2.3.2016

How to Prepare for the Requirements of the EU’s New General Data Protection Regulation

How does the new European General Data Protection Regulation affect our company? How should we prepare ourselves?

Many companies have probably already asked themselves these questions following the political consensus that was reached on the content of the EU’s new General Data Protection Regulation in December 2015.

It’s best to take the new regulation seriously: it gives the national supervisory authorities the power to impose penalties of up to tens of millions of euros for non-compliance with the requirements of the regulation. Below we have listed the things that every company should take into account before the new regulation comes into effect.


Rights of the Individual Will Improve

Almost every company processes personal data. There are a lot of different personal data filing systems, such as customer registers, different kinds of marketing registers and, of course, registers that include employee-related information. A person whose personal data is stored in a filing system is called a data subject.

The current Personal Data Act already provides the data subject the right of access to information related to him or her and the right to demand that the information be either corrected or deleted from the filing system. The new regulation will retain these old rights, but will give the data subject even stronger control to his or her information. In future, companies will have to, for example, provide the data subject with more information in a more transparent and clear form regarding the purpose and the means of processing their personal data.

The regulation will also introduce new rights, such as the right to data portability and the right to object to profiling. The right to data portability enables the transmission of personal data between controllers without intermediaries. In some circumstances, the right to object to profiling means that the data subject would have the right to refuse to be the object of decisions evaluating his or her personal features, if such decisions are based solely on automated data processing, in other words on processes without human intervention. Examples of profiling include the automatic rejection of an online credit application or the use of electronic recruiting without any human contribution to the process.

Assess the Current State of the Personal Data Processing and Related Risks

In a data protection impact assessment (DPIA), the necessity of and the risks involved in the processing of personal data are assessed, together with the ways these risks could be minimised and managed. Even though it is not compulsory for all companies to carry out a DPIA, it is still recommended to conduct some kind of assessment of the present situation in your company in light of the forthcoming Data Protection Regulation.

At a minimum, the following questions should be answered:

1. What kind of personal data do we process?

2. Is our processing in line with the new Data Protection Regulation?

3. How do we inform the data subjects of the processing of their personal data?

4. What methods, processes or documents should we amend or create because of the new regulation?


Appoint a Data Protection Officer for Your Company

The new Data Protection Regulation obliges some entities to appoint a data protection officer. This obligation applies to the public sector and to companies whose core activities consist of the large-scale systematic monitoring of data subjects or the large-scale processing of sensitive data. Even though appointing a data protection officer is not obligatory for all companies, it is still recommended to give one department the responsibility for handling data protection matters and properly monitoring compliance with regulations. Depending on the company, suitable departments could be the legal department, data administration, the HR department or internal control.

A data protection officer needs to have expertise in the field of data protection regulations as well as knowledge of how such regulations are implemented in the company’s activities. The role of the data protection officer within the company is independent, and she or he needs to report directly to the company’s highest management. In addition, the tasks of the data protection officer include instructing and training the personnel, ensuring that day-to-day activities comply with the data protection regulation and acting as the company’s liaison to authorities and data subjects. In an ideal situation, the data protection officer enables and develops business activities.

Personal Data Breach Notification Now Mandatory

Personal data breaches are a real challenge, and maintaining the trust of clients is ever more important in the digitalising world. The new regulation obliges companies to inform both the authorities and the relevant data subjects of data breaches. The time for making the notification is relatively short: the notification should reach the authorities within 72 hours of the detection of the data breach, and the data subjects should be informed without undue delay. Therefore, companies need to have the ability to detect data breaches, notify the relevant parties and minimise the damage.

Review Agreements with External Data Processors

The Data Protection Regulation requires that written agreements be made with external service providers who process personal data. The regulation sets certain content requirements for such agreements. If your company has outsourced data processing to a third party, it is recommended that you check these agreements and make sure that they are in line with the new regulation. Such external data processors can, for example, include the company’s payroll administration, a cloud service provider or an external sales company.

Act Now!

The General Data Protection Regulation will come into effect once it has been formally adopted by the European Parliament and has been published in the Official Journal of the European Union. That will be followed by a two-year transition period, after which companies will have to comply with the requirements of the regulation. The regulation is expected to be applicable as of spring 2018. As the regulation establishes new obligations for companies, it is advisable to start planning compliance with them as soon as possible. Evaluating the legality of the present situation is a good starting point.

To find out more about the data protection regulation and the following key changes, please read our previous publication on the matter.
