Q&A PERSONAL DATA PROTECTION (GDPR)
In many countries, laws on the protection of personal data apply. The regulations in Europe, or more specifically the European Union, are the ones garnering the most attention. This Q&A document addresses questions on personal data protection from an EU perspective. As there have been recent efforts in the EU to update personal data protection regulations in the form of the GDPR, the main focus of this Q&A document is on the GDPR.
GDPR: what is it?
GDPR is the abbreviation of General Data Protection Regulation. The GDPR replaces the European Data Protection Directive from 1995 and will come into force in May 2018. It lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. It is important to note that the GDPR is not a revolutionary departure from existing legislation, but can perhaps better be seen as a “refresh”. As CEBOS has been complying with existing legislation for years, we do not expect the GDPR to have a major impact on CEBOS’s operations.
What are the key concepts of the GDPR?
The key concepts of the GDPR are (definitions copied from the GDPR text):
- ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data …;
- ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
These definitions are all very broad. Personal data is anything from name and address data to sets of data that, as a set, can be used to identify an individual. The definition of processing is also very wide ranging: for instance, as “storage” is included in the definition, merely having personal data on a server qualifies as “processing”. Please note, however, that none of these definitions are new. The terminology stems from the 1995 Data Protection Directive.
Does the GDPR apply to CEBOS?
Yes. Depending on the activities, CEBOS qualifies as either a controller or a processor. When CEBOS processes personal data in the context of its corporate functions (HR, finance, sales, etc.), CEBOS qualifies as a controller. When CEBOS processes personal data in the context of services engagements with customers, amongst which the provision of cloud services, CEBOS qualifies as a processor. As CEBOS is a global organization and as personal data is shared outside of the EU, the GDPR, just like current privacy regulations, has a global impact on CEBOS.
What are the penalties for not complying with the GDPR?
The possible penalties for non-compliance are fines of up to 20,000,000 EUR or 4% of a company’s total worldwide annual turnover of the preceding year (whichever is higher). The fines can therefore be very substantial, and many law firms and consultancy companies use this to create a lot of hype around GDPR compliance. It is important to note, however, that the level of any fine will depend on factors such as the gravity of the infringement, its intentional or negligent character, the actions taken to mitigate damage, the categories of personal data affected, etc. While companies like Facebook and Google focus on linking personal data of the most “intimate” type and base their business model on making money off this linked data, CEBOS’s focus is on running our corporate organization and providing services to our customers, which are companies in the manufacturing space and not individuals. This is clearly a completely different company profile, with completely different risks attached for the data subjects involved. This is not to say that compliance is not important to CEBOS or its customers, of course!
What are the principles that apply to the processing of personal data?
The GDPR lists a number of principles that apply to the processing of personal data. The principles are listed below:
- ‘lawfulness, fairness and transparency’: personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject;
- ‘purpose limitation’: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- ‘data minimisation’: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- ‘accuracy’: personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- ‘storage limitation’: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- ‘integrity and confidentiality’: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The controller is responsible for, and should be able to demonstrate, compliance with these principles.
When is the processing of personal data considered ‘lawful’?
The processing of personal data is considered lawful when there is a ground for processing. Several grounds for processing are documented in the GDPR:
- the data subject has given its consent;
- processing is necessary for the performance of a contract to which the data subject is party;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
What are the obligations of a controller?
The controller is obligated to implement technical and organizational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the GDPR. The measures should take into account the nature, scope, context and purposes of processing as well as the impact this processing has on the data subject. This means that a controller must determine which personal data it is processing and then assess what the impact of that processing is on individuals. The technical and organizational measures should then be decided upon depending on the type of personal data and the impact of the processing. This means, for instance, that different requirements apply to simple contact data (name and address) than to medical data used to determine whether someone is eligible for medical insurance.
Additionally, a controller should maintain a record of processing activities under its responsibility. The record should contain:
- the name and contact details of the controller;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers to countries that do not have an “adequate level of protection” (see the question on export of personal data), the documentation of appropriate safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the implemented technical and organisational security measures.
What are the obligations of a processor?
A processor may only process data when this is documented in an agreement. The agreement must address certain topics:
- the subject-matter and duration of the processing;
- the processing should be based on the documented instruction from the controller;
- the personal data should be kept confidential;
- the processor should implement adequate security measures;
- when a sub-processor (a datacenter does, for instance, qualify as a sub-processor) is engaged, this is either subject to prior approval or, if general approval is given, the processor should be clear on who the sub-processor is and when a change is made. A sub-processor must be bound by the same restrictions as the original processor;
- assistance to the controller in complying with the GDPR requirements with regard to a data subject’s rights (e.g. the right of the data subject to access its data);
- assistance to the controller in complying with certain other requirements, such as implementing security measures and dealing with notifications of breach to a supervisory authority and to the data subject;
- deletion or return of all personal data at the end of the engagement;
- making available the information necessary for the controller to demonstrate compliance with the GDPR;
- allowing for and contributing to audits to determine the controller’s compliance with the GDPR.
- If processors are used (e.g. Workday and Concur) this should be documented (contact details, type of processing carried out, countries involved, technical and organizational measures).
A controller may only use a processor that provides sufficient guarantees around the technical and organisational measures required under the GDPR. This means that our offerings and our contracts should address and meet the above requirements.
What are the so-called “special categories of personal data”?
A stricter regime applies when processing special categories of data. The categories are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. The processing of such personal data is prohibited unless an exception applies. Relevant exceptions are, for instance, processing when required under employment and social security and social protection law. Please note that while a photograph does contain data on ethnic or racial origin, just taking or displaying a photograph does not qualify as the processing of a special category of data, unless this is done through specific technical means aimed at extracting this type of data. From this we can learn that whether processing is done systematically and with a specific purpose in mind is important.
Which security measures should CEBOS implement?
The answer to this question depends on the type of personal data and the risks associated with processing those data. The GDPR puts this as follows: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
In general, for systems containing contact data the requirements are low. For systems containing HR data the requirements will be higher, and for systems containing special categories of data even higher requirements apply. Please note that the required measures evolve with the state of the art; what is adequate today may not be adequate tomorrow. As a general note, CEBOS does not maintain systems containing special categories of data. Our focus is on contact data (e.g. in Salesforce and our customer-focused systems, such as the systems used by GCA, Support, etc.), managing internal processes (scheduling consultants, but also managing CEBOS IT, etc.) and on HR data. Please also note that, with the exception of our HR systems and perhaps our IT systems in so far as they are used to monitor users’ behavior, the disclosure of personal data from any of the systems where personal data is limited to contact data will have a very limited, if any, impact on the data subjects concerned, as this is mostly public data.
The GDPR states that adherence to approved codes of conduct or approved certification mechanisms can be used to demonstrate compliance. While no specific codes of conduct or certification mechanisms have been named, ISO certifications and specifically ISO27001 are likely to be relevant here.
What are the rules surrounding the export of personal data from the EU to other countries?
Personal data may only be exported to a third country outside of the EU if an adequate level of protection of the personal data is ensured. At the moment only a limited number of countries are deemed to provide an adequate level of protection through their respective legislative frameworks, namely Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. This means that personal data may not be exported from the EU to third countries unless some other method has been deployed to ensure an adequate level of protection. The main methods available to companies are:
- Standard Contractual Clauses (see under “What are the Standard Contractual Clauses?”)
- Binding Corporate Rules (not relevant to CEBOS, not further discussed)
- Privacy Shield (US only, see under “What is the Privacy Shield Framework?”)
What are the Standard Contractual Clauses?
