17.12.2015

Finally Agreed – New EU Data Protection Regulation Is Here!

Privacy professionals received a real Christmas present on 17 December when the LIBE committee voted on and confirmed the content of the new General Data Protection Regulation (GDPR). The regulation will be formally adopted early next year and will thus enter into force after a two-year transition period in 2018.

The GDPR sets forth several new obligations for data controllers and processors, e.g. companies who process personal data in their businesses, and enforces them with substantial administrative sanctions up to EUR 20 million. This requires the companies to adjust their activities to the new requirements in the next two years. Since many of the obligations may require establishing new internal processes and positions in the company, we recommend starting the preparations immediately.

Some insights from the regulation’s main obligations:

Applicability of the GDPR: The GDPR applies to all processing of personal data, meaning any operation performed upon identifiable information of an individual (data subject) within the EU. In addition, the GDPR applies to the offering of goods and services in the EU and to the monitoring of data subjects’ behavior within the Union, regardless of the location of the company.

Consent for processing: When the processing is based on the consent of the data subject, the consent must be freely given, specific, informed and unambiguous. A clear affirmative action of the data subject, such as ticking a box themselves, is required. Explicit consent is required for processing special categories, e.g. sensitive data such as political or religious opinions or genetic data.

Children in social media: The processing of personal data of children in information society services requires consent from their parents. The GDPR leaves it up to EU member states to decide at which age between 13 and 16 children are capable to give consent themselves.

Rights of the data subject: Companies have to inform data subjects in clear and plain language about the processing of their personal data. In addition, the data subject is entitled to access data concerning him or her as well as have inaccurate data deleted or completed. Furthermore, data subjects can object to the processing of their personal data, which requires the controller to cease processing if the controller has no compelling legitimate interest to continue processing.

Right to be forgotten: The data subject can have his or her personal data erased if the data is no longer necessary or if legal grounds for processing no longer exist.

Data portability: Data subjects have the right to receive their personal data in a structured and commonly used machine-readable format so that they may transfer the data between service providers.

Profiling: The regulation defines profiling as processing of personal data consisting of using the data to evaluate, analyse or predict the behaviour or other aspects of an individual. Data subjects have the right to not be subject to profiling based on purely automated means when that produces legal effects on them, for example, refusing a credit application online.

Data processors: A written contract specifying the duties of both parties is required between the data controller and processor. Controllers are, thus, advised to review their existing agreements in order to verify their compliance with the GDPR.

Data breach notification: Data controllers have to notify the supervisory authority of data breaches no later than 72 hours after becoming aware of an incident, if the breach likely poses a risk to the rights and freedoms of individuals. A data processor has the obligation to notify the controller on behalf of which it is processing personal data. The controller also has to inform data subjects if it is likely that the breach results in a high risk to their rights and freedoms.

Data protection impact assessment: An assessment of the risks of data processing poses to individuals’ rights and freedoms is required when the processing consists of profiling, concerns sensitive data or includes large-scale monitoring of publicly accessible areas. In addition, national Data Protection Authorities (DPAs) may list other processing operations requiring an assessment.

Data Protection Officer (DPO): The controllers and processors are obliged to designate a DPO if the core activities of the company consist of processing that, by nature, scope or purpose, requires regular and systematic monitoring of data subjects on a large scale or processing of sensitive data and data related to criminal convictions on a large scale. Public authorities are required to appoint a DPO. The DPO needs to have expert knowledge of data protection law and practices and he/she can be either a staff member of the company or the task can be outsourced to a service provider. However, the DPO may fulfil other duties in addition to the position. The DPO’s tasks include monitoring the compliance with the regulation and to fulfill its obligations in the activities of the company.

Transfers of personal data: Transfers of personal data from the EU to third countries can only take place when the destination country is defined as having an adequate level of data protection by the European Commission, if appropriate safeguards such as Binding Corporate Rules or Standard Data Protection Clauses are applied or if specific derogations, such as the data subject’s explicit consent, exist. The grounds for transfers were not changed compared to the current legislation

One-stop-shop: While multinational data controllers are currently obliged to consult national Data Protection Authorities (DPA) in every country it does business, the GDPR launches a one-stop shop system where the DPA of the country where the controller’s main establishment in the EU is located acts as the lead supervisory authority. The lead supervisory authority coordinates the proceedings. However, the supervisory authorities will communicate in cross-border cases, and they may enforce decisions made by the lead supervisory authority. In addition, data subjects are entitled to lodge complaints on data processing in their own member state irrespective of the country where the company is established.

