
[Legal Article] ARE YOU GDPR COMPLIANT? - SOME CONSIDERATIONS FOR TACKLING GDPR COMPLIANCE -

2019-01-07 陳彥嘉, Senior Legal Consultant
The General Data Protection Regulation (the “GDPR”),[1] a European Union (the “EU”) regulation changing the legal landscape of the protection of personal data,[2] is here to stay, as it came into effect on May 25, 2018.[3]  Under the GDPR, the term “personal data” refers to “any information relating to an identified or identifiable natural person (“data subject”).”[4]  Companies and organizations that process, or determine the processing of, such personal data should pay attention to the GDPR, because it applies not only to those established in the EU but may also apply to those with no establishment in the EU, including Taiwanese companies and organizations.[5]  Also, the consequences of non-compliance are severe.[6]  This article summarizes the application of the GDPR and the consequences of non-compliance, briefly navigates a few differences between the GDPR and the Personal Information Protection Act (the “PIPA”)[7] in Taiwan, and provides some priorities (an inclusive but not exhaustive list) for companies or organizations that are not yet fully GDPR-compliant to consider.
 
I.  Are You Subject to the GDPR?
 
The GDPR is farther-reaching than one might expect and affects more than European companies and organizations, since it applies to companies and organizations processing or holding personal data of data subjects residing in the EU, regardless of whether these companies and organizations are based in the EU.[8]  Any enterprise that engages in an economic activity[9] and “determines the purposes and means of the processing[10] of personal data” (i.e., a data “controller”)[11] or “processes personal data on behalf of the controller” (i.e., a data “processor”)[12] will be subject to the GDPR, as long as the personal data collected or processed belongs to data subjects in the EU, and “regardless of whether the processing takes place in the [EU].”[13]  Moreover, the GDPR may apply extraterritorially to the processing of personal data of data subjects in the EU by any controller or processor outside the EU if the processing relates to activities offering goods or services to such data subjects, or to monitoring the behavior of such data subjects.[14]
 
II.  Consequences of Non-compliance
 
Any controller or processor should be aware of and comply with the GDPR because the consequences of non-compliance are severe and costly.[15]  A controller or processor failing to comply with the GDPR will likely face administrative fines imposed by the data protection authority of up to twenty million euros (€20 million) or four percent (4%) of its total worldwide annual turnover, “whichever is higher.”[16]  Moreover, EU Member States may impose additional penalties applicable to infringements of the GDPR.[17]
 
III.  Some GDPR Compliance Priorities
 
The GDPR has significant implications for the governance, data and privacy management, information technology, communications, personnel, and budget of any controller or processor under the GDPR, because it requires the implementation of data protection policies and measures and the institution of appropriate organizational and technical steps to ensure compliance with the GDPR.[18]  Among all GDPR compliance steps to be taken, the following are some priorities to be considered (an inclusive but not exhaustive list, in no particular order):
  • Raising awareness and helping decision-makers in your company or organization become aware of the GDPR and appreciate its impact.[19]
  • Conducting an information audit (i.e., an initial assessment of data processing activities) to know what personal data is held by your company or organization and how it has been processed (e.g., how it is used, who is using it, for what purposes, whom it is shared with, etc.).[20]
  • Designating personnel and, if necessary, a data protection officer (“DPO”) to take responsibility for data protection tasks and privacy compliance within your company or organization.[21]  Appointing a DPO is necessary when (1) “the processing is carried out by a public authority or body;” (2) the controller’s or the processor’s core activities involve processing operations amounting to “regular and systematic monitoring of data subjects on a large scale;” or (3) the controller’s or the processor’s core activities involve processing of special personal data on a large scale or of “personal data relating to criminal convictions and offences.”[22]
  • Checking and reviewing the existing personal data, privacy policies and notices, processing operations, management, and procedures of your company or organization, and updating them for GDPR compliance.[23]  For instance, creating or updating a privacy notice (some may call it a “privacy policy” or “privacy statement”[24]) in compliance with the GDPR is certainly one of the top priorities for controllers or processors.[25]  Furthermore, it is important to implement or update the tools your company or organization uses for obtaining, documenting, refreshing, and managing the consent of data subjects, and to make sure they meet the GDPR requirements.[26]
  • Identifying and documenting the lawful basis for the personal data processing activities operated by your company or organization, and then explaining it in the privacy notice of your company or organization.[27]
  • Updating the security system of your company or organization and adopting a “privacy by design and by default” approach.[28]  The privacy by design and by default obligations introduced by the GDPR require a controller to implement appropriate measures to safeguard personal data[29] and to “ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”[30]
  • Carrying out a data protection impact assessment (a “DPIA”), if so required.[31]  A DPIA refers to inventorying a data processing operation before it is carried out, which helps to indicate whether the data processing poses a risk and what measures may be taken to mitigate the identified risks.[32]  Under the GDPR, carrying out a DPIA is required when (1) the processing uses a new technology;[33] (2) many individuals are likely to be affected by a profiling operation; (3) special personal data is processed on a large scale; or (4) the processing systematically monitors people in public on a large scale.[34]
  • Developing a data breach response plan and having it in place.[35]  Under the GDPR, a data breach incident may include not only the unauthorized release of personal data but also the unlawful possession or accidental destruction of personal data.[36]  The GDPR requires a controller to report a data breach to the supervisory authority within seventy-two (72) hours after becoming aware of the breach.[37]  If the data breach at issue is likely to result “in a high risk to the rights and freedoms of natural persons,” the controller shall also notify the data subjects of the breach as required by the GDPR.[38]  The GDPR also requires a processor to notify the controller without undue delay when the processor becomes aware of a data breach.[39]
 
