What else does GDPR require?
In this series of articles we have attempted to go through all of the major areas covered by the Regulation. However, there are a few more which did not quite fit into any of the categories discussed so far, and so we will go over them here.
Joint controllers (Article 26)
The Regulation provides for the situation where multiple data controllers work together to determine the means and purposes of processing - in this case they are joint controllers. Data subjects may exercise their rights against and in respect of each of them.
Joint controllers should determine between them their respective responsibilities under the Regulation. The “essence” of this arrangement should be made available to data subjects.
Data protection officers (Articles 37 to 39)
In certain cases, data controllers and data processors are required to designate someone with “expert knowledge” of data protection law as a data protection officer. In all other cases, organizations may decide to do so anyway.
A data protection officer must be appointed where:
- The organization is a public authority or body.
- The organization’s core activities involve regular, large scale and systematic monitoring of data subjects.
- The organization’s core activities involve large scale processing of special categories of data or data relating to criminal convictions and offences (as defined in Articles 9 and 10 - see our article on lawful grounds).
The data protection officer’s job is to be an independent guide to GDPR and other data protection legislation. In particular, they must advise on and monitor the performance of data protection impact assessments (see below). They will also act as the point of contact for the supervisory authority and data subjects regarding data protection issues.
The data protection officer may be an employee or someone working under a service contract. They must report directly to the organization’s highest management level and must be someone to whom the organization and its employees will have easy access. The officer may have other duties but these must not cause a conflict of interests.
If an organization appoints a data protection officer, it must also do the following:
- Ensure that they are involved in all data protection issues.
- Support them in their duties and make sure that they have the necessary resources, training and access to data and processes to do their job properly.
- Refrain from instructing them in how to perform their duties (so that they remain independent) and in particular refrain from penalizing or dismissing them for doing so.
- Ensure that they are bound by confidentiality in the performance of their duties.
- Publish their contact details and communicate them to the supervisory authority.
Impact assessments and consultation (Articles 35 and 36)
Key Point: Before starting any processing which is likely to result in a high risk to people’s rights and freedoms, you must carry out a data protection impact assessment.
Supervisory authorities will start drawing up lists of the kinds of processing activities this covers, but the Regulation makes clear that it will include:
- Processing which is automated and extensive, and which will have legal (or similarly significant) impacts on people’s lives.
- Large scale processing of special categories of data or data relating to criminal convictions and offences.
- Systematic and large-scale monitoring of publicly accessible areas.
At minimum, any appointed data protection officer (see above) should be asked to advise on the impact assessment - in most cases, they are likely to be tasked with drafting it or supervising the drafting. Where appropriate, you should ask for the views of data subjects on the intended processing. The assessment must include:
- A description of the processing.
- Details of the legitimate interest pursued (where appropriate).
- An assessment of how necessary and proportionate the processing is given its purposes.
- An assessment of the rights and freedoms at risk.
- Details of the proposed measures and safeguards to be implemented to address the risks, protect personal data and demonstrate compliance with the Regulation.
Where the assessment finds that the processing would indeed pose a high risk in the absence of measures and safeguards, you must also consult the supervisory authority before starting. You should provide them with the impact assessment as well as details of the means and purposes of the processing, the proposed measures and safeguards to be implemented, the respective responsibilities of data controllers and processors, the contact details of the data protection officer and any other information requested.
If it believes the intended processing will infringe the Regulation, the supervisory authority will provide written advice, and may issue a warning, prohibit the processing or use any of its other powers (see our article on penalties). It should do this within eight weeks (which can be extended by up to six weeks by notice).
Transfers abroad (Articles 44 to 50)
The Regulation imposes specific requirements wherever personal data is to be transferred outside of the EU or to an international organization (even if it is already held outside of the EU). This is to ensure that the data is only sent to places where it is adequately protected.
Such transfers should only take place where at least one of the following applies:
- The EU has decided that the non-EU country, the specific sector of that country or the international organization ensures adequate protection (an “adequacy decision”). This currently covers countries such as the US (under the Privacy Shield framework), Switzerland, New Zealand and Israel.
- The data controller or processor has put in place appropriate safeguards and data subjects have effective legal remedies to uphold their rights. This is a complex area and the standards are rigorous, so you should consult with lawyers if you are interested in relying on this.
- The data subject has explicitly consented to the transfer after being informed of the possible risks in the absence of an adequacy decision or appropriate safeguards.
- The transfer is necessary for performance of a contract with the data subject or pre-contractual measures requested by the data subject.
- The transfer is necessary for important reasons of public interest.
- The transfer is necessary to establish or exercise legal claims or defences.
- The transfer is necessary to protect the data subject’s (or another person’s) vital interests, and the data subject is incapable of giving consent.
- The transfer is from a public register (where permitted under EU or national law).
- The transfer is necessary to protect the organization’s legitimate interests, where these are not overridden by the interests, rights and freedoms of the data subjects. However, see further below.
The legitimate interests’ ground is further constrained by the following requirements: (i) the transfer must not be repetitive and concern only a limited number of data subjects, (ii) the transferring organization must have assessed the circumstances and put in place suitable safeguards, and (iii) the data controller must inform the supervisory authority and data subjects of the transfer, explaining the compelling legitimate interests in question.
Further information on some of these requirements (explicit consent, performance of a contract, vital interests and legitimate interests) can be found in our article on lawful grounds for processing.
Certification and codes of conduct (Articles 40 to 43)
The Regulation encourages and expects regulatory bodies and other associations to create data protection codes of conduct and certification procedures. Hopefully, these will flesh out some of the vaguer parts of the Regulation, although there is a risk that it will lead to substantial differences in different EU countries.
Once they are in place, certification and adherence to codes will go a good way towards demonstrating compliance with the Regulation, but they will still only act as guides. Attempts to comply with codes only in a technical sense while violating the spirit of the Regulation are unlikely to endear organizations to supervisory bodies.
Having gone through the miscellaneous provisions above, we have now covered all of GDPR’s main requirements. We will finish this series with a checklist overview of your responsibilities as a data processor or data controller.
Get all 10 articles in our series about GDPR in our e-book for free by clicking the link below: