{"id":1252,"date":"2023-10-13T13:01:35","date_gmt":"2023-10-13T13:01:35","guid":{"rendered":"https:\/\/aurele-it.fr\/?p=1252"},"modified":"2023-10-13T13:01:35","modified_gmt":"2023-10-13T13:01:35","slug":"gdpr-compliance-overview","status":"publish","type":"post","link":"https:\/\/aurele-it.fr\/en\/gdpr-compliance-overview\/","title":{"rendered":"GDPR Compliance Overview"},"content":{"rendered":"<p>This overview outlines the key features of GDPR implementation in the light of the landmark decisions of the French and European regulators over the past 5 years. Its purpose is to assist you in planning your GDPR project with a risk-based approach, aligned with the regulatory authorities\u2019 expectations.<\/p>\n<h3>Summary<\/h3>\n<ol>\n<li>Overview of the past 5 years of GDPR enforcement\n<ul>\n<li>Key statistics<\/li>\n<li>Recent landmark cases<\/li>\n<\/ul>\n<\/li>\n<li>GDPR Key features\n<ul>\n<li>Extraterritorial scope outside the European Union &amp; data transfers<\/li>\n<li>Principles: Accountability, Privacy by design<\/li>\n<li>Actors: Controllers vs. 
Processors; DPOs<\/li>\n<li>Documentation: Record, DPA, DPIA<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p>Conclusion: upcoming European regulations impacting data<\/p>\n<hr \/>\n<h2>Overview of the past 5 years of GDPR enforcement<\/h2>\n<p>GDPR is a European Regulation which came into effect in May 2018.<\/p>\n<p>The General Data Protection Regulation (GDPR):<\/p>\n<ul>\n<li>carries penalties of up to the higher of \u20ac20 M or 4% of the organization\u2019s worldwide annual turnover<\/li>\n<li>applies to companies even with no presence in the EU<\/li>\n<li>covers personal data (any data directly or indirectly identifying a natural person) &amp; all processing (any operation performed on personal data)<\/li>\n<li>applies without distinction to any organization, whatever its size, turnover or activity sector<\/li>\n<\/ul>\n<p>The aggregate amount of <strong>sanctions<\/strong> issued under GDPR by the 27 data protection authorities across Europe and the UK from 2018 to 2022 is <strong>\u20ac2.5 Bn.<\/strong><\/p>\n<p>Aggregate reported GDPR fines increased by 50% year-on-year in 2022 vs 2021, whereas <strong>109,000 data breaches<\/strong> were notified to regulators in 2022 <em>(a decrease from the total of approximately 120,000 in 2021).<\/em><\/p>\n<h4><strong>Grounds for sanctions &amp; top enforcement priorities in 2022<\/strong><\/h4>\n<p>=&gt; <strong>Ad-tech<\/strong> and behavioral advertising<\/p>\n<p>=&gt; 50 % of sanctions issued by the French supervisory authority relate to a <strong>lack of security measures<\/strong> (art. 32)<\/p>\n<p>Frequent grounds for sanctions include <strong>excessive retention durations<\/strong> &amp; lack of transparency.<\/p>\n<p><em>Sources: DLA Piper\u2019s 2022 annual GDPR survey, CNIL statistics<\/em><\/p>\n<h3>GDPR Key statistics<\/h3>\n<p>DPOs &#8211; key figures for France are the following:<\/p>\n<ul>\n<li><strong>73,000<\/strong> organizations had appointed a 
DPO in 2020.<\/li>\n<li>Profiles: <strong>47 % have a background other than legal and tech<\/strong>: administrative and financial background, audit &amp; compliance.<\/li>\n<li><strong>72 % internal DPO<\/strong>: employee of a single controller<\/li>\n<li><strong>13.5 % shared internal DPO<\/strong>: employee shared between several controllers<\/li>\n<li><strong>14.7 % external DPO<\/strong> in an independent structure (e.g. an attorney).<\/li>\n<\/ul>\n<p>With these key statistics in mind, let&#8217;s examine some high-profile cases that have set significant precedents over the past 5 years.