Tag Archives: GDPR

Commission Nationale de l’Informatique et des Libertés (CNIL)

The passing of the Digital Republic Bill: its implications for organizations

On October 2016, the New Digital Republic Bill (hereinafter, the Bill) passed in France and significant changes for organisations have been implemented.

Now, data subjects have the right to access and control their personal information including: how long their data is stored, how will be used and the right to be forgotten or the right to request that personal data be removed without delay in case of minors.

It also contains the provision for any interested person to obtain, free of charge, a copy of any of his data resulting from the use of a online service provided by a service provider, except for data that has been significantly enriched by the service provider.

In addition, sanctions to be taken by the Commission Nationale de l’Informatique et des Libertés CNIL) have increased from €150,000 up to €3 Million euros in accordance with the new General Data Protection Regulation (GDPR) that will come into force in 2018.

2017 the year of mutual assistance testing

Blog_zJacek Safell, Specialist
Department of Social Education and International Cooperation
Bureau of the Inspector General for Personal Data Protection

The year 2016 came to an end and people are turning their heads towards 2017 with new energy and hope. And as we all know there is significant change on the horizon of European data protection. Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; GDPR), is slowly yet unavoidably approaching. It won’t get here quite yet in 2017 but that doesn’t mean this upcoming year will be less important for that. On the contrary, we are facing a year of important decisions and tests. How Europe manages to handle these tasks will have a direct influence on the future of data protection under the GDPR.

In order to prepare data protection authorities (DPAs) for the upcoming changes the Article 29 Working Party (WP29) has been keeping busy, creating guidelines and FAQs that will aid DPAs during the transition. During the December 2016 plenary meeting, WP29 discussed certain critical matters with regard to the implementation GDPR and consistent with its 2016 Action Plan decided in February 2016, the WP29 adopted during the December plenary:

  • Guidelines on the right to data portability (WP 242),
  • Guidelines for identifying a controller or processor’s lead supervisory authority  (WP 244), and
  • Guidelines on Data Protection Officers (DPOs) (WP 243).

 As the PHAEDRA project’s main goal is to identify, develop and recommend measures for improving practical co-operation EU DPAs we believe that the abovementioned guidelines are worth summarising. However, since the issues of DPOs as well data portability don’t relate so directly to DPAs co-operation, we’ll skip it in the following article.

Lead Supervisory Authority

One of the key topics discussed and agreed upon by the WP29 is the issue of cross-border processing of personal data in connection to identifying a lead supervisory authority. As Article 4(23) GDPR clearly states, there are two scenarios in which we’ll be dealing with ‘cross-border processing’. Out of these two cases, one’s “cross-border” character is based on the vague term of “substantial affect”.

A question may arise – what does the Regulation mean by “substantially affects”? Now we won’t find a direct answer in the text of the GDPR so, according to the Opinion WP 244, DPAs will have to determine this on a case-by-case basis. The intention of the wording was to ensure that not all processing activities, with any effect and that take place within the context of a single establishment, fall within the definition of “cross-border processing”. But if we look at a general definition of the word “affect”, we’ll see that there must be influence, that the data processing must impact someone in some way. That way being of “substantial” nature.

So once we establish that we are in fact dealing with cross-border processing, it is mandatory to identify the lead supervisory authority.

Ok, so why do we need this lead supervisory authority? To put it in simple terms, a ‘lead supervisory authority’ is the authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data and the controller/processor is established in more than one EU Member State. The lead supervisory authority will coordinate any investigation, involving other supervisory authorities, according to the consistency mechanism.

Although Article 56 GDPR gives means of determining the lead supervisory authority, often things won’t be so clear and it might be up to data controllers to establish clearly where decisions on the purposes and means of personal data processing activities are being made, thus allowing the lead authority to be appointed. The process of determining where the main establishment is may require active inquiry and co-operation by the supervisory authorities. Conclusions cannot be based solely on statements by the organization under review. The burden of proof ultimately falls on controllers and processors. They should be able to demonstrate to supervisory authorities where decisions about data processing are actually taken and implemented. Effective records of data processing activity would help both organizations and supervisory authorities to determine the lead authority.

