Data sharing with third parties (City, University of London guidance)

Data Protection (DP) law requires certain standards and obligations to be met when third parties, such as data processors, process personal data and/or special categories of personal data on City's behalf. Even where a third party carries out the processing, City may still be legally responsible for how that personal data is processed if it determines the manner and the purpose of the processing in its capacity as data controller.

There are three situations in which you might be sharing data with third parties:

- Using a third party (e.g. a supplier) to process City personal data on behalf of City (a data processor);
- Working with an organisation that independently decides the purposes of processing shared personal data (an independent controller);
- Working with a joint controller, who has a common objective with City regarding the processing (a joint controller).

Knowing whether the parties are joint controllers or independent controllers, and whether either of them may be a processor (or sub-processor) for any of the data processing activities, is vital to understanding the obligations of the parties under the DP legislation regime. More information about the designation of parties is available on the Information Commissioner's Office (ICO) website.

Using a data processor

- Be aware that City has a higher level of responsibility under DP law for the data processor's actions.
- We must have a written agreement in place with the data processor, outlining our respective DP obligations (per Article 28 of the GDPR). Contracts or data processing agreements with processors must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of City as data controller.
- Ensure that the data processor has appropriate organisational and technical security measures in place to protect the personal data.

Data Sharing Agreements (independent and joint controllers)

- Consider and document the lawful basis for sharing, including any conditions for processing special category data.
- Put in place a written contract between City and the third party (in the form of a Data Sharing Agreement).
- Ensure that the written contract outlines the responsibilities for compliance with data protection laws, including responsibility for putting appropriate security measures in place to protect personal data and for ensuring that data subjects know how their data is being processed.
- Consult with the Information Assurance Team by email.

At present, it is unclear to what extent, and in what circumstances, a disclosing controller might be held liable for security failings by a receiving controller that is also subject to the DP legislation regime. Each controller should therefore seek to put in place clear, robust and enforceable written contractual provisions (before any processing) to govern the processing of personal data. While data sharing agreements may be drafted as stand-alone contracts (sometimes also called information sharing agreements, data or information protocols, or personal information sharing agreements), it is also common to see data sharing provisions addressing such matters incorporated into a broader commercial agreement.

The data sharing arrangements must be drafted and structured so that each controller can comply with its own obligations under the GDPR (such as having policies and procedures that allow individuals to exercise their data subject rights with ease, and responding correctly to requests to exercise those rights). That controllers must be responsible for, and be able to demonstrate, compliance with the GDPR's data protection principles is one of the most significant changes introduced by the GDPR.

What a data-sharing agreement should contain

Each controller must always document a clear objective or set of objectives, and it is good practice to record this in the data sharing agreement. Establishing the objective will help the parties decide what data needs to be shared and with whom, and to comply with their obligations under the DP legislation. If the objective could reasonably be achieved in a less intrusive way, the personal data should not be shared. Each party should also consider whether the other parties to the data sharing arrangement are the most appropriate. DP law should not, however, be viewed as a barrier to sharing: you should give equal weight to the consequences of not sharing the data.

Before sharing, each party should consider:

- the source, data collection methods, accuracy and currency of the data it is considering sharing;
- whether it has a lawful basis to share the data;
- whether the data sharing will comply with data protection and other laws;
- whether the recipient understands the nature and sensitivity of the personal data;
- whether appropriate technical and organisational security measures are in place;
- the adequacy of the recipient's other policies and procedures;
- the extent to which its processes, procedures and IT, protective marking or other systems are compatible with those of the recipient (e.g. that data will not be shared on unencrypted memory sticks and that the organisation has appropriate systems in place).

The controller should take the following steps when sharing or receiving personal data, as appropriate to the circumstances:

- Confirm the purpose of the data sharing and when it should occur.
- Confirm which laws apply to the data sharing.
- Consider whether it is possible to strip out unnecessary personal data and still achieve the purposes, e.g. by anonymising the personal data, in which case the data may not be personal data at all and therefore fall outside the scope of the GDPR.
- Ensure the other controller is only provided with the minimum personal data necessary to achieve the agreed purpose, and that it is transferred securely (e.g. not on an unencrypted USB stick) so as to minimise the risk of the recipient party being in breach of its own obligations under the DP legislation.
- Consider whether a formal Data Protection Impact Assessment (DPIA) of the proposed data sharing is required under the DP legislation. The ICO recommends considering a DPIA even where one is not strictly required, and it is good practice to carry out a full DPIA for any major project that involves the disclosure of personal data or any routine data sharing.
- Ensure that data subjects have been provided with all required information regarding the processing of their personal data (e.g. via a privacy notice). Each party must ensure appropriate mechanisms have been put in place to comply with transparency obligations. If the parties are undertaking ongoing routine or systematic sharing, consider agreeing a standard privacy notice / consent form which sets out appropriate fair processing information to allow each party to use the personal data as intended.
- Document the relevant (additional) lawful basis for processing.
- Document how long shared data should be retained. Consider including retention schedules in the agreement setting out how long different types of personal data can be kept.
- Ensure that the controller's own processing of personal data and internal processes comply with the requirements of DP law. Controllers must take into account the state of the art and costs of implementation when determining what security measures are appropriate in the circumstances.