IV.  Difference Between the GDPR and the PIPA
 
For reference of those who are familiar with the PIPA, the following table presents a few differences (but not an exhaustive list) between the GDPR and the PIPA:
Definition of personal data
  GDPR: any information relating to an identified or identifiable natural person[40]
  PIPA: any information which may be used to directly or indirectly identify a natural person[41]

Application
  GDPR: applies to the processing or holding of personal data of data subjects residing in the EU, regardless of whether the processing takes place in the EU[42]
  PIPA: applies to a government agency or a non-government agency collecting, processing or using personal information of R.O.C. citizens both in[43] and outside the R.O.C. territory[44]

Supervisory authority
  GDPR: each EU Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of the GDPR[45]
  PIPA: instead of establishing a single data protection authority, the PIPA distributes the power to various competent authorities, including the government authority in charge of the subject industry at the central government level, a municipality directly under the central government, or a county or city government

Processing of special personal data
  GDPR: except for reasons of substantial public interest or other necessities,[46] the GDPR prohibits processing of special personal data (including the “[p]rocessing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”)[47]
  PIPA: except for six exceptional situations provided by the PIPA, the PIPA does not allow collecting, processing or using personal information concerning medical records, medical treatment, genetic information, sexual life, health examinations and criminal records[48]

Cross-border transmission
  GDPR: cross-border transmission of personal data is allowed only if it complies with the conditions laid down by the GDPR[49] (e.g., subject to appropriate safeguards[50] and approved mechanisms such as binding corporate rules)[51]
  PIPA: the government authority in charge of the subject industry may limit cross-border transmission of personal data by a non-government agency when (1) it involves major national interests; (2) a national treaty or agreement specifies otherwise; (3) the country receiving the personal information lacks proper regulations; or (4) the cross-border transmission is made in order to avoid the application of the PIPA[52]

Individual rights
  GDPR:
  • The right to be informed[53]
  • The right of access[54]
  • The right to rectification[55]
  • The right to erasure (the right to be forgotten)[56]
  • The right to restrict processing[57]
  • The right to data portability[58]
  • The right to object[59]
  • Rights in relation to automated decision making and profiling[60]
  PIPA:
  • The right to inquire about and request a review of personal information[61]
  • The right to request duplicates of personal information[62]
  • The right to request supplementing or correcting personal information[63]
  • The right to request discontinuing the collection, processing or use of personal information[64]
  • The right to request deleting personal information[65]

