The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice.
European Union General Data Protection Regulation (EU GDPR)
Regulation (EU) 2016/679, of the European Parliament and the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1.
Highlights
Territorial Scope:
The EU GDPR applies to the processing of Personal Data in the context of the activities of an establishment of a Controller or a Processor in the EU, regardless of whether the processing takes place in the EU or not.
The EU GDPR applies to the processing of Personal Data of Data Subjects who are in the EU by a Controller or Processor not established in the EU, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the Data Subject is required, to such Data Subjects in the EU; or
- the monitoring of their behavior as far as their behavior takes place within the EU.
Principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Lawfulness of Processing:
Processing is lawful only if and to the extent that at least one of the following applies:
- the Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes;
- processing is necessary for the performance of a contract;
- processing is necessary for compliance with a legal obligation;
- processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest; or
- processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party.
Controller and Processor Obligations:
- Implement appropriate technical and organizational measures to ensure and to demonstrate that processing is performed in accordance with the EU GDPR.
- Implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data protection principles by design and by default.
- For Controllers or Processors not established in the EU, designate in writing an EU representative.
- Govern processing by a Processor by a contract or other legal act under EU or Member State law that is binding on the Processor with regard to the Controller and that sets out the required provisions.
- For Processors, not process Personal Data except on instructions from the Controller, unless required to do so by EU or Member State law.
- Maintain a record of processing activities.
- Cooperate on request with the Supervisory Authority.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
- For Controllers, in the case of a Personal Data Breach, notify the competent Supervisory Authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.
- For Processors, notify the Controller without undue delay after becoming aware of a Personal Data Breach.
- For Controllers, communicate the Personal Data Breach to the Data Subject without undue delay when the Personal Data Breach is likely to result in a high risk to the rights and freedoms of natural persons.
- Carry out a data protection impact assessment where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons.
- Designate a data protection officer where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the Controller or the Processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of Data Subjects on a large scale; or
- the core activities of the Controller or the Processor consist of processing on a large scale of Special Categories of Personal Data pursuant to Article 9 or Personal Data relating to criminal convictions and offenses referred to in Article 10.
Data Subject Rights:
The Controller shall respond to the Data Subject without undue delay and in any event within 1 month of receipt of the request. That period may be extended by 2 further months where necessary, taking into account the complexity and number of the requests.
- Right of access
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Right to data portability
- Right to object to processing of Personal Data
- Right not to be subject to a decision based solely on automated processing, including Profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Cross-border Data Transfers to Third Countries or International Organizations:
- Transfers on the Basis of an Adequacy Decision: A transfer of Personal Data to a third country or an international organization may take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection.
- Transfers subject to Appropriate Safeguards: In the absence of an adequacy decision, a Controller or Processor may transfer Personal Data to a third country or an international organization only if the Controller or Processor has provided appropriate safeguards, and on condition that enforceable Data Subject rights and effective legal remedies for Data Subjects are available. [Example: the EU Standard Contractual Clauses.]
- Binding Corporate Rules: Binding corporate rules are data protection policies adhered to by companies established in the EU for transfers of Personal Data outside the EU within a group of undertakings or enterprises. Companies must submit binding corporate rules for approval to the competent Supervisory Authority in the EU.
Personal Data Breach Notification:
- Timeline for Notification to Supervisory Authority: Without undue delay and, where feasible, not later than 72 hours after becoming aware of a Personal Data Breach (unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of natural persons). The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach.
- Requirements for Notification to Supervisory Authority: The notification shall at least:
- (i) Describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
- (ii) Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- (iii) Describe the likely consequences of the Personal Data Breach; and
- (iv) Describe the measures taken or proposed to be taken by the Controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Requirements for Notification to Affected Data Subjects: When the Personal Data Breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the Personal Data Breach to the Data Subject without undue delay. Such notification should at least contain the information required in (ii)-(iv) above.
- When is Notification to Affected Data Subjects not required?
- If the Controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the Personal Data affected by the Personal Data Breach, in particular those that render the Personal Data unintelligible to any person who is not authorized to access it, such as encryption.
- If the Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of Data Subjects is no longer likely to materialize.
- If it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the Data Subjects are informed in an equally effective manner.
More Details
Definitions:
- Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by EU or Member State law, the controller or the specific criteria for its nomination may be provided for by EU or Member State law.
- Data Subject: An identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- Processor: A natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.
- Profiling: Any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Special Categories of Personal Data: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. The EU GDPR also has restrictions on the processing of Personal Data relating to criminal convictions and offenses.
- Supervisory Authority: An independent public authority which is established by a Member State pursuant to Article 51.
Penalties:
Infringements of certain provisions can be subject to administrative fines up to €10,000,000, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Infringements of certain other provisions can be subject to administrative fines up to €20,000,000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Non-compliance with an order by a Supervisory Authority can be subject to administrative fines up to €20,000,000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Remedies, Liability, and Complaints:
- Right to Lodge a Complaint with a Supervisory Authority: Every Data Subject has the right to lodge a complaint with a Supervisory Authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the Data Subject considers that the processing of Personal Data relating to him or her infringes the EU GDPR.
- Right to an Effective Judicial Remedy against a Supervisory Authority: Each natural or legal person has the right to an effective judicial remedy against a legally binding decision of a Supervisory Authority concerning them.
- Right to an Effective Judicial Remedy against a Controller or Processor: Each Data Subject has the right to an effective judicial remedy where he or she considers that his or her rights under the EU GDPR have been infringed as a result of the processing of his or her Personal Data in non-compliance with the EU GDPR.
Effective Date:
May 25, 2018