Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR

February 25th, 2023 | Posted by Claude-Etienne Armingaud in Data Transfer | Europe | Privacy - (0 Comments)

Executive Summary

The GDPR does not provide for a legal definition of the notion “transfer of personal data to a third country or to an international organisation”. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer:

  1. A controller or a processor (“exporter”) is subject to the GDPR for the given processing.
  2. The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
  3. The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.

If the three criteria as identified by the EDPB are met, there is a transfer and Chapter V of the GDPR is applicable. This means that the transfer can only take place under certain conditions, such as in the context of an adequacy decision from the European Commission (Article 45) or by providing appropriate safeguards (Article 46). The provisions of Chapter V aim at ensuring the continued protection of personal data after they have been transferred to a third country or to an international organisation.

Conversely, if the three criteria are not met, there is no transfer and Chapter V of the GDPR does not apply. In this context, it is however important to recall that the controller must nevertheless comply with the other provisions of the GDPR and remains fully accountable for its processing activities, regardless of where they take place. Indeed, although a certain data transmission may not qualify as a transfer according to Chapter V, such processing can still be associated with increased risks since it takes place outside the EU, for example due to conflicting national laws or disproportionate government access in the third country. These risks need to be considered when taking measures under, inter alia, Article 5 (“Principles relating to processing of personal data”), Article 24 (“Responsibility of the controller”) and Article 32 (“Security of processing”) – in order for such processing operation to be lawful under the GDPR.

These guidelines include various examples of data flows to third countries, which are also illustrated in an Annex in order to provide further practical guidance.

(more…)

, , , ,

Gateway to Privacy: This Is the Way – GDPR Article 5 Compliance

February 25th, 2023 | Posted by Claude-Etienne Armingaud in Case Law | Communication | Europe | Podcast | Privacy - (0 Comments)

In this first episode, we discuss the challenges faced by data controllers in their compliance with Article 5 GDPR following the EU Court of Justice’s Digi Case C-77/21. In particular, we focus our discussion on the purpose and data storage limitations, and how your legal team should be the 3PO protocol droid within your organization for the implementation of GDPR best practices.

May the enforcement be with you!

First publication: K&L Gates Hub with Eleonora Curreri

, , , , ,

Sapin II – What Recommendations Should Be Followed From 2021 Onwards

April 12th, 2021 | Posted by Claude-Etienne Armingaud in France | Privacy - (0 Comments)

The French Law n°2016-1691 of 9 December 2016 relating to transparency, the fight against corruption, and the modernization of economic life, known as the “Sapin II” Act 1)Sapin II entered into force on 10 December 2016 (JORF n°0287 of Dec. 10, 2016) introduced to legal entities additional compliance requirements to address corruption in order for France to meet the highest European and international standards.

Sapin II has established a general principle of prevention and detection of corruption risks under the control of a national anticorruption structure, the French Anti-Corruption Agency (AFA),  whose main mission is to help economic and public players in the process.

The AFA noted in its 2019 annual activity report 2)French Anti-Corruption Agencyn Annual Activity Report 2019 (7 July 2020) (in French).that anticorruption measures implemented by economic and public players were still incomplete.

On 12 January 2021, the AFA published new recommendations entered into force on 13 January 2021 (Recommendations, here in French).

The AFA specifies the practical procedures for implementing an anticorruption system structured around three foundational principles, namely:

  • Governing body’s commitment;
  • Understanding the entity’s exposure to probity risks; and
  • Risk management.
(more…)

References

References
1 Sapin II entered into force on 10 December 2016 (JORF n°0287 of Dec. 10, 2016)
2 French Anti-Corruption Agencyn Annual Activity Report 2019 (7 July 2020) (in French).

, , ,

EU Court of Justice Invalidates Privacy Shield

July 16th, 2020 | Posted by Claude-Etienne Armingaud in Case Law | Data Transfer | Europe | Privacy - (0 Comments)

On the morning of 16 July 2020, in a significant decision of the Court of Justice of the European Union (CJEU), the Privacy Shield was held to be invalid.

What is the Privacy Shield

The Privacy Shield was an agreement negotiated in 2016 between the United States Department of Commerce, the European Commission and the Swiss Administration to provide a mechanism for companies to transfer personal data from the European Union and Switzerland to the United States. The Privacy Shield was designed to enable companies to transfer personal data across the Atlantic in accordance with EU data protection law that pre-dated the GDPR.