<\/p>\n<h3>Overview of the past 5 years &#8211; high-profile cases<\/h3>\n<h4><strong>Criteo case (June 2023)<\/strong><\/h4>\n<p>Criteo \u2013 <a href=\"https:\/\/www.cnil.fr\/en\/personalised-advertising-criteo-fined-eur-40-million\" target=\"_blank\" rel=\"noopener\">CNIL 15\/06\/2023 &#8211; fined \u20ac40 M<\/a><\/p>\n<p>Through the one-stop-shop mechanism, Criteo was fined \u20ac40 M by the CNIL, representing 2% of the company\u2019s worldwide turnover of \u20ac2 Bn.<\/p>\n<p>Criteo is an AdTech company specializing in ad retargeting: it tracks the browsing activity of users and serves personalized ads through cookies.<\/p>\n<p>The CNIL found that it had failed to demonstrate that individuals had given their consent when cookies were placed on their devices.<\/p>\n<p>The main grievances include:<br \/>\n&#8211;<span style=\"color: #ff0000;\"> lack of control &amp; contractual allocation of responsibilities between joint controllers<\/span><br \/>\n&#8211; failure to respect the right to withdraw consent<br \/>\n&#8211; lack of information &amp; transparency obligations and failure to comply with the right of access<\/p>\n<h4><strong>Credential stuffing case (January 2021)<\/strong><\/h4>\n<p><a href=\"https:\/\/www.cnil.fr\/fr\/credential-stuffing-la-cnil-sanctionne-un-responsable-de-traitement-et-son-sous-traitant\" 
target=\"_blank\" rel=\"noopener\">CNIL 27\/01\/21 &#8211; controller fined \u20ac150,000<\/a> &#8211; processor fined \u20ac75,000<\/p>\n<p>On the basis of GDPR article 32, the CNIL sanctioned the failure to implement technical and organizational measures that would have prevented the data breach.<\/p>\n<p>Paradigm shift: this was the first time a processor\u2019s liability was engaged under GDPR. However, the controller\u2019s liability is not relieved.<\/p>\n<hr \/>\n<h2>GDPR Key features<\/h2>\n<h3>GDPR extraterritorial scope outside the EU<\/h3>\n<p>GDPR applies to any organization that (art. 3):<\/p>\n<p>\ud83d\udd38 is established in the EU, regardless of whether the processing takes place in the EU or not<\/p>\n<p>\ud83d\udd38 is not established in the EU, when<\/p>\n<ul>\n<li>it processes personal data of EU residents when offering them goods or services<\/li>\n<li>it monitors EU residents\u2019 behavior<\/li>\n<\/ul>\n<h3><strong>GDPR Principles<\/strong><\/h3>\n<p>\ud83d\udd38 <strong>Accountability<\/strong>: organizations are responsible for ensuring and demonstrating compliance with GDPR&#8217;s requirements for the processing of personal data, and must implement internal mechanisms and procedures to demonstrate compliance with the legislation<\/p>\n<p>\ud83d\udd38 <strong>Privacy by design<\/strong>: a methodology that considers GDPR-related issues from the outset of any project involving the creation of products or services<\/p>\n<p>\ud83d\udd38 <strong>Privacy by default<\/strong>: corollary of privacy by design &#8211; from the inception of the service or product, privacy protection is implemented and applied by default, without requiring any user intervention<\/p>\n<h3><strong>GDPR Actors &#8211; DPO<\/strong><\/h3>\n<p>(art. 37) Private organizations: a controller or processor shall designate a DPO where its core activities:<\/p>\n<p><strong>a) involve regular and systematic monitoring 
of individuals on a large scale<\/strong><\/p>\n<p>=&gt; Large scale is not a defined concept. EDPB guidelines take into consideration (i) the number of individuals concerned, (ii) the categories of data processed (their volume and\/or nature), (iii) the duration of the processing and (iv) the geographical extent.<\/p>\n<p><strong>or<\/strong><\/p>\n<p><strong>b) involve large-scale processing of sensitive data<\/strong><\/p>\n<p>=&gt; Sensitive data (art. 9 GDPR): biometric &amp; genetic data, data concerning health, sexual life, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning criminal convictions and offenses (art. 10 GDPR).