The agreement should also:

- explain what to do when an organisation receives a request for access to shared personal data or other information;
- ensure that one staff member (generally a DPO) or organisation takes overall responsibility for ensuring that the individual can gain access to all the shared data easily;
- in the case of joint controllers, state which controller is responsible for responding to individuals who exercise their data subject rights (although individuals may choose to contact any controller).

Example of principles / requirements under the GDPR and of action to take (where applicable to the party):

Principle: lawfulness, fairness and transparency. Action: document the lawful basis for the sharing and ensure that data subjects have been given the required fair processing information (e.g. via a privacy notice).

EU controller to non-EU or EEA controller

Personal data may be transferred to a controller outside the EU or EEA:

- With the explicit consent of each individual whose personal data is being transferred;
- If there is a written contract in place that includes Standard Contractual Clauses (SCCs) approved by the European Commission;
- If the company to whom the personal data is being transferred has Binding Corporate Rules (BCRs) approved by the European Commission;
- If an international transfer is to the US and the third party in the US is,
- If the country that the data is being transferred to has an.

The European Commission has also issued one set of contractual clauses for data transfers from controllers in the EU to processors established outside the EU or EEA. The ICO has also issued clause-by-clause guidance on how SCCs work.

Data Protection Representatives (DP Reps)

Data Protection Representatives (DP Reps) are your first port of call for any data protection queries you may have.

GDPR: consent and legitimate interests

Posted on 13 November 2015 (updated 4 March 2016).

One of the most hotly debated issues of the new General Data Protection Regulation (GDPR) is that of consent. The controversy arises from the proposed stricter requirements for consent and reforms to the so-called legitimate interests grounds.

During the drafting process, the Commission proposed (and the Parliament agreed) that consent should always be explicit, freely given, specific and informed. Instead, the explicit consent requirement applies when relying on consent in the context of processing sensitive personal data (as is the case under the Directive today). The GDPR also establishes other requirements, which include the need for consent to be (i) informed, (ii) freely given, (iii) expressed through a clear affirmative action and (iv) clearly distinguishable from other matters. In addition, the GDPR requires companies to demonstrate that they have effectively obtained users' consent, which could imply a significant practical burden on businesses. Extra requirements are also set out in relation to obtaining the consent of minors.

Some DPAs have taken a more restrictive approach to purpose limitation: for example, the Spanish data protection regulator considers that personal data should only be processed for the purposes for which it was collected, with very limited exceptions. Nevertheless, the Directive offers a business-friendly approach that has been somewhat redefined by the GDPR. During the drafting process of the GDPR, the Commission and Parliament suggested individuals' data can only be processed: (i) for a purpose to which they have consented; or (ii) for such legitimate interests of the controller or relevant third parties as individuals could reasonably expect. On the other hand, the Council proposed a more business-orientated approach, which would allow controllers and processors alike to process data on the legitimate interests ground even for purposes that are incompatible with the original purposes of the processing, provided that the interests or the fundamental rights and freedoms of the individual are not overriding.

This development will undoubtedly have a material business impact. For example, where processing is based on the legitimate interests ground, businesses will need to inform the individual (e.g. in their data protection notices) about the legitimate interests upon which they are seeking to rely. The legitimate interests of the business or the third party must be balanced against any prejudice to the rights and freedoms or legitimate interests of the individual whose data is being processed.

Example: sharing a client list for direct marketing

Mrs. A and Mr. B each collect data from their respective customers. Mr. B's client database has few entries and not many people walk into his shop. As far as specific consent was given for the purpose of transmitting the data to other recipients for their own direct marketing, Mrs. A can send the client list to Mr. B. No data can be sent about an individual who objected to the processing of their personal data. Your company/organisation must also ensure that the list or database is up-to-date and that you don't send advertising to individuals who objected to the processing of their personal data for direct marketing purposes.