Administrative sanctions: The regulation empowers data protection authorities to impose administrative fines on companies for non-compliance with the regulation. The sanctions come in two categories. A fine up to a maximum of EUR 10 million or 2% of the total worldwide annual turnover of the company, whichever is higher, can be imposed for smaller infringements of the obligations of the controller and processor, for example, not appointing a DPO or not carrying out a data protection impact assessment. A higher fine up to a maximum of EUR 20 million or 4% of the turnover is possible in more serious cases such as infringements of the basic principles of processing, data subjects’ rights or international transfer rules.

The text of the regulation as agreed in the trialogue is available at: http://static.ow.ly/docs/Regulation_consolidated_text_EN_47uW.pdf

We strongly advise you to start reviewing the existing data processing activities in order to be prepared for the new requirements in time. Our data protection and privacy experts have conducted privacy compliance audits over the years for several major Finnish companies in different industries. We have redeveloped our privacy toolkit to assist our clients with the new requirements of the GDPR.

We will have Data Protection breakfast seminars on 14 January 2016 and 16 February 2016 (a separate invitation will follow) where we will discuss the content of the GDPR in more detail.

If you have any questions or concerns, please let us know. We wish you happy holidays! 

 

 

Latest references

We represented Voima Ventures in the Series A funding round of Aisti Corporation. Aisti’s EUR 29 million funding round will support the construction of its first commercial factory in Kitee, Finland, enabling the company to scale production. Other investors include Maki.vc and Valve Ventures Consortium among others. Voima Ventures is a venture capital fund investing in top scientific deep tech ventures in the Nordics and Baltics. Aisti Corporation is an acoustic tiles manufacturer with sustainability and functionality at heart. Aisti’s acoustic tiles are made from highly renewable wood fibres. With the factory in Kitee, the company plans to achieve a production capacity of 2.5 million square meters annually.
Case published 13.12.2024
We are acting as Finnish advisor to Hanza AB relating to its acquisition of all the shares in Leden Group Oy. Hanza AB is a Swedish mechanical engineering and electronics contract manufacturing company listed on the Stockholm Stock Exchange. Founded in 2008, the company has six manufacturing clusters in Sweden, Finland, Germany, Baltics, Central Europe and China and an annual turnover of approximately SEK 4.6 billion. Leden Group is a leading Finnish contract manufacturer specialising in sheet metal, machining and complex assembly. Leden Group has four production sites in Finland and one in Estonia and an annual turnover of approximately SEK 1.1 billion.  The closing of the transaction remains subject to authority approval and customary conditions.
Case published 13.12.2024
We assisted Smarter Contracts Ltd in the process where the Finnish Transport and Communications Agency Traficom confirmed it to be an EU-recognised data intermediation service. Non-EU companies must have a legal representative in some EU country so that they can offer data intermediation services in accordance with the Data Governance Act. Smarter Contracts is based in Great Britain and selected Finland for the task. Smarter Contracts is the first non-EU data intermediation service registered by Traficom. Wayne Lloyd, Founder & CEO of Smarter Contracts, remarked:  The support from the Castrén team was exceptional from start to finish. Pioneering new territory is never without its challenges, and as the first non-EU data intermediation service provider, we faced significant legal uncertainties. Despite these complexities, the Castrén team expertly guided us through each step with remarkable efficiency, providing the certainty we needed. Smarter Contracts leverages its proprietary Pulse Permissions Protocol® to deliver advanced consent and access rights management services. This milestone highlights Castrén & Snellman’s proficiency in navigating intricate regulatory landscapes, whilst recognising the relevance of Smarter Contracts’ innovative approach to secure, compliant data management.
Case published 11.12.2024
We assisted Pharmaca Health Intelligence in its acquisition of Mediaattori Ltd’s PODIUM Connect® and PODIUM Visits businesses. Through the acquisition, Pharmaca Health Intelligence strengthens its extensive service offerings in medical information, data-driven management, and education for both healthcare and pharmaceutical companies. Pharmaca Health Intelligence is a pioneer in digital medical information and a reliable partner for wellbeing services counties, the private healthcare sector and pharmacies. The company invests in the development of technology and service solutions related to pharmaceutical information, also on an international scale.
Case published 5.12.2024