In this episode, Claude Etienne Armingaud, Eleonora Curreri, and Camille Scarparo introduce a case regarding a U.S. company’s data privacy breach, the consequences a company may face for being non-compliant with GDPR for companies established outside of the EU, and which steps companies can take to prevent these situations.

First publication: K&L Gates Hub with Eleonora Curreri & Camille Scarparo

Version 2.0 – Adopted 28 March 2023

Version history

Version 1.010 October 2022Adoption of the Guidelines (updated version of the previous guidelines WP250 (rev.01) adopted by the Working Party 29 and endorsed by the EDPB on 25 May 2018) for a targeted public consultation
Version 2.028 March 2023Adoption of the Guidelines following the targeted public consultation on the subject of data breach notification for controllers not established in the EEA.

INTRODUCTION

  1. The GDPR introduced the requirement for a personal data breach (henceforth “breach”) to be notified to the competent national supervisory authority (or in the case of a cross-border breach, to the lead authority) and, in certain cases, to communicate the breach to the individuals whose personal data have been affected by the breach.
  2. Obligations to notify in cases of breaches existed for certain organisations, such as providers of publicly-available electronic communications services (as specified in Directive 2009/136/EC and Regulation (EU) No 611/2013). There were also some Member States that already had their own national breach notification obligation. This might included the obligation to notify breaches involving categories of controllers in addition to providers of publicly available electronic communication services (for example in Germany and Italy), or an obligation to report all breaches involving personal data (such as in the Netherlands). Other Member States might had relevant Codes of Practice (for example, in Ireland). Whilst a number of EU data protection authorities encouraged controllers to report breaches, the Data Protection Directive 95/46/EC, which the GDPR replaced, did not contain a specific breach notification obligation and therefore such a requirement was new for many organisations. The GDPR makes notification mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. Processors also have an important role toplay and they must notify any breach to their controller.
  3. The EDPB considers that the notification requirement has a number of benefits. When notifying the supervisory authority, controllers can obtain advice on whether the affected individuals need to be informed. Indeed, the supervisory authority may order the controller to inform those individuals about the breach. Communicating a breach to individuals allows the controller to provide information on the risks presented as a result of the breach and the steps those individuals can take to protect themselves from its potential consequences. The focus of any breach response plan should be on protecting individuals and their personal data. Consequently, breach notification should be seen as a tool enhancing compliance in relation to the protection of personal data. At the same time, it should be noted that failure to report a breach to either an individual or a supervisory authority may mean that under Article 83 GDPR a possible sanction is applicable to the controller.
  4. Controllers and processors are therefore encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate the breach to the individuals concerned when necessary. Notification to the supervisory authority should form a part of that incident response plan.
  5. The GDPR contains provisions on when a breach needs to be notified, and to whom, as well as what information should be provided as part of the notification. Information required for the notification can be provided in phases, but in any event controllers should act on any breach in a timely manner.
  6. In its Opinion 03/2014 on personal data breach notification12, WP29 provided guidance to controllers in order to help them to decide whether to notify data subjects in case of a breach. The opinion considered the obligation of providers of electronic communications regarding Directive 2002/58/EC and provided examples from multiple sectors, in the context of the then draft GDPR, and presented good practices for all controllers.
  7. The current Guidelines explain the mandatory breach notification and communication requirements of the GDPR and some of the steps controllers and processors can take to meet these obligations. They also give examples of various types of breaches and who would need to be notified in different scenarios

Go to the full Guidelines.

Well, that’s a wrap on #DPI23 France!

Claude-Étienne Armingaud, CIPP/E, Partner, Data Protection Privacy and Security Practice Group Coordinator, K&L Gates

Gabriela MercuriManaging Director, SCOPE Europe

Jörn WittmannDirector Privacy Legislative Strategy and Public Policy, Volkswagen AG

Codes of conduct overseen by accredited monitoring bodies are one of the breakthrough innovations introduced by EU General Data Protection Regulation. As part of its accountability framework, GDPR not only shifted the onus of demonstrative compliance, but also created the possibility for stakeholders to engage in co-regulatory practices. The goal was to allow the industry to support regulatory implementation by developing workable guidance to concretize the GDPR’s provisions. More flexible than other previously adopted compliance tools, CoCs generated high expectations, particularly in the wake of Schrems II, as a possible solution to address international data transfers and enable legal foreseeability. CoCs have not yet reached their full potential, with only a handful of national CoCs deployed and even less at the pan-European level. However, as the cloud ecosystem leads the way, this panel will explore the background of this sectoral success while highlighting CoC’s benefits, as well as their limitations.

What you will learn:

• How to understand the relevancy of CoCs in a post-GDPR, post-Schrems II era.

• What CoCs can bring to an ecosystem, as well as what they should not be pursued for.

• The future of international data transfers amid emerging data protection systems at global levels.

More information.

K&L Gates ranked “Recommended” with Claude-Etienne Armingaud.

Source: Leaders League

(more…)

K&L Gates ranked “Highly Recommended, Band 2/2” with Claude-Etienne Armingaud.

Source: Leaders League

(more…)

K&L Gates ranked “Highly Recommended – Band 1” with Claude-Etienne Armingaud.

Source: Leaders League

(more…)

Version 2.0 dated 14 February 2023
Go to the official PDF version.

Executive Summary

The GDPR does not provide for a legal definition of the notion “transfer of personal data to a third country or to an international organisation”. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer:

  1. A controller or a processor (“exporter”) is subject to the GDPR for the given processing.
  2. The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
  3. The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.

If the three criteria as identified by the EDPB are met, there is a transfer and Chapter V of the GDPR is applicable. This means that the transfer can only take place under certain conditions, such as in the context of an adequacy decision from the European Commission (Article 45) or by providing appropriate safeguards (Article 46). The provisions of Chapter V aim at ensuring the continued protection of personal data after they have been transferred to a third country or to an international organisation.

Conversely, if the three criteria are not met, there is no transfer and Chapter V of the GDPR does not apply. In this context, it is however important to recall that the controller must nevertheless comply with the other provisions of the GDPR and remains fully accountable for its processing activities, regardless of where they take place. Indeed, although a certain data transmission may not qualify as a transfer according to Chapter V, such processing can still be associated with increased risks since it takes place outside the EU, for example due to conflicting national laws or disproportionate government access in the third country. These risks need to be considered when taking measures under, inter alia, Article 5 (“Principles relating to processing of personal data”), Article 24 (“Responsibility of the controller”) and Article 32 (“Security of processing”) – in order for such processing operation to be lawful under the GDPR.

These guidelines include various examples of data flows to third countries, which are also illustrated in an Annex in order to provide further practical guidance.

(more…)

In this first episode, we discuss the challenges faced by data controllers in their compliance with Article 5 GDPR following the EU Court of Justice’s Digi Case C-77/21. In particular, we focus our discussion on the purpose and data storage limitations, and how your legal team should be the 3PO protocol droid within your organization for the implementation of GDPR best practices.

May the enforcement be with you!

First publication: K&L Gates Hub with Eleonora Curreri

This program provides timely updates, best practices, and emerging developments in today’s data protection, privacy, and security industry.

Listen to the latest episodes now!