General Data Protection Regulation (GDPR)

A unified legal framework for the EU as a whole

It is a European regulation, which means that, unlike a directive, it is directly applicable throughout the Union without the need for transposition in the various Member States. The same text will therefore apply throughout the Union. The Regulation applies from 25 May 2018, so processing operations already in place by that date will have to be brought into line with its provisions.

Extended scope of application

Targeting criteria

The Regulation applies whenever the controller or processor is established in the territory of the European Union, or whenever the controller or processor carries out processing operations intended to provide goods and services to European residents or to “target” them. In practice, European law will therefore apply whenever a European resident is directly concerned by the processing of data, including via the Internet.

Responsibility of processors

Whereas the current data protection law mainly concerns “controllers”, i.e. bodies which determine the purposes and means of the processing of personal data, the Regulation extends to processors a large part of the obligations imposed on controllers.

A one-stop shop

Businesses will deal with a “one-stop shop”, i.e. the data protection authority of the Member State in which their “main establishment” is located. This establishment is either the place of their head office in the Union or the establishment where decisions are taken on the purposes and means of processing. Businesses will thus benefit from a single point of contact in the European Union on the protection of personal data when implementing transnational processing.

Enhanced cooperation between authorities on transnational processing

However, where the processing is transnational, i.e. it concerns the citizens of several European States, the data protection authorities of each of the States concerned remain legally competent to verify the compliance of the processing carried out.

In order to ensure a single response for the whole territory of the Union, the lead authority will cooperate with the other data protection authorities concerned in joint operations. Decisions will be adopted jointly by all the authorities concerned, in particular as regards sanctions.

The national data protection authorities sit together in a European Data Protection Board (EDPB), which ensures the uniform application of data protection law. It is intended to replace the current G29 (Article 29 Working Party).

In practice, the lead authority proposes measures or decisions (finding a processing operation compliant, or proposing a sanction). The European authorities concerned by the processing operation then have four weeks to approve this decision or, on the contrary, to raise an objection. If the objection is not resolved, the matter is referred to the EDPB, which then issues an opinion. This opinion is binding and must therefore be followed by the lead authority.

Whether or not the matter is referred to the EDPB, the lead authority must adopt the decision shared by its counterparts. There will therefore be a joint decision, which may be appealed before the court competent to review that authority’s decisions.

For example, in the case of a company whose main establishment is in France, the CNIL will be the one-stop shop for this company and will notify it of the decisions adopted under this consistency mechanism. Its decisions, if unfavourable, may then be appealed before the Council of State (Conseil d’État).

This mechanism allows data protection authorities to rule quickly on the compliance of a processing operation or on an infringement of the Regulation, and it provides businesses with a high degree of legal certainty by ensuring a single response across the Union.

Sanctions

Controllers and processors may be subject to significant administrative sanctions if they fail to comply with the rules.

The data protection authorities may in particular:

  • Issue a warning;
  • Issue a formal notice to the company;
  • Temporarily or permanently restrict processing;
  • Suspend data flows;
  • Order the controller to comply with requests from data subjects to exercise their rights;
  • Order the rectification, restriction or erasure of data.

As regards the new compliance tools available to businesses, the authority may withdraw a certification it has issued or order the certification body to withdraw it.

Administrative fines, depending on the category of infringement, may amount to EUR 10 million or EUR 20 million or, in the case of a company, 2% up to 4% of annual worldwide turnover, whichever is higher.

This amount must be considered together with the fact that, for transnational processing, the sanction will be adopted jointly by all the authorities concerned, and therefore potentially for the territory of the whole European Union.

In this case, a single sanction decision, taken by several data protection authorities, will be imposed on the company.

Compliance and Accountability

Whereas the 1995 Directive is largely based on the notion of “prior formalities” (declarations, authorisations), the European Regulation is based on a logic of compliance for which the actors themselves are accountable, under the supervision and guidance of the regulator.

A key concept: data protection by design and by default

Controllers will have to implement all the technical and organisational measures necessary to ensure the protection of personal data, both from the design stage of products and services and by default. In particular, they should take care to limit the amount of data processed from the outset.

Reduced formalities and accountability of stakeholders

In order to ensure optimal protection of the personal data they process, on a continuous basis, controllers and processors will have to put in place appropriate data protection measures and be able to demonstrate this compliance at all times.

