European Gaming Lawyer magazine EGL_Spring2017_opt - Page 12

• the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
• the right to lodge a complaint with a supervisory authority;
• whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;
• the existence of automated decision-making, including profiling, as well as the significance and the envisaged consequences of such processing for the data subject.
• Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject, prior to that further processing, with any relevant information.
It will be a challenge to comply with all information and transparency requirements under the GDPR in a concise, transparent, intelligible form, using clear and plain language. However, a failure to do so may not only constitute a breach of the GDPR but may also call into question the consent of the individual granted pursuant to Art. 7.
5. Changes for Data Processors: Direct Applicability and Liability
Already the old regime distinguished between Controllers and Processors of data (Art. 2 (d) and (e) of the Directive). However, responsibility and liability were mainly attached to the Controller. Under the new regime the position of the Processor has changed substantially. Many provisions are directly applicable to Processors. Moreover, a joint liability of Processor and Controller has been established (Recital 146, Art. 82). Therefore, the risk for Processors of data has increased substantially.
6. Agreements between Data Processors and Controllers
The requirements for processing personal data by a Processor on behalf of a Controller have been strengthened substantially. Such processing inter alia requires a written contract or other legal act under Union or Member State law that is binding on the Processor and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. Additional requirements for the agreement and relationship between Controller and Processor are specified in Art. 28 and 29. The legislation of some Member States already comprises similar obligations. However, from May 2018 the obligations are applicable to all data processing by Processors on behalf of Controllers within the extended reach of the GDPR (see above Sec. II 3).
7. Obligation to appoint a Data Protection Officer
Under the old Data Protection Directive there was no obligation for Member States to require the appointment of Data Protection Officers. Nevertheless, the legislation of many States (like Germany) already comprises a respective obligation. In future, all companies processing personal data as a core activity, as well as Public Authorities, are obliged to appoint a Data Protection Officer (Art. 27). Art. 28 sets forth strict provisions for the position of a Data Protection Officer (like independence, no conflict of interests, etc.). The Data Protection Officer shall report to the highest management level of the processor or controller. In particular, he shall have the task to inform and advise the controller or processor and the employees of their obligations, to monitor compliance with the Regulation and national data protection law, and to communicate and cooperate with the Supervisory Authority (Art. 39). Given the risks involved with such a position, including the new sanction regime, it might be hard to find third party providers who act as Data Protection Officer.
8. Transfer of Data outside the Union
Already under the old regime the transfer of personal data to third countries has been a substantial hurdle unless a third country has been accepted by the European Commission as having an adequate level of data protection (like Argentina, the Isle of Man, Israel, or Switzerland). The new regulations (laid down particularly in Art. 44 – 50) emphasize that the transfer of data is only allowed if additional requirements are met. Options for transferring data outside the Union include the Consent of the individual (which will be harder to validly obtain), Standard Data Protection Clauses, Binding Corporate Rules (Art. 47), Codes of Conduct (Art. 40) or an accepted Certification (Art. 42). There is not enough room here to go into details. Anyhow, the transfer of data to third countries remains a difficult task and all respective processes should be reviewed in detail in order to be compliant with the new regime.
9. Data Security
The obligation of Controller and Processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk is not new. However, Art. 32 includes more details and measures for data security. Moreover, it establishes the obligation to demonstrate compliance with data security requirements and refers to respective measures like Codes of Conduct and Certifications (Art. 40, 42).
10.
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. Further details of a breach notification and the obligation to document data breaches are set forth in Art. 33. The obligation to inform the Supervisory Authority is accompanied by an obligation to inform the individual (Art. 34).
12 | European Gaming Lawyer | Spring Issue | 2017