One may ask what about other DPAs? Are they excluded from any operations once the lead supervisory authority is established? Well no, quite the contrary. As Article 4(22) GDPR states, other supervisory authorities can be “concerned”. The concept of a concerned supervisory authority is meant to ensure that the ‘lead authority’ model does not prevent other supervisory authorities having a say in how a matter is dealt with when, for example, individuals residing outside the lead authority’s jurisdiction are substantially affected by a data processing activity.

The GDPR requires lead and concerned supervisory authorities to co-operate, with due respect for each other’s views, to ensure a matter is investigated and resolved to each authority’s satisfaction – and with an effective remedy for data subjects. Supervisory authorities should endeavor to reach a mutually acceptable course of action. The formal consistency mechanism should only be invoked where co-operation does not reach a mutually acceptable outcome.

Mutual acceptance of decisions can apply to substantive conclusions, but also to the course of action decided upon, including enforcement activity (e.g. full investigation, investigation with limited scope, a warning or a press statement). It can also apply to a decision not to handle a case in accordance with GDPR, for example because of a formal policy of prioritisation, or because there are other concerned authorities as described above. The development of consensus and good will between supervisory authorities is essential to the success of the GDPR co-operation and consistency process.

To summarise this post, we would like to point out that although the GDPR creates a framework for co-operation and goals which are to be achieved, success depends solely on the DPAs co-operation. With further guidelines from WP29 and enough time to implement, the GDPR can have a positive impact on the data protection in Europe. We will closely follow the WP29’s work and assist DPAs in their difficult task.



Information Commissioner’s Office (ICO)

Transparency, trust and progressive data protection

The UK’s new Information Commissioner, Elizabeth Denham delivered her initial speech at Ctrl-Shift’s “Achieving Growth through Trust” conference in London. She used the speech to outline her priorities and focus for the coming years, including a focus upon the combination of privacy and innovation and the opportunities that arise from this. Part of the speech focused on the implications of Brexit for UK data protection law and the extent to which the GDPR is likely to apply in the UK context.

French Parliament

French Parliament adapts National Law to take into account CJEU ruling and GDPR

On June 30, 2016, representatives of the French Parliament reached a common position of the French “Digital Republic” bill. This new Law that should normally be adopted in October 2016 amend significantly various aspects of the French Data Protection Act.

More specifically, a Joint Committee of both French legislative chambers (National Assembly and Senate) approved amendments that comply with the latest jurisprudence (the “Digital Rights” case) of the Court of Justice of the European Union (CJEU) and anticipates obligations as set out by EU General Data Protection Regulation (GDPR) in article 13.2.a. The amendments include the obligation for companies to inform individuals of the data retention period. If companies are unable to facilitate this information, they are obliged to inform of the criteria used to determine that period. At the present situation in France businesses are not required to specify data retention periods in their privacy notices.

Information Commissioner’s Office (ICO)

ICO response to the EU Referendum

A short statement presented by the ICO in response to the result of the UK referendum on membership of the EU.

““Over the coming weeks we will be discussing with Government the implications of the referendum result and its impact on data protection reform in the UK.

“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case.

“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”


New checklist prepares organisations for the new EU regulation

<<The Data Inspection Board has developed a checklist as an aid to companies and other organizations that now must prepare for the EU Regulation on data protection of two years replaces the Data Protection Act.

In two years the EU Data Protection Regulation become applicable in Sweden and other member countries. The regulation applies directly to Swedish law and replaces the Data Protection Act. This has major consequences for companies and other organizations that collect and use personal information.

– Ordinance has similarities with the current Data Protection Act but also great differences. It is important to businesses, governments and other already starting to prepare for the new rules, says the Data Inspectorate General of Kristina Svahn Starrsjö.

The Data Inspection Board has developed a checklist that provides support in the preparatory work. The checklist is based on a model from the Data Inspectorate’s sister agency in the UK, The Information Commissioner’s Office.

The checklist includes 13 items including reports on new standards of integrity analyzes, documentation, the legal arguments that can be used when personal information is collected and handled, and what information they must provide to the people whose data it collects.

– The checklist is available and I encourage all organizations that handle personal information to download and go through it, says Kristina Svahn Starrsjö.

The Data Inspection Board has also published some 20 questions and answers about the upcoming EU regulation on data protection and will fall to organize training courses with a special focus on regulation.>>