by Shlomo Farkas, Adv. | Partner | Gross, Kleinhendler, Hodak, Halevy, Greenberg & Co. E-mail: firstname.lastname@example.org
The GDPR replaced the antiquated EU data protection regime consisting of the 1995 Data Protection Directive, and the 28 national data protection laws of the EU. The goal of the GDPR is to ensure stronger enforcement of the privacy protection rules and to set global data protection standards. The GDPR is applicable to all EU Member States – and, generally, do not have to be further implemented by national legislation on a country by country basis. As such, the GDPR significantly reduces the need to verify compliance with each set of national data laws which are comprised of varying interpretations of the original EU framework. However, as the GDPR allows Members States to maintain or introduce specific rules with respect to, inter alia, genetic data, biometric data and health data, other than adopting a GDPR compliance program, it is required to examine whether the organization should comply with additional laws, if applicable to the organization’s field of business.
The GDPR applies to organizations established in the EU that process personal data in the context of their activities (regardless of whether or not the processing of personal data itself takes place in the EU), as well as to organizations that are not established in the EU, that process personal data of data subjects who are in the EU, where the processing activities are related to:
(a) the offering of goods or services to such data subjects in the EU; or
(b) the monitoring of the data subject’s behavior as far as their behavior takes place within the EU.
Many terms included in such applicability provisions are subject to interpretation, including the term “established” which was interpreted very broadly. An organization may be considered as “established” in the EU where it exercises any real and effective activity in the EU, even a minimal one through stable arrangement in the EU. For example, the presence of a single representative of an organization within the EU may be sufficient. Therefore, this matter should be examined on a case by case basis. For the purpose of determining whether an organization is “offering goods and services” to EU data subjects, it seems that mere accessibility of a website from within the EU may not suffice in order to have the organization be subject to the GDPR. However, it should be apparent that the organization envisages that such activities will be directed to EU data subjects. For example, use of an EU language or currency on a website, use of a European top-level domain name, inclusion of marketing campaigns directed to data subjects who are in the EU, and which are displayed within the website, etc. may serve as evidence that the goods and services are directed to EU data subjects and as such the GDPR will likely apply. In addition, the scope of monitoring which is required in order for the GDPR to apply is unclear, and potentially tracking individuals online (such as using cookies) to create behavior profiles (including for the purpose of predicting the preferences of users) may subject an organization to the GDPR. Therefore, in many cases, the GDPR applies to Israeli organizations, even those that have no physical presence in the EU. Non-compliance could lead to heavy sanctions. The data protection authorities will be able to levy administrative sanctions of up to 4% of the total worldwide annual turnover of the preceding financial year of the infringing company or 20 million Euros, whichever is higher.
There are various requirements under the GDPR, such as:
- the GDPR sets out certain legal grounds for the processing of personal data in order for it to be lawful, one of which is the data subject’s consent which is highly restrictive under the GDPR. The GDPR requires freely given, specific, informed and unambiguous consent as one of the alternatives which support lawful processing of personal data. For example, consent under the GDPR may only be obtained where the data subject has been informed of the scope and the consequences of the data processing, and the information provided to the data subject must be clear, conspicuous, sufficient and in plain language. Existing consents will be considered applicable, provided that they meet the new requirements. Additionally, GDPR provisions relating to consent include, inter alia: (i) the right of data subjects to revoke their consent at any time, which must be as easy to withdraw as it is to be given, (ii) the organization’s obligation to be able to demonstrate that the data subject has indeed consented to the processing; (iii) a requirement that the consent be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means. This could include ticking a box when visiting an internet website. Silence, pre-ticked boxes or inactivity should not therefore constitute consent; and (iv) specific rules and restrictions regarding the grant of consent by children under the age of 16.
- In addition, the GDPR introduces more extensive rights for data subjects, such as the following: the “right to be forgotten”, allowing data subjects the right, under certain circumstances, to require a data controller to erase personal information relating to them, without undue delay (for example, if there are no legitimate grounds for retaining it) and the right to data portability, i.e., the data subjects have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller. Such right will enable the data subjects to exercise greater control over the transmission of their personal information between service providers and will enable the data subject to better understand how their personal data is processed.
- In addition, pursuant to the GDPR, in certain circumstances, data controllers and processors will be required to appoint a Data Protection Officer (“DPO“). For example, when their core activities consist of processing on a large scale of special categories of data or where their core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale. The GDPR further imposes certain obligations and tasks of the DPO.
- According to the GDPR, under certain circumstances, data processors must notify, without undue delay, data controllers of data breaches, who in turn must notify the competent data protection authority of such data breaches without undue delay (and in certain cases to the data subject themselves), and where possible, within 72 hours of being aware of the breach. Where this obligation is not met, a justification must be provided;
- The GDPR places onerous accountability obligations on data controllers and requires organizations to take all technical and organizational measures to comply with the principles and obligations under the GDPR and to be able to demonstrate and substantiate such compliance. Such obligations include, inter alia, requiring data controllers to (i) maintain certain documentation, including records of processing activities, (ii) conduct a privacy impact assessment (PIA) before processing personal data for operations that are likely to present higher privacy risks to data subjects due to the nature or scope of the processing operation, and (iii) implement data protection by design and by default, e.g. taking privacy risks into account throughout the process of designing a new product or service, adopting technical and organizational mechanisms to ensure that, as a default, only personal data which are necessary for each purpose of the processing are processed, used and retained and to ensure that tools such as pseudonymisation or anonymization, which are designed to implement data protection principles, will be integrated as safeguards into the processing of information.
For further information regarding this matter, please contact Adv. Ella Tevet, Partner, Head of IP and Privacy Practice at GKH, at ellat at gkh-law.com or 03-6074588.