on them by pre-GDPR laws. However, since the GDPR is far stricter on data processors, this argument no longer makes sense – and so it’s now necessary to consider whether your service providers really are data processors under this new law. The question is best answered with firstly a clear understanding of GDPR and secondly an understanding of the service being provided.
Starting with GDPR, the official guide from the Information Commissioner’s Office (ICO) (the relevant supervisory authority for the UK), although not up to date, is helpful in explaining the difference between the two roles and provides various examples of service providers, including a market research company, a payment service company, a mail delivery company, solicitors, accountants, IT services (a vehicle tracking company) and a cloud provider (a storage service provider). In its examples it concludes that only one out of the seven is a data processor: the storage service provider; five out of seven are data controllers: the market research company, the payment service company, solicitors, accountants and the vehicle tracking company; and the mail delivery service is neither a data controller nor a data processor.
What is interesting is that, if you asked a person with no knowledge of GDPR to classify each provider as either a data controller or a data processor, they would probably guess that the storage service provider is the data controller and all the rest are data processors! This is because it seems logical to assume that the first six service providers will be processing personal data on behalf of their clients, and therefore are data processors, and that the storage service provider, which stores and seemingly controls the data, must therefore be a data controller.
IT service providers can be difficult to classify correctly. This is because of the technical complexity involved, and different ways the information technology services are delivered e.g. on-premises (where software is run on your premises) or off-premises (where software is run on the service provider’s servers, which aren’t under your control). There are also many different IT services providers such as hosting service providers, managed service providers, storage service providers and application service providers to name a few.
The only way to come up with the correct answers is to carefully consider the GDPR definitions.
“‘processor’ means a natural or legal person, … which processes personal data on behalf of the controller;” (art. 4(8) GDPR)
“‘controller’ means the natural or legal person, … which, alone or jointly with others, determines the purposes and means of the processing of personal data;” (art. 4(7) GDPR)
Every instance needs to be considered on its own, for example ICO concludes that a vehicle tracking provider is a data controller, which might lead you to conclude that a video conferencing service provider is too, when it is not.
A vehicle-tracking provider installs hardware (devices in cars) and monitors them (on its servers) so that cars can be recovered if they go missing. Although the service it provides, is to track and send back location data in certain circumstances, the vehicle-tracking provider is a data controller in its own right. This is because it has sufficient freedom to use its expertise to decide which information to collect about cars (and their drivers) and how to analyse them for its own purpose i.e. making decisions in relation to purpose and means.
A video conferencing service provider installs hardware (screens and computers), for example in your conferencing suites, and uses its own software and technical expertise to allow people to videoconference with each other. Unlike the vehicle tracking provider, there is not the same freedom to decide which information to collect and use. This is because all the personal data the service provider holds in connection with the service would be provided by yourselves; therefore the video conferencing provider has no scope to use the data for any of its own purposes. Unlike a vehicle tracking provider, the video conferencing provider is a data processor.
What about IT managed service providers (MSPs), which retain responsibility for the functionality of IT services and equipment and allow you to benefit from predictable pricing and the ability to focus on core business concerns rather than IT management chores?
Although a MSP may decide such matters as what IT system to use to collect personal data, and how to store, secure, and transfer it, (all seemingly control functions) these are technical decisions which a data processor is free to make. You would retain exclusive control over the purpose for which the data is processed and the manner in which the processing takes place. As in the example above, all the personal data the MSP holds in connection with the service would be provided by you. Accordingly, the MSP is a data processor.
There are many other examples that can be considered; so long as one is constantly considering who exercises overall control over the ‘why’ and the ‘how’ of a data processing, the distinction between the roles should become clear.
Understanding the services being provided
With regard to the second leg, namely understanding the services being provided, this is largely dependent on the relationship you have with your service providers. Where service contracts were agreed some time ago, this can be a real challenge: memories fade, personnel may have moved on to another department or company, and the service provider is not incentivised to co-operate fully since it already has a service contract in place. Accordingly, it is important not to neglect the relationship you have with your service providers.
It is also useful to bear in mind that uncertainty about each party’s role can not only result in unnecessary data processing contracts but, more worryingly, prevents each party from determining where responsibility lies. This is essential to know, for example in the event of personal data being hacked.
In summary, in today’s privacy climate, one should not rush into signing data processing contracts or to update existing data processing agreements without a good understanding of GDPR and an understanding of how the delivery of services impacts the collection and processing of personal data. Since this is not so easy to do on one’s own, it seems prudent to make every effort to forge an open and collaborative relationship with one’s service providers.