The Standard Contractual Clauses are standard contracts (i.e. they may only be completed where blanks are left; the content cannot be modified) created by the European Commission which impose the various requirements from the GDPR (or actually the European Data Protection Directive, as no updated versions are available yet) on the parties by using the mechanism of an enforceable contract. The contracts contain a third-party beneficiary clause allowing the data subject to enforce the contracts directly against the contracting parties. CEBOS has deployed this method to deal with personal data transfers, e.g. in the context of performing its corporate function, between the various CEBOS entities globally.
What is the Privacy Shield Framework?
The Privacy Shield Framework has been developed by the US Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States. There are actually two Privacy Shield Frameworks, one for transfers from the EU and one for transfers from Switzerland (as Switzerland is not a member of the EU). The mechanism used is one of (self-)certification. A company has to commit to complying with the Privacy Shield principles, which are basically the principles outlined in the GDPR. If the company does not comply with the framework enforcement is possible via the FTC (unfair and deceptive trade practice), via the various European data protection authorities or via various other dispute resolution mechanisms. More information is available on http://www.privacyshield.gov/.
How does the GDPR impact the provision of (cloud) services by CEBOS?
The CEBOS solutions are focused on manufacturing companies. As such, there is no focus on personal data. However, this does not mean there is no personal data stored in the customer cloud environments. The main categories of data present in CEBOS cloud environments are access data (user names, tracking of modifications to the database) and contact information (names and addresses of our customers’ customers and suppliers). Neither of these categories of personal data poses a high risk to the rights and freedoms of the data subjects involved. As our customers have to comply with applicable data protection laws, and as there is a lot of publicity and focus on personal data protection, the topic comes up in nearly every cloud contract negotiation where a customer has a link to the EU.
Talking points in contacts with customers are:
- The type of personal data stored in the cloud environment (limited data, see above);
- CEBOS does not check what data a customer stores in the cloud environment and does not access the data unless required to deal with, for instance, a support issue;
- CEBOS’s contracts make it clear that CEBOS only uses customer data to provide services to the customer. In doing so CEBOS complies with applicable data protection regulations (see also “Has personal data processing been addressed in CEBOS customer-facing contracts?”);
- CEBOS maintains various certifications, including ISO27001; these certifications may help the customer in proving that it has taken the security requirements under the GDPR seriously;
- CEBOS has data centers in the EU, i.e. there is no need to store data outside of the EU;
- Maintenance of the cloud applications is separate from the database containing the data, i.e. there is no need to access personal data when updating the cloud applications.
Has personal data processing been addressed in CEBOS customer-facing contracts?
Yes. All CEBOS services agreements, including the cloud services agreement, have various clauses in them to address personal data processing. There is a clause on personal data processing as such and additionally there are clauses on confidentiality, return of data after termination, etc. Even though our contracts address the requirements of the GDPR and its predecessors, some customers ask for a separate data processing agreement. We do not have a problem with this in principle, as long as such separate agreements do not impose additional obligations and liabilities on CEBOS.
We may need to be clearer on the right to audit in the context of CEBOS’s cloud services offering. As our experiences to date with customer audits of our cloud environments (none of them specifically related to personal data processing) have been that they put a heavy burden on the cloud team and come at a considerable cost to CEBOS, current thinking on this topic is that audits should be limited to (1) situations where there is a regulatory requirement for the customer to audit, and (2) situations where there is good reason to believe that CEBOS does not comply with the agreement. An audit should be seen as a payable services engagement.
Does CEBOS need a Data Protection Impact Assessment?
The GDPR mentions the possibility of conducting a Data Protection Impact Assessment. The GDPR states the following: “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.” We do not believe CEBOS carries out any personal data processing, either as a controller or a processor, that is likely to result in a high risk to the rights and freedoms of natural persons and, consequently, a Data Protection Impact Assessment is not required.
Does CEBOS need a Data Protection Officer?
A Data Protection Officer is required when:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
As CEBOS does not meet any of these requirements, CEBOS does not need to designate a Data Protection Officer. The central point of contact for personal data processing questions is the EMEA Regional Counsel (Robert van Kralingen, rbv@CEBOS.com).
