On 25 May 2018 the General Data Protection Regulation ("GDPR") will come into effect, replacing the EU Data Protection Directive with new, sweeping legislation, fundamentally changing EU law with regard to protection of personal data.
One of the most impactful changes under the new legislation is the potential consequence of breach. Under the GDPR, administrative fines for certain types of infringement can be up to the greater of €20 million or 4% of global annual turnover during the financial year preceding the infringement.
Entities (including Israeli entities), even those whose activities are not physically conducted in the EU, may be required to comply with the GDPR if they collect, process, or transfer any personal data relating to data subjects in the EU. For purposes of the GDPR, "personal data" means any information related to an identified or an identifiable natural person.
The following is a very general, non-comprehensive overview of GDPR provisions.
The GDPR principles require that personal data be collected for specified, explicit, and legitimate purposes, and be processed lawfully, fairly and in a transparent manner that is compatible with the purposes for which it was collected. In addition, the data collected should be adequate, relevant, and limited to what is necessary for the purposes for which the data is processed. Information should be accurate and kept up to date where necessary. It should be kept in a form that permits identification of data subjects only for as long as is necessary for the purposes for which the personal data is being processed. Appropriate security of the personal data should be ensured. The accountability principles require demonstration of compliance with the GDPR principles.
Subject to certain exceptions, processing of personal data should be based on a lawful basis, such as consent, performance of a contract, compliance with a legal obligation, protection of vital interests of a data subject, performance of a task carried out in the public interest, or in exercise of official authority or legitimate interest.
Who is subject to the GDPR?
The GDPR applies to organizations established in the EU and whenever an EU data subject's personal data is processed in connection with goods or services offered to the data subject, irrespective of whether connected to a payment.
In addition, the GDPR applies whenever the behavior of individuals within the EU is monitored. This may include, for example, Internet tracking or profiling.
The GDPR applies to both 'Controllers' and 'Processors' of personal data regardless of the country in which such Controller or Processor is located.
Under the GDPR:
- "Controller" includes any natural or legal person, public authority, agency or any other body that alone or jointly with others determines the purposes, conditions and means of the processing of personal data. For example, an Israeli B2C company offering goods or services directly to EU data subjects may be deemed a Controller under the GDPR.
- "Processor" includes a person or entity that processes personal data on behalf of a Controller. For example, an Israeli company that provides 'software as a service' (SAAS) to corporate customers and in the course of such activities processes personal data of EU data subjects on behalf of its corporate customers may be deemed a Processor under the GDPR.
The GDPR does not apply to processing carried out by individuals for purely personal or household activities.
Data Subject Rights
A Controller must notify data subjects of the existence of certain data subject rights, including the right to access, correct and delete information, the right to object to data processing, the right of data portability, the right to lodge a complaint with a supervisory authority, the right to restrict processing, and rights related to automated decision making and profiling. These rights, as well as additional information including (i) identity of the data Controller; (ii) purposes of the data processing; (iii) (third party) recipients of the data (iv) retention period; (v) contact details of the data protection officer (if any); and (vi) international transfer, should be disclosed to data subjects in a privacy notice,.
Certain categories of personal data are considered especially sensitive and are subject to certain specific additional protections ("special categories"). Special categories of personal data including data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data used for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Accountability and Governance
The GDPR requires organizations to have comprehensive but proportionate governance measures in place with the goal of minimizing the risk of breaches and upholding the protection of personal data. This includes, where relevant, appointment of a data protection officer, record keeping, and implementation of appropriate technical and organizational measures that ensure and demonstrate that an organization is in compliance.
Data Protection Officer and Record Keeping
Under the GDPR, certain organizations requires appointment of a data protection officer. These include any organization (i) that has 250 employees or more, (ii) whose core activities consist of regular and systematic monitoring of EU data subjects, or (iii) that is a public authority. A data protection officer must have sufficient knowledge of data protection law and practices and be able to perform his or her duties and tasks in an independent manner.
Additionally, organizations with more than 250 employees must record data processing activities. Processing that is either (i) frequent and not occasional, (ii) likely to result in a risk to the rights and freedoms of data subjects, or (iii) involves special categories or data relating to criminal convictions and offences, must be recorded in all organizations, irrespective of the number of employees.
Controllers must notify the supervisory authority promptly and in any event not later than 72 hours after having become aware of a personal data breach. When a personal data breach is likely to result in significant risks to the affected individuals (such as identity theft, fraud, physical harm, humiliation, damage to reputation), the Controller must notify the affected individuals.
The GDPR imposes restrictions on the transfer of personal data outside the EU. Personal data of EU individuals may be transferred to an organization outside of the EU only if such organization has provided adequate safeguards in accordance with the GDPR. As of the date of this article, Israel appears on the EU 'White List', and as such, in most cases personal data may be transferred from the EU to Israel without the need to satisfy procedural hurdles that generally apply to export outside of the EU.
Controllers or Processors not established in the EU must designate a representative in the EU. If processing is only occasional and does not include certain categories of data on a large scale, and if the processing is not likely to result in a risk to rights and freedoms, appointment of a representative will not be required.
Enforcement and Penalties
The national data protection authorities of EU Member States, whose power is expanded by the GDPR, are responsible for enforcement. Consequently, the national data protection authorities may carry out investigations, obtain access to the premises of Controllers and Processors, require Controllers and Processors to provide information and may levy administrative fines (as specified above, those fines may be up to the greater of €20 million or 4% of global annual turnover during the preceding financial year).
In light of the significant obligations imposed by the GDPR and the substantial penalties for violations, Israeli entities that will be subject to the GDPR are strongly advised to prepare and obtain expert guidance towards GDPR compliance, including by adjusting internal policies and practices relating to the collection and processing of personal data.
For further information please contact Netanella Treistman at firstname.lastname@example.org
This overview is informative only and should not be treated as legal advice or legal opinion.