Enforcement and sanctions
  GDPR:
  • administrative fines: up to twenty million euros (€20 million) or four percent (4%) of the total worldwide annual turnover, whichever is higher[66]
  • additional penalties: each EU Member State may impose additional penalties applicable to infringements of the GDPR[67]
  PIPA:
  • administrative fines: up to five hundred thousand New Taiwan dollars (NT$500,000)[68]
  • criminal penalties: up to imprisonment for not more than five (5) years or a fine of not more than NT$1,000,000, or both[69]
  • damages: five hundred New Taiwan dollars (NT$500) to twenty thousand New Taiwan dollars (NT$20,000) per person per incident[70]
  • aggregate damages: capped at two hundred million New Taiwan dollars (NT$200 million) per single incident[71]
 
V.  Conclusion
 
In this data-driven era, the protection of personal data and privacy matters.  Processing and protecting personal data in an appropriate manner is not only a compliance matter but also “makes sound business sense.”[72]  If you have not fully implemented, or are just beginning, your GDPR compliance program, you are well behind full compliance with the GDPR, since the GDPR entered into force on May 25, 2018.[73]  At this moment you are probably not the only one who is not fully GDPR compliant,[74] but your failure to comply with the GDPR could likely cost you a pretty penny.[75]  Implementing GDPR compliance is not something that can be done overnight by a small crew, and it may take your company or organization much more time, effort, and workforce than expected to become fully GDPR compliant.[76]  Please consider putting GDPR compliance among the top priorities on the agenda of your company or organization and immediately taking some steps showing that your company or organization is at least making an effort to comply with the GDPR.[77]
 