The consequence of this accountability of stakeholders is the removal of notification obligations where the processing operations do not pose a risk to the privacy of individuals. As regards the processing operations currently subject to authorisation, the authorisation regime may either be maintained under national law or be replaced by a new procedure centred on the privacy impact assessment.

New compliance tools:

  • Keeping a register of the processing operations implemented
  • Notification of personal data breaches (to the authority and to data subjects)
  • Certification of processing operations
  • Adherence to codes of conduct
  • The DPO (Data Protection Officer)
  • Privacy Impact Assessments (PIAs)

“Privacy Impact Assessments” (PIAs)

For every processing operation that presents a risk, the controller will have to carry out a full impact assessment, setting out the characteristics of the processing, the risks and the measures adopted. This covers in particular the processing of sensitive data (data revealing racial or ethnic origin, political, philosophical or religious opinions, trade union membership, data concerning health or sexual orientation, but also the new categories of genetic and biometric data) and processing based on a “systematic and extensive evaluation of personal aspects relating to natural persons”, in particular profiling.

Where the risk is high, the controller must consult the data protection authority before carrying out the processing. The CNIL may object to the processing in the light of its characteristics and consequences.

A security obligation and personal data breach notification for all controllers

Personal data must be processed in such a way as to ensure appropriate security and confidentiality.
Where the controller becomes aware of a personal data breach, it must notify the breach to the data protection authority within 72 hours. Data subjects must also be informed if the breach is likely to result in a high risk to their rights and freedoms.

Data Protection Officer (Privacy Officer)

Controllers and processors must designate a Data Protection Officer:

  • If they belong to the public sector;
  • If their core activities lead them to regularly and systematically monitor individuals on a large scale;
  • If their core activities lead them to process (again on a large scale) so-called “sensitive” data or data relating to criminal convictions and offences.

Apart from these cases, the appointment of a Data Protection Officer will of course be possible.

Controllers can opt for a shared or external Data Protection Officer.

The Data Protection Officer becomes the true “conductor” of data protection compliance within his or her organisation. The DPO is thus responsible for:

  • Informing and advising the controller or processor, as well as its employees;
  • Monitoring compliance with the European Regulation and the national data protection law;
  • Advising the organisation on carrying out an impact assessment (PIA) and verifying that it has been performed;
  • Cooperating with the supervisory authority and acting as its point of contact.

Pending 2018, you can already designate a “Correspondant Informatique et Libertés” (CIL), which will give you a head start and allow you to organise the actions to be carried out.

Unifeyes guarantees, in accordance with the CNIL guidelines:

Training and support for the Data Protection Officer

To keep control of personal data governance within your organisation, depending on the size of your company, it is necessary to appoint a Data Protection Officer (DPO). Unifeyes offers to train this person, a true conductor who will carry out a mission of information, advice and internal control, and to support them day to day in carrying out that mission.

Risk management

The Unifeyes solution enables you to identify the personal data processing operations likely to pose a high risk to rights and freedoms. Where necessary, the system carries out a data protection impact assessment (DPIA) for each of these processing operations and provides you with a dedicated report.

Mapping your personal data processing operations

In the Unifeyes solution, your data processing operations are mapped and your data is fully secured. You know when, how and by what means personal data have been handled, and you can easily assess your compliance with the European rules. The Unifeyes solution serves as your register of processing operations, as requested by the CIL.

Organisation of internal processes

In order to ensure a high level of personal data protection at all times, the internal procedures that keep data protection in view are set up in your dedicated space, taking into account all the events that may occur over the lifetime of a processing operation (e.g. a security breach, handling of requests for rectification or access, modification of the data collected, change of supplier).

Prioritisation of the actions to be carried out

With the BPM (Business Process Management) system integrated into the Unifeyes DRM, the actions needed to comply with current and future obligations are clearly identified and proposed to you at the appropriate time. Priorities are defined automatically, according to the risks your processing operations pose to the rights and freedoms of data subjects.

Compliance documentation

To demonstrate your compliance with the regulations, the system holds all the necessary documentation. The actions and documents generated at each stage are regularly reviewed and updated to ensure continuous data protection.