General Data Protection Regulation Guide - jonesday.com



Disclaimer: Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. The mailing/distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.

TABLE OF CONTENTS
Introduction 1
Scope 2
Legal Bases for Data Processing 3
Rights of Individuals 5
Accountability and Governance Mechanisms 7
Data Processor Obligations and Agreements 9
Data Security and Personal Data Breach Notification 11
Codes of Conduct and Certifications 12
Cross-Border Transfers of Personal Data 14
Supervision by DPAs 16
Remedies, Liabilities and Sanctions 17
Glossary 19
Contact Information 21

INTRODUCTION

In May 2016 the European Union (“EU”) published the EU General Data Protection Regulation (“GDPR”). This major piece of legislation represents the most significant change in EU data protection law since 1995. It will apply in all EU Member States as of 25 May 2018.

The GDPR is a far-reaching legal instrument that will have a significant impact on all companies involved in the processing of personal data, including many outside the EU. It will increase the penalties for noncompliance, with fines of up to €20 million or 4 percent of annual worldwide turnover. In addition, supervisory authorities will have a number of broad
should review the GDPR and begin preparing for compliance with the new legal framework for data protection in the EU. This Guide, by providing a brief overview of the new rules imposed by this legislation and the key changes it will make, will help users prepare for the GDPR.

The Guide also includes a short glossary of terms used in the GDPR, and each section sets out a short to-do list for compliance. The Guide will shortly be followed by further guidance, briefings and practical checklists on the GDPR. We hope that you find this Guide a useful tool. Please contact any of the lawyers listed on page 21 if you would like to receive further

SCOPE
ARTICLES 2 AND 3

Quick Overview
The GDPR applies to the processing of personal data that is automated or part of a filing system. The application and territorial scope of the GDPR are both broader than those of the European Data Protection Directive (“Directive”).

Application
The GDPR applies to both data controllers and data processors. The GDPR does not apply to a limited number of areas, such as processing for purely personal or household activity.

Territorial scope
The GDPR applies to processing:
- In the context of an establishment in the EU; and
- By a data controller or data processor not established in the EU of data subjects in the EU that relates to:
  - The offering of goods or services to such data subjects; or
  - The monitoring of the behavior of data subjects.

Steps
- Identify relevant processing of personal data.
- Confirm which establishments in the EU process personal data and where processing relates to situations in which goods or services are offered in the EU or data subjects in the EU are monitored.
- Assess whether processing is done as a controller or processor.
- Determine whether an EU representative is

LEGAL BASES FOR DATA PROCESSING
ARTICLES 6, 7 AND 8

Quick Overview
The legal bases for processing personal data under the GDPR are largely the same as those under the Directive. However, the GDPR sets new restrictions for consent, for processing based on legitimate interests and for processing for additional purposes.

Legal bases for processing personal data
The legal bases for processing personal data under the GDPR are:
- When the data subject consents; and
- When processing is necessary:
  - For the performance or negotiation of a contract with the data subject;
  - To comply with a legal obligation;
  - To protect the vital interests of the data subject or another person when the data subject is incapable of giving consent;
  - For the performance of a task carried out in the public interest or the exercise of official authority; and
  - For the purposes of legitimate interests (but subject to fundamental rights and freedoms).

New restrictions for consent, processing based on legitimate interests, and processing for additional purposes
For processing based on consent, the controller must be able to prove that consent has been freely given by the data subject, and the request for consent must be clearly discernible. The GDPR provides clarification on when legitimate interests can be relied upon as a basis for processing (e.g., direct marketing, preventing fraud, sharing personal data within a group of companies for internal administration, ensuring network and information security) and requires the controller to inform the data subject when it is relying on the legitimate-interests basis for processing. The GDPR provides a list of criteria to be considered when determining whether the processing of data for a new purpose is compatible with the original purpose for which the data was

Steps
- Assess the legal bases for current processing and check that they remain valid under the GDPR.
- Ensure that consent has been given in accordance with the new requirements and that the controller can demonstrate this.
- When relying on legitimate interests, ensure that:
  - The balance of the interests against the data subject's rights is documented; and
  - When a controller relies on legitimate interests as the basis for processing, this fact is included in the information provided to the data subject.
- Ensure that internal governance processes document the reasons behind decisions to use data for further processing.

RIGHTS OF INDIVIDUALS
ARTICLES 12 TO 17, 19, 20 AND 21

Quick Overview
Data controllers must be more transparent with data subjects, who have increased rights to access their data and important new rights to require rectification or erasure of their personal data and to restrict further processing.

Notices
Individuals must be given information about how their data will be processed, including details pertaining to:
- The controller's identity and contact information;
- Any data protection officer;
- The purposes and legal basis for processing;
- Any legitimate interests relied upon as the basis for processing;
- Any international transfers and applicable safeguards;
- The retention period or criteria for determining it;
- The right of data portability and the rights to object to processing, to require restriction and to withdraw consent to processing;
- The right to complain to a supervisory authority; and
- Any statutory or contractual requirement to provide data, as well as the consequences of not providing it.

The information:
- Must be concise, transparent and intelligible;
- Must be in an easily accessible form; and
- Must use clear and plain wording, particularly when addressed to

When data is obtained directly, the controller must explain what information is mandatory and the consequences of not providing it. When data is obtained indirectly, the controller must give the source of the information, including publicly accessible

Access right
Data subjects have the right to obtain copies of their personal data, along with key details about how the data is processed. Individuals have increased rights to access their data. Controllers cannot charge a fee but can make a reasonable administrative charge for additional copies.

Individuals must be given details concerning international disclosures; retention periods; the rights of rectification, erasure, and restriction of processing; and the rights to object to processing and to complain to a supervisory authority. Controllers must disclose any third-party source of data and the significance and consequences of any processing based on automated

Data subjects' rights
Data subjects have important rights in relation to their personal data, including the following:
- The right to require rectification of personal data without undue delay and the right to have incomplete personal data completed;
- The right to erase personal data (“right to be forgotten”) when processing is no longer necessary, consent is withdrawn, legitimate interests no longer apply, processing is unlawful, or erasure is required by law, and the controller must take reasonable steps to inform other controllers if it has made such data public.
