European Gaming Lawyer magazine EGL_Spring2017_opt | Page 12

• the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
• the right to lodge a complaint with a supervisory authority;
• whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;
• the existence of automated decision-making, including profiling, as well as the significance and the envisaged consequences of such processing for the data subject;
• where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject, prior to that further processing, with any relevant information.
It will be a challenge to comply with all information and transparency requirements under the GDPR in a concise, transparent, intelligible form, using clear and plain language. However, a failure to do so may not only constitute a breach of the GDPR but may also call into question the validity of the consent granted by the individual pursuant to Art. 7.
5. Changes for Data Processors: Direct Applicability and Liability
The old regime already distinguished between Controllers and Processors of data (Art. 2(d) and (e) of the Directive). However, responsibility and liability mainly rested with the Controller. Under the new regime the position of the Processor has changed substantially. Many provisions are directly applicable to Processors. Moreover, a joint liability of Processor and Controller has been established (Recital 146, Art. 82). Therefore, the risk for Processors of data has increased substantially.
6. Agreements between Data Processors and Controllers
The requirements for processing personal data by a Processor on behalf of a Controller have been strengthened substantially. Such processing inter alia requires a written contract or other legal act under Union or Member State law that is binding on the Processor and that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. Additional requirements for the agreement and relationship between Controller and Processor are specified in Art. 28 and 29. The legislation of some Member States already comprises similar obligations. However, from May 2018 the obligations are applicable to all data processing by Processors on behalf of Controllers within the extended reach of the GDPR (see above Sec. II 3).
7. Obligation to appoint a Data Protection Officer
Under the old Data Protection Directive there was no obligation for Member States to require the appointment of Data Protection Officers. Nevertheless, the legislation of many States (like Germany) already comprises such an obligation. In future, all companies processing personal data as a core activity, as well as Public Authorities, are obliged to appoint a Data Protection Officer (Art. 27). Art. 28 sets forth strict provisions for the position of a Data Protection Officer (like independence, no conflict of interests, etc.). The Data Protection Officer shall report to the highest management level of the processor or controller. In particular, he shall have the task to inform and advise the controller or processor and the employees of their obligations, to monitor compliance with the Regulation and national data protection law, and to communicate and cooperate with the Supervisory Authority (Art. 39). Given the risks involved with such a position, including the new sanction regime, it might be hard to find third-party providers who act as Data Protection Officer.
8. Transfer of Data outside the Union
Already under the old regime the transfer of personal data to third countries has been a substantial hurdle unless a third country has been accepted by the European Commission as having an adequate level of data protection (like Argentina, the Isle of Man, Israel, or Switzerland). The new regulations (laid down particularly in Art. 44 – 50) emphasize that the transfer of data is only allowed if additional requirements are met. Options for transferring data outside the Union include the Consent of the individual (which will be harder to validly obtain), Standard Data Protection Clauses, Binding Corporate Rules (Art. 47), Codes of Conduct (Art. 40) or an accepted Certification (Art. 42). There is not enough room here to go into details. In any event, the transfer of data to third countries remains a difficult task, and all respective processes should be reviewed in detail in order to be compliant with the new regime.
9. Data Security
The obligation of Controller and Processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk is not new. However, Art. 32 includes more details and measures for data security. Moreover, it establishes the obligation to demonstrate compliance with data security requirements and refers to respective measures like Codes of Conduct and Certifications (Art. 40, 42).
10. Notification of Data Breaches
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. Further details of a breach notification and the obligation to document data breaches are set forth in Art. 33. The obligation to inform the Supervisory Authority is accompanied by an obligation to inform the individual (Art. 34).