(more…)

, , , , , , ,

COVID-19: French Supervisory Authority Provides Guidance on Personal Data Processing by Employers Amidst Post-Lockdown Return to Work

June 9th, 2020 | Posted by Claude-Etienne Armingaud in France | Privacy - (0 Comments)

The current COVID-19 pandemic continues to raise many issues on employee privacy and how employers may balance processing their employees’ data with ensuring safety in the workplace. The French Supervisory Authority (CNIL) has provided guidance on the methods that may be used by employers to collect and process health data from their employees (outside of medical care data) in order to detect possible symptoms related to COVID-19, as well as data relating to travel or events. In addition, more generally, the French Labor Ministry has published a “National protocol regarding the end of the lockdown for companies to ensure health and safety of the employees” (Protocol), in order to help employers manage the various tasks and issues related to the end of the lockdown and employees’ return to work. This document does not have legal force, but sets out the general recommendations and principles of prevention regarding the protection of employees’ health and safety in the context of the current health crisis.

Under the General Data Protection Regulation (GDPR) framework, the CNIL guidance available here in French) reiterates a number of core principles:

Respective Obligations to Ensure and Maintain Health and Safety in the Workplace

Obligations Incumbent On Employers

In the private sector, Articles L. 4121-1 and R. 4422-1 of the French Labor Code (FLC) provide for a safety obligation incumbent on employers, which must implement occupational risk prevention, information and training actions. The company and its legal representatives are criminally liable for the employee security obligation. Employers that fail to provide employees with safe and appropriate working conditions would face a court risk and could be held liable for not ensuring the employees’ safety and security on the workplace. Since 2015, the French Supreme Court has held that the employer’s obligation with regard to employees’ health and safety is an enhanced best efforts obligation (obligation de moyen renforcée). Therefore, the employer can avoid liability by proving that preventive measures have been implemented. French Supreme Court case law holds that the employer has complied with this legal obligation to take the necessary measures to ensure the safety and protect physical and mental health of employee when it is demonstrated that he has taken all measures to prevent, adapt and provide information on the risks, in accordance with Articles L. 4121-1 and L. 4121-2 of the FLC.

In the context of the current pandemic, the employer’s safety obligation is more topical than ever. In order to comply with this mission, employers have the right to process personal data, albeit only when strictly necessary to foster that purpose. In this respect, the CNIL encourages employers to regularly consult the information and recommendations published by the French Labor Ministry, in order to better understand their obligations in this period of health crisis.

According to the CNIL’s position, employers are entitled, in this context, to:

  • Remind their employees, when working in contact with other individuals, of their obligation to report to their employers or the competent health authorities in the event of actual or suspected contamination, for the sole purpose of enabling working conditions to be adapted in consequence;
  • Facilitate the transmission of this feedback by setting up, if necessary, dedicated and secure channels; and
  • Promote remote working methods and encourage the use of occupational medicine.

Obligations Incumbent On Employees

On the other hand, Article L.4122-1 FLC provides that each employee has a safety obligation which requires them to preserve not only their own health and safety, but also, the health and safety of other individuals with whom they may come into contact in the course of their professional activity, be it other workers or customers. However, in practice, employers might be in a delicate situation if they were to take disciplinary sanctions against these employees, and they might face labor court actions.

While French employees are usually only required to provide an illness certificate, which does not provide any specifics on the health status other than inability to work, the CNIL understands that the contagiousness of the COVID-19 pandemic mandates self-reporting be more specific to enable employers to take any measure required to ensure the safety in the workplace.

However, this reinforced duty to provide information does not extend to individuals working in isolated conditions, e.g. without contact with other individuals and/or working remotely. For such “isolated” workers, the classic rules of labor law apply and employers are not allowed to mandate such disclosure of personal data.

The Processing of COVID-19 related Personal Data by Employers

When organizing the return to work, employers are encouraged to facilitate dialogue with its employees and employee representative. Employers may require certain information, and may ask employees to inform the company’s management of, in particular, any travel to risk areas and risk factors related to their health or relatives. However, this organizational requirement must be compliant with the GDPR for the processing of employees’ personal data.

In any case, employers may only process elements related to (i) the date, (ii) the identity of the person, (iii) the contamination status reported by the employee, and (iv) the data related to the organizational measures to be put in place.

The CNIL emphasizes the particular sensitivity of health-related data, which is considered a “special category of personal data” under Article 9 GDPR, and thus requires processing under robust conditions of security and confidentiality, as well as limited access to authorized personnel. Consequently, employers wishing to take steps to ensure the health of their employees must rely on their occupational health service.
Processing operations pertaining to such special category of personal data is, by principle, prohibited under GDPR, unless they fall within one of the exceptions provided under GDPR, namely:

  1. Consent of the individuals, which is always a difficult basis when processing employees’ personal data;
  2. Necessity to carry out the obligations in the field of employment and social security and social protection law in so far as it is authorized by Union or Member State law;
  3. Necessity to protect the vital interests of individuals when physically or legally incapable of giving consent;
  4. Legitimate activities of nongovernmental organizations and other associations;
  5. Processing relating to personal data that is manifestly made public by the individuals;
  6. Necessity in the context of legal claims;
  7. Necessity in the context of substantial public interest;
  8. Necessity for the purposes of preventive or occupational medicine, for the assessment of the working capacity of employees, medical diagnosis, the provision of health or social care, or treatment or the management of health or social care systems and services;
  9. Necessity for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices; or
  10. Necessity for archiving purposes in the public interest or scientific or historical research or statistical purposes.