We have customers asking for criminal background screening. Is this permitted?
No. The GDPR is quite clear on this: “Processing of personal data relating to criminal convictions and offences or related security measures … shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.” In some countries it is possible to apply for a “declaration on behavior” for specific positions. Such a declaration will only state whether an authority deems a person fit for a certain task and will not contain any details. Examples of sectors where such declarations may be required are child care, certain positions in government bodies, etc. The above does not mean that no background screening is allowed. Asking for references, checking diplomas, etc. is permitted.
When is a notification of breach required?
A personal data breach should be notified by the controller to the supervisory authority without undue delay, but in no event later than 72 hours after it has occurred. The breach should also be communicated to the data subject. However, if a breach is unlikely to result in a risk to the rights and freedoms of natural persons, no notification is required. For instance, in the case of simple contact data (e.g. contact data for suppliers and customers), it is unlikely that a breach with regard to such data will impact the rights and freedoms of natural persons. If a processor becomes aware of a personal data breach, the processor should notify the controller.
Which steps has CEBOS taken to comply with the GDPR?
The CEBOS customer-facing services agreements contain clauses on personal data processing and address all major areas of compliance. CEBOS will work with customers if customers have additional requirements, such as a separate data processing agreement, provided such additional requirements do not impose undue burdens on CEBOS.
Contracts between CEBOS and suppliers contain confidentiality clauses and various other restrictions, and the most important CEBOS suppliers (Workday, Salesforce, Viawest, IBM) are certified under the Privacy Shield Framework (Concur has apparently not done this).
CEBOS maintains various certifications, including various ISO certifications, which may help CEBOS in demonstrating compliance.
In which areas could CEBOS improve?
CEBOS is in good shape when it comes to compliance with the GDPR and its predecessors. As CEBOS’s business model is not focused on making money from the processing of personal data, and as the type of personal data processed by CEBOS does not fall into the category of sensitive or special personal data, the GDPR does not pose many additional requirements over the previous regulations which were based on the 1995 European Data Protection Directive. Nevertheless, there is always room for improvement:
- Even though all elements are available in the form of the various documents indicated under “Which steps has CEBOS taken to comply with the GDPR?” above, at the moment there is no overarching record of processing activities under CEBOS’s responsibility (see under “What are the obligations of a controller?”).
- Although we have various policies around use of CEBOS IT in place (acceptable use policy, etc.) it is not completely clear to end users which personal data is collected and for which purposes it is used.
- We should always remain vigilant and be careful when requesting people to cooperate with certain HR or other initiatives (i.e. in situations where processing of personal data is based on “consent”). For instance, does a CEBOS employee freely consent to the processing of his or her personal data in the context of a new initiative or does he or she consent under pressure from a manager or for fear of being regarded negatively if he or she does not participate in the initiative?
- Although our various supplier agreements do contain the main elements required to be compliant with the GDPR, it would make sense to explicitly ask for commitment to the GDPR and its principles around data processing. In the policy on contracts with suppliers that are relevant to CEBOS’s cloud offerings, this has been integrated as part of the standard process (the policy is still under internal review).
- The CEBOS customer facing agreements cover the various requirements under the GDPR. Some further focus on audits and audit language is required though (see under “Has personal data processing been addressed in CEBOS customer-facing contracts?”). Another area of attention is notification of data breaches and cooperation with customers to ensure a customer’s compliance with the GDPR. Both topics are currently not specifically addressed in our services agreements.
- Our communication on sub-processors CEBOS uses to provide services to customers, such as data centers, is not fully coordinated. While we share information with customers on request, it is not provided as a standard.
- A solution like encrypting a cloud database at rest and making it inaccessible to the people maintaining the cloud applications that operate on the database may further help to put our customers’ minds at rest. It may be possible to implement other IT solutions where access to personal data is further restricted.