There was much interest and concern in Australia regarding the applicability and impact of the European Union's General Data Protection Regulation (GDPR), which entered into force on 25 May 2018.
If you have just deleted yet another email asking you to (re)confirm your consent, you might be wondering what the GDPR means for Australian companies that are already subject to Australian privacy laws.
In this article we present a high-level, practical answer to this question.
What is the GDPR?
The GDPR is the new EU regulation on privacy and data protection. It essentially governs the "personal data" of individuals in the EU throughout the life cycle of collection, use, storage, transfer and deletion.
The GDPR therefore covers similar ground to the Australian Privacy Act 1
While the GDPR has only just become fully enforceable, the entire regulation has been on the books in final form since January 2016. Regulators are likely to take the view that companies had plenty of time to prepare.
Think of Your Supply Chain
What does that mean for Australian companies? First of all, it should be noted that even if your company does not collect personal information about individuals in the EU, the GDPR may affect you indirectly through your agreements with customers or suppliers. Ask yourself: "Do I handle personal information for EU corporate customers?"
The reason is that EU corporate customers, because of their own data protection obligations, include certain conditions in their contracts with companies that process personal data on their behalf. These terms pass on, to a certain extent, the EU corporate customer's own obligations under the GDPR.
The clear and present danger to Australian businesses is not that the French Commission Nationale de l'Informatique et des Libertés will come to the antipodes with questions or fines.
Instead, your corporate customers in the EU, to whom the GDPR undoubtedly applies and who are far more exposed to their national data protection authorities, will make sure that their contractual arrangements are respected.
This concerns not only the relationship between your EU corporate customer and you, but also your relationships with the service providers further down the chain who process personal information for your business. Under the GDPR, the EU corporate customer remains responsible for everyone in that chain.
What does that mean practically?
This means that if you wish to keep or win EU corporate customers, you will likely need to update your terms and conditions for them, as well as your subcontracts with your own subcontractors (known as processors or sub-processors) who access personal information (e.g. CRM and cloud providers). The specific requirements for these contracts come from a few provisions, notably Article 28 of the GDPR, which applies to all processing and subcontracting arrangements, and Article 46, which deals with international transfers of personal information.
What complicates matters for Australian businesses is that Australia has not been recognized by the European Commission as having "adequate" privacy laws. This means that organizations wishing to share personal information with Australian service providers must put in place additional "appropriate safeguards".
These could be additional contractual terms (the EU model clauses) or consent, which makes the GDPR more difficult to manage.
The good news is that the larger sub-processors have probably already done this work, which means you may be able to rely on the steps they have taken to be GDPR-compliant.
OK, I understand that my corporate customers in the EU will be looking for new contracts. What about the direct application of the GDPR to my company?
If your company sells goods or services directly to customers in the EU and collects personal information about individuals in the EU, you are likely to be covered by the GDPR. The GDPR can also apply directly to you in many other cases where you process personal data of individuals in the EU, with or without an intermediary EU company. The requirements are deceptively complicated; bear them in mind when targeting goods and services at, or marketing to, individuals in the EU, or when tracking and profiling them.
Sometimes the answer is obvious, but if you think you may be caught by the GDPR, seek legal advice.
So what else do I have to do under the GDPR if I already comply with Australian privacy law?
Whether the GDPR applies to you directly or by contract, the notable overlap between the GDPR and the Australian Privacy Act is worth observing.
Broad principles of the GDPR such as data minimization, transparency, use only for specified purposes, and security are already reflected in the Australian Privacy Principles. Both require "privacy by design".
One of the main differences is that the GDPR distinguishes between "controllers" and "processors". A "controller" is essentially the entity that decides why personal data is collected and processed.
Controllers are responsible for processing personal data in accordance with the GDPR, regardless of whether they process it themselves or outsource it to a "processor". "Processors" process personal data only on the instructions of, and under contract with, the controller, and have more limited duties than controllers.
The GDPR places obligations on controllers that are more burdensome than those under Australian privacy law. Some of the major differences are as follows:
Selection of the "legal basis" of processing
A data controller under the GDPR must ensure that it processes personal data on a "lawful basis", which could be:
- contractual obligation to the individual
- fulfilment of a legal obligation
- necessity of protection of vital interests
- necessity of a task performed in the public interest and
Consent is harder to obtain
In Australia, consent may be implied. Under the GDPR, it must be given explicitly by "a statement or clear affirmative action". Under both systems, consent must be capable of being withdrawn at any time.
Increased rights of data subjects
While Australia already has a right of access to and a right to rectification of personal data, the GDPR adds further rights such as the right to erasure, the right to data portability and the right not to be subject to decisions based solely on automated processing, except in certain circumstances.
Appointment of EU Representative and Data Protection Officer
You may need to appoint an EU "Representative" or a Data Protection Officer.
Stricter data breach notification requirements
You must report a wider range of data breaches in a much shorter timeframe.
What enforcement action has been taken under the GDPR?
In the case of Google, the complaint notes that the maximum possible penalty is 4% of the Alphabet Group's revenue, amounting to about 3.79 billion euros.
Takeaways
The GDPR is likely to have a direct impact on your business if you deliver goods or services to individuals in the EU. It can also affect your business if you have an EU customer or client who has to fulfil their own obligations under the GDPR. In that case, your EU customers or clients may require new or updated agreements for the processing of personal data, and may require you to impose the same obligations on your service providers, regardless of their location.
The GDPR is a regulation with real teeth, as the recent complaints against Google and Facebook show. Although clear guidelines exist, these complaints are likely to show that companies whose business model relies on targeted advertising to individuals in the EU must pay particular attention to their data protection strategy. This includes careful consideration of the lawful basis for processing at a granular level.
Since it is never too late to comply with the Australian Privacy Act, and now the GDPR, now is a good time for an audit to understand the collection channels, the legal bases for processing and the life cycle of personal information in your company, as well as the technical and organizational security measures you have in place. Do not wait for a complaint against you or one of your customers in the EU.
Do not hesitate to contact us if you have any questions about the effects of the GDPR, and look out for further updates from our team.
Article by the DVM Law Team