In the context of the pandemic, the CNIL highlights that (2) and (8) would be the only relevant bases to ensure the safety in the workplace.

In that regard, the coordination with health authorities, as potential recipients of the data, is authorized, to ensure the medical care of the exposed person. Nevertheless, the identity of the individual, effectively or presumably infected, must not, under any circumstances, be communicated to other employees.

Considering that GDPR and its French implementation only apply to automated processing (particularly computer processing) or to non-automated processing where a physical file is materialized, this means that the simple verification of temperatures prior to access to premises would not trigger application of GDPR insofar as no trace of this check is kept and if no other operation is carried out. On the other hand, any automated temperature verification, such as through use of thermal cameras, would be subject to GDPR. Given that other less intrusive methods to achieve a similar purpose exist, they may not pass muster for the data minimization tenet of GDPR.

ACTION POINTS

Based on the CNIL and French Labor Ministry guidance, the following could be considered by employers in order to effectively and efficiently organize their employees’ return to work:

  • Transparency: Employers must remain fully transparent with regard to the processing operations implemented and provide the relevant information through dedicated or amended privacy notice;
  • Temperature tests: In principle, temperature logs pertaining to personnel, visitors and customers, as well as automated temperature verification (e.g. through thermal cameras) are not authorized. Indeed, the Protocol published by the French Labor Ministry provides that systematic monitoring of employee temperatures is not recommended. However, if the employer is willing to set up temperature controls at the entrance of the company, it is necessary to (i) post an information note for the employees, and (ii) provide employees with sufficient guarantees (i.e., prior information regarding to the maximum temperature allowed in the premises and the consequences of a positive control, compliance with the GDPR, etc.). Such controls of temperatures could be implemented within the framework of a more global policy stating safety measures in order to preserve the employee’s security and safety when returning to work ;
  • Screening test: The Protocol considers that screening tests at the entrance to the company’s premises are not authorized (several groups had announced that they would provide screening tests for their employees);
  • Access: Only relevant departments within the company may access the health data collected in the context of COVID-19. Notably, for larger companies, only aggregated and deidentified data, which may not allow any identification of the individuals, can be shared more broadly within the organization;
  • Continuity plan: Any continuity plans considered by a company must include specific measures aiming at protecting the safety of employees and identify the essential activities and individuals that must be maintained in order to ensure continuity of service, with such continuity plan, or any professional travel authorization, containing only the personal data necessary to achieve this objective; and
  • Transfer: Employers may only communicate such data to qualified health authorities upon request. While no direct communication to health professionals is authorized, employers should direct their personnel to engage with these health professional directly. Similarly,

First publication: K&L Gates Hub in collaboration with Christine ArtusSarah ChihiAnne RaguClara Schmit

, , , ,

The Privacist – Volume 1

October 8th, 2019 | Posted by Claude-Etienne Armingaud in Communication | Europe | France | Press | Privacy - (0 Comments)

Brexit: Deal Or No-Deal? Data is the Question
With the Brexit deadline looming ahead on 31 October 2019, the situation seemingly reaches new levels of uncertainty every day. Last week, the U.K. Supreme Court’s eleven judges unanimously ruled that Prime Minister Boris Johnson’s decision on 9 September 2019, to prorogue Parliament was “unlawful and void.” Parliament will therefore carry on its Brexit discussions…with now only thirty days left to finalise a deal. Although Parliament, while still in session, passed a law to extend the Brexit deadline, such an extension would still require approval by the EU.

So how should companies prepare, on either side of the Channel (and beyond), in the coming months for the more-likely-by-the-day-scenario of No-Deal?

(more…)

, , , ,

Leaders League Ranking 2019 – Technologies, internet & telecommunications – Data protection law – France

June 1st, 2019 | Posted by Claude-Etienne Armingaud in Communication | France | Privacy - (0 Comments)

K&L Gates ranked “Excellent” with E. Drouard & Claude-Etienne Armingaud.