This article, including the information contained herein, has been prepared only for educational and general information purposes to contribute to the understanding of the General Data Protection Regulation (“GDPR”) of the European Union.  It does not constitute and is not offered as individual legal advice, legal opinion or any other professional advice on any subject matters covered herein.  Please obtain specific legal advice before acting on any information covered herein.  While the author makes every attempt to ensure that the information contained herein is accurate, the author disclaims any liability for any omissions or errors that may be contained in this article.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119, 4.5.2016, at 1–88 (hereinafter the “GDPR”).
[2] Allen & Overy LLP, Preparing for the General Data Protection Regulation 2 (2018), http://www.allenovery.com/publications/en-gb/data-protection/Documents/Preparing%20for%20the%20GDPR%20-%20January%202018.PDF (hereinafter “A&O, Preparing for the GDPR”); bureau Brandeis, GDPR Compliance Roadmap 2 (2017); Jane Finlayson-Brown, Nigel Parker, Charlotte Mullarkey & David Smith, Preparing for GDPR Compliance, Allen & Overy LLP 1 (Mar. 2018), http://www.allenovery.com/SiteCollectionDocuments/Preparing%20for%20GDPR%20compliance%20March%202018.PDF (hereinafter “Jane Finlayson-Brown et al., Preparing for GDPR Compliance”).
[3] GDPR art. 99. 
[4] Id. art. 4(1).
[6] GDPR art. 83, ¶¶4-6.
[7] The Personal Information Protection Act, promulgated by Presidential Decree Ref. No. ROC-President-(I)-Yi-5960 dated August 11, 1995, and amended on May 26, 2010 and December 30, 2015 (hereinafter the “PIPA”).
[8] GDPR art. 3, ¶¶1-2.  See also A&O, Preparing for the GDPR, supra note 2, at 4-5; Jane Finlayson-Brown et al., Preparing for GDPR Compliance, supra note 2, at 1-2; Paul Doris et al., supra note 5; Nohe, supra note 5.
[9] GDPR art. 4(18).
[11] Id. (7).
[12] Id. (8).
[13] Id. art. 3, ¶1.
[14] Id. ¶2.
[15] Id. art. 83, ¶¶4-6.
[16] Id.
[17] Id. art. 84, ¶1.
[18] Information Commissioner’s Office, Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now 1 (May 25, 2017) (hereinafter “ICO, 12 steps”); A&O, Preparing for the GDPR, supra note 2, at 4.
[20] Brandeis, supra note 2, at 8; ICO, 12 steps, at 3.
[21] ICO, 12 steps, at 8; Brandeis, supra note 2, at 5; Jane Finlayson-Brown et al., Preparing for GDPR Compliance, supra note 2, at 1.
[22] GDPR art. 37, ¶1.
[23] ICO, 12 steps, at 3-4; Brandeis, supra note 2, at 22; Jane Finlayson-Brown et al., Preparing for GDPR Compliance, supra note 2, at 1.
[24] Evan Schuman, Last-Minute GDPR Compliance 2 (2018), available at: https://www.thecontentfirm.com/images/user/other/Last-Minute-GDPR.pdf; Stephen Lawton, One Month Out: Top 6 Steps for GDPR Compliance, SC Media (Apr. 25, 2018), https://www.scmagazine.com/one-month-out-top-6-steps-for-gdpr-compliance/printarticle/754487/; Teri Robinson, GDPR: It's (just about) here, SC Media (May 1, 2018), https://www.scmagazine.com/gdpr-its-just-about-here/article/762198/; Nohe, supra note 5; GDPR Privacy Policy Checklist, The VeraSafe Data Protection Blog (Apr. 10, 2018), https://www.verasafe.com/blog/gdpr-privacy-policy-checklist/ (hereinafter “Checklist, VeraSafe”).
[26] ICO, 12 steps, at 6; Brandeis, supra note 2, at 28.
[27] ICO, 12 steps, at 5; Jane Finlayson-Brown et al., Preparing for GDPR Compliance, supra note 2, at 1.
[28] ICO, 12 steps, at 7; Brandeis, supra note 2, at 18; A&O, Preparing for the GDPR, supra note 2, at 26; Jane Finlayson-Brown et al., Preparing for GDPR Compliance, supra note 2, at 1.
[29] GDPR art. 25, ¶1.  See also Jane Finlayson-Brown et al., Preparing for GDPR Compliance, supra note 2, at 1.
[30] GDPR art. 25, ¶2.
[31] Brandeis, supra note 2, at 11; A&O, Preparing for the GDPR, supra note 2, at 24.
[32] Brandeis, supra note 2, at 11.
[33] GDPR art. 35, ¶1.
[34] Id. ¶3.
[36] GDPR art. 4(12).
[37] Id. art. 33, ¶1.
[38] Id. art. 34, ¶1.
[39] Id. art. 33, ¶2.
[40] Id. art. 4(1).
[41] PIPA art. 2, subpara. 1.
[42] GDPR art. 3, ¶¶1-2.  See also Nohe, supra note 5.
[43] PIPA art. 4.
[45] Id. ¶1.
[46] GDPR art. 9, ¶¶2-3.
[47] Id. art. 9, ¶1.
[48] PIPA art. 6, ¶1.
[49] GDPR art. 44.
[50] Id. art. 46, ¶1.
[51] Id. art. 47, ¶1.
[52] PIPA art. 21.
[53] GDPR arts. 12-14.
[54] Id. art. 15.
[55] Id. art. 16.
[56] Id. art. 17.
[58] Id. art. 20.
[59] Id. art. 21.
[60] Id. art. 22.
[61] PIPA art. 3.
[62] Id.
[63] Id. arts. 3 & 11, ¶1.
[64] Id. arts. 3 & 11, ¶¶2-3.
[65] Id. arts. 3 & 11, ¶3.
[66] GDPR art. 83, ¶¶4-6.
[67] Id. art. 84, ¶1.
[68] PIPA arts. 47-48.
[69] Id. arts. 41-42.
[70] Id. art. 28, ¶3.
[71] Id. ¶4.
[72] A&O, Preparing for the GDPR, supra note 2, at 4.
[73] GDPR art. 99.
[74] Rhys Dipshan, Marketers Are Struggling With GDPR Compliance. Is Legal at Risk?, Law.com (Aug. 8, 2018), https://www.law.com/legaltechnews/2018/08/08/marketers-are-struggling-with-gdpr-compliance-is-legal-at-risk (last visited Aug. 22, 2018).
[75] A&O, Preparing for the GDPR, supra note 2, at 4, 38; Jane Finlayson-Brown et al., Preparing for GDPR Compliance, supra note 2, at 1.
[76] ICO, 12 steps, at 3; A&O, Preparing for the GDPR, supra note 2, at 43; Jane Finlayson-Brown et al., Preparing for GDPR Compliance, supra note 2, at 1.
[77] Jane Finlayson-Brown et al., Preparing for GDPR Compliance, supra note 2, at 1.