European Gaming Lawyer magazine EGL_Spring2017_opt - Page 11

For private entities options (1), (2) and (3) are most relevant. However, the requirements for option (1) have increased. Art. 7 provides that if the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of the Regulation shall not be binding.
Moreover, any data processing shall follow the six principles laid down in Art. 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; integrity and confidentiality.
2. Sanctions, additional Powers for Supervisory Authorities
It has been the intention to increase awareness of data protection issues and to make data protection a high-level management issue. Under the GDPR, Supervisory Authorities will have the power to issue fines of up to 4 % of the turnover or 20 million €, whichever is more (Art. 82 subsequent). Regarding group companies, it is likely but not completely clear that the turnover of a group and not of the company involved constitutes the calculation base for the fine (Art. 4 No. 18 and 19, Recital 150). This substantial amendment is accompanied by additional powers of Supervisory Authorities, like the possibility to demand information from data processors and controllers or to perform audits.
3. Extra-territorial Applicability, Obligation to appoint a Representative
The extension of the territorial reach of the GDPR constitutes one of the most fundamental legal changes. Under the old Data Protection Directive (Art. 4) and its adoption into national law, the applicability of data protection law, generally speaking, was related to an establishment in the EU and not too clear. [1] The new GDPR clearly provides that it is also applicable to all data processing activities of controllers or processors not established in the Union provided that the data processing activities are related to offering goods or services to individuals in one or more Member States in the Union (Recital 23, Art. 3). It also applies to controllers or processors not established in the Union when data processing is related to the monitoring of the behaviour of individuals located in the Union in so far as their behaviour takes place within the Union (Recital 24). What is more, controllers or processors established outside the Union are obliged to appoint a Representative in the Union who may be held liable for breaches of the Regulation (Recital 80, Art. 4 (17), Art. 27 with some exceptions).
4. Privacy Notices
The aim of privacy notices is to inform the individual about how his or her personal data are processed in a way that the individual is in a position to exercise his or her rights. Art. 12 - 14 comprise detailed and extensive obligations on the information of individuals. At the same time there is the obligation to “provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means.”
Art. 13 includes the following information to be disclosed to the individual:
• the identity and the contact details of the controller;
• the contact details of the data protection officer;
• the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
• the recipients or categories of recipients of the personal data, if any;
• where applicable, the fact that the controller intends to transfer personal data to a third country;
• the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
• the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
[1] ECJ C-230/14 – Weltimmo, ECJ C-131/12 – Google Spain.
European Gaming Lawyer | Spring Issue | 2017 | 11