Source: Leaders League

, , , ,

European Data Protection Board Clarifies the Interplay Between the EU Clinical Trials Regulation and the General Data Protection Regulation

April 8th, 2019 | Posted by Claude-Etienne Armingaud in eHealth | Guidelines | Privacy - (0 Comments)

On 23 January 2019, the EU Data Protection Board (“EDPB” – the gathering of all European Union (EU) data protection authorities) adopted opinion no. 3/2019 (the “Opinion”) on the interplay between the Clinical Trials Regulation no. 536/2014CTR”) and the General Data Protection Regulation (“GDPR”). Anticipating the application of CTR (currently expected to occur in 2020) following the implementation of the EU portal and the EU database of the European Medicines Agency, the Opinion provides clarification on (i) the different legal bases for the processing of personal data operations related to a specific clinical trial, from commencement of the clinical trial until the deletion of personal data collected during the clinical trial (“Primary Use”); and (ii) the further use of the same personal data set for any other scientific purposes (“Secondary Use”). Without establishing a legal basis, no one can process the personal data needed to run a clinical trial or to use the personal data for other research.

(more…)

, ,

GDPR – French Data Protection Authority Pronounced Its First Fine Under GDPR (And Biggest So Far)

January 22nd, 2019 | Posted by Claude-Etienne Armingaud in Case Law | France | Privacy - (0 Comments)

On January 21, 2019, the French Data Protection Authority (Commission Nationale de l’Information et des Libertés, or “CNIL”) published its first sanction rendered under the General Data Protection Regulation (“GDPR”).

Barely eight months after GDPR entered into force, and the subsequent group actions that were introduced in France, the CNIL followed in their footsteps its other European counterparts. However, while Portugal in July drew first against a hospital with a EUR 400,000 fines, the Austrian and German follow-ups, respectively for EUR 4,800 and 20,000 underwhelmed in contrast with the EUR 20 million, or 4% of the global turnover of a company (which ever the greatest) maximum fines allowed under GDPR.

Today’s CNIL decision nevertheless set the possible path for upcoming application of GDPR, by striking a EUR 50 million fine against Google LLC.

This sanction followed the group complaints formed by Maximilian Schrems’s association “None Of Your Business” (“NOYB” – already behind the cancellation of the Safe Harbor in 2015 and currently litigating against the Standard Contractual Clauses in Ireland) and La Quadrature du Net (“LQDN”), which received a mandate from 10,000 individuals to refer the matter to the CNIL.

The CNIL grounded its decision on the lack of transparency and inadequate information of the individuals in order to deem the consent regarding the ads personalization invalid.

On the one hand, the CNIL highlighted that the information of the data subjects was diluted in a myriad of documents while applying to a plurality of services at once (e.g. Google search, You Tube, Google Home, Google Maps, Playstore…). This did not allow the user to gain a “just perception of the nature and the volume of data collected.”

On the other hand, the consent-gathering mechanism was deemed inadequate to obtain the “specific” and “unambiguousconsent required for such data processing operations. The CNIL notably criticized the blanket acceptance of “the processing of [users’] information as described above and further explained in the Privacy Policy”, which, according to the Regulator, does not allow the users to opt-it to the each particular processing operation at stake without additional steps for the users to reach the required information.

This decision, in addition to be the first rendered by the CNIL under GDPR, will also in all likelihood be the last under the current Secretary General, Isabelle Falque-Pierrotin, who will be replaced on February 1st, after heading the CNIL since 2011.

, , , , , ,

The New EU-Japan Personal Data Deal: EU and Japan to Each Recognize the Other’s Personal Data Protection System as Equivalent – What It Means For Businesses and Next Steps

August 24th, 2018 | Posted by Claude-Etienne Armingaud in Europe | Privacy - (0 Comments)

On 17 July 2018, the European Union (the “EU”) and Japan reached an agreement to recognize each other’s data protections systems as “equivalent”, and each commits to complete internal procedures by fall 2018 (the “Data Agreement”). Once adopted, this will allow businesses to transfer personal data from the European Economic Area 1)The EEA brings together the EU Member States and the three EFTA (European Free Trade Association) States (Norway, Liechtenstein and Iceland) into a … Continue reading(the “EEA”) to Japan and vice versa without being required to provide further additional safeguards for each transfer.

The Data Agreement concludes the two-year-long dialogue regarding mutual recognition of personal data protection regimes between the two parties, and it was issued along with the EU-Japan Economic Partnership Agreement, a long-awaited EU-Japan free trade deal. Prior to the final Data Agreement, in December 2017, the governments issued a joint statement to resolve issues essentially within the existing personal data protection framework to enable free data transfer between the two parties.
(more…)

References

References
1 The EEA brings together the EU Member States and the three EFTA (European Free Trade Association) States (Norway, Liechtenstein and Iceland) into a single market that seeks to guarantee the free movement of goods, people, services and capital.

, , , ,