In the first part of this mini-guide, I focused on clearing away the doubts that GDPR had created. In this part, we answer some of the questions we have received to add further clarity in specific use cases. These are the more geography-specific topics that can appear confusing, especially when it comes to responsibility and potential incurrence of penalties.
By way of summary, it is very important to stress again that there are two different positions in which a non-EU company would have to comply with GDPR obligations. Either the obligation arises from the company's own activities (cases 1-3 in the previous article), or the company is a sub-contractor of an EU-based company (case 4 in the previous article). With this in mind, you can read these additional questions on the topic of GDPR applicability. The articles of GDPR that are particularly applicable are Article 28, which governs the conclusion of a Data Processing Agreement, and Articles 46 and 49, which regulate transfers of personal data between EU and non-EU parties.
What steps should organizations undertake in order to determine whether they are bound by GDPR internationally?
It is necessary to be familiar with the four points raised in the previous article, as they deal specifically with non-EU companies conducting business with, or performing analytics on, visitors/customers from within the EU. Based on these situations, use common sense to see whether they apply to you. In most cases it is advisable to consult a lawyer to be really sure.
If non-EU firms are only analyzing visitor behavior, do they need to be GDPR compliant in all areas of their business, even if they are not breaching GDPR in those other areas too?
GDPR applies to personal data processing in all the situations specified in the previous article. If you do not fall under the conditions that make GDPR applicable, you will still have to comply with your own country's legislation. Therefore, when analyzing the behavior of a visitor from the EU, the controller is governed by GDPR. For other visitors, however, companies do not need to be GDPR compliant. But, as I have already mentioned, the laws of specific non-EU countries, including yours, might contain their own rules, so be sure to consult your lawyer.
If I have a sub-contractor from outside the EU, what is the legal regime of such a situation?
By sub-contracting to a company from outside the EU, a data controller is granting someone outside the EU access to personal data. This means that the sub-contractor will process that personal data and, therefore, the data controller must satisfy the legal requirements for transfers of personal data to third countries.
In other words, in the case of a business relationship between an EU-based controller and a processor outside the EU, the parties have to follow one of the options for data transfer specified in Articles 44-50 of the GDPR.
To answer the question: GDPR is the primary regulation for the legal regime of such a situation. However, in order to use such a third-party service lawfully, there might be additional requirements based on the country outside the EU of the data processor.
Therefore, the final answer depends on the specific circumstances of the case.
What are the different types of options for data transfer?
- For some countries, the European Commission has issued an "adequacy" decision, and it is possible to transfer personal data without any further authorization ("safe countries");
- For some countries, a special certification mechanism has been implemented, and if the company gets certified, it is possible to transfer personal data in accordance with the certification (in particular with the United States);
- You may transfer personal data if you implement other appropriate safeguards;
- You may transfer personal data in the specific situations listed in Article 49.
On the subject of data transfers, which countries are considered safe?
Many countries have domestic laws governing personal data protection, and in some cases these local laws are in fact stricter than GDPR. However, the European Commission has shortlisted Andorra, Argentina, Canada, Switzerland, the Faroe Islands, Guernsey, the State of Israel, the Isle of Man, Jersey, New Zealand, the United States, and Uruguay as safe countries. This list cannot be considered final, as it remains subject to further amendments under GDPR by which it could be superseded or, indeed, cancelled altogether. Transfers to countries not on this list are, in particular, bound by Article 46.
What are other appropriate safeguards?
As an appropriate safeguard, you may use one of these mechanisms:
a) a legally binding and enforceable instrument between public authorities or bodies;
b) binding corporate rules;
c) standard data protection clauses adopted by the Commission;
d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure;
e) an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
f) an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
What are the derogations under Article 49?
Derogations can be applied under Article 49 under the following conditions:
a) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
b) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
d) the transfer is necessary for important reasons of public interest;
e) the transfer is necessary for the establishment, exercise or defence of legal claims;
f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
g) the transfer is made from a register that, according to Union or Member State law, is intended to provide information to the public and that is open to consultation either by the public in general or by any person that can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
A data controller could incur a penalty if it fails to ensure GDPR compliance. This means that companies acting as a processor for a European data controller are duty-bound to protect their customers by putting an appropriate data transfer mechanism in place.
I am grateful to those of you who got in contact with me, as it is important that I address those areas that might seem vague but, at the same time, are critical to all of you in ensuring compliance with GDPR. As always, I welcome any comments or questions raised by this article. Are there some areas that you would like explained or explored further? How far are you in making your company ready for GDPR?
STOP PRESS: To help you even further, Kentico has organized a free event in London on September 26, 2017 called “Get Your Business GDPR Ready”. Featuring Digital Clarity Group’s co-founder and principal analyst Tim Walters, the event focuses on the key points you need to know to help ensure your business is fully GDPR compliant. Kentico’s Karol Jarkovsky and David Komarek will also give a presentation on how Kentico 11, the upcoming release of our CMS, can help streamline your company’s GDPR compliance. Both presentations are followed by a Q&A session. The topic of GDPR is one that is dear to our hearts. Check out some of the critical points you should be addressing here.
DISCLAIMER: All data and information provided in this blog post are for informational purposes only. Kentico makes no representations as to the accuracy, completeness, currentness, suitability, or validity of any information contained herein. We recommend consulting with a lawyer for any legal advice pertaining to GDPR compliance.