<\/p>\n<h3>GDPR Actors: Controllers vs. Processors<\/h3>\n<p>\ud83d\udd38 <strong>Controller<\/strong>: organization which alone or jointly with others determines the purposes and the means of the processing<\/p>\n<p>\ud83d\udd38 <strong>Joint controllers<\/strong>: where 2 or more controllers jointly determine the purposes and means of processing<\/p>\n<p>\ud83d\udd38 <strong>Processor<\/strong>: organization which processes data on behalf of a controller and under its instructions<\/p>\n<p>Accountability implies that specific documentation must be made available to the regulator upon request.<\/p>\n<p>It includes the record of processing activities and the GDPR documentation.<\/p>\n<h3><strong>Record of processing activities<\/strong><\/h3>\n<p>When it comes to GDPR projects, businesses tend to focus on quick wins.<\/p>\n<p>However, it is important to keep in mind that the record of processing activities is the first and fundamental basis of your GDPR implementation project.<\/p>\n<p>(art. 30) Controllers shall maintain a record of processing activities (personal data mapping) listing:<\/p>\n<ul>\n<li>name and contact details of the controller, joint controller, controller\u2019s representative &amp; DPO<\/li>\n<li>purposes of the processing<\/li>\n<li>categories of data 
subjects &amp; categories of personal data<\/li>\n<li>categories of recipients<\/li>\n<li>where applicable, transfers outside the EU &amp; documentation of suitable safeguards<\/li>\n<li>retention duration<\/li>\n<li>description of the technical and organizational security measures<\/li>\n<\/ul>\n<h3><strong>GDPR Documentation &#8211; Data Protection Agreement<\/strong><\/h3>\n<h4><strong>Art. 28: Between a controller &amp; its processor, it sets out<\/strong><\/h4>\n<ul>\n<li>the subject-matter and duration of the processing<\/li>\n<li>the nature and purpose of the processing<\/li>\n<li>the type of personal data and categories of data subjects<\/li>\n<li>that the processor:\n<ul>\n<li>processes the personal data only on documented instructions from the controller<\/li>\n<li>ensures that persons authorized to process the personal data have committed themselves to confidentiality<\/li>\n<li>takes all measures required pursuant to <u><a href=\"https:\/\/gdpr-info.eu\/art-32-gdpr\/\">art. 32<\/a><\/u><\/li>\n<li>engages another processor only subject to the controller\u2019s approval<\/li>\n<li>makes available to the controller all information necessary to demonstrate compliance<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h4><strong>Art. 26: Between joint controllers<\/strong><\/h4>\n<ul>\n<li>they determine their respective responsibilities<\/li>\n<li><strong>applicable between entities of the same group or between two different companies<\/strong><\/li>\n<\/ul>\n<p>Where there is a data transfer: Standard Contractual Clauses <em>(template of the European Commission, June 4 2021)<\/em><\/p>\n<h3><strong>GDPR Documentation &#8211; DPIA<\/strong><\/h3>\n<p><strong>(art. 35)<\/strong> If a processing operation meets at least 2 of the following criteria, a Data Protection Impact Assessment (DPIA) must be conducted:<\/p>\n<ul>\n<li>involves the evaluation or scoring of personal aspects or the rating of the data subject, such as their work 
performance, health, preferences or interests, reliability or behavior, location, and movements<\/li>\n<li>involves automated decision-making with significant effects on the data subject, such as the loss of a right (credit refusal, denial of a promotion, denial of a position)<\/li>\n<li>involves systematic monitoring of individuals (e.g. video surveillance)<\/li>\n<li>involves the collection of sensitive data<\/li>\n<li>concerns &#8220;vulnerable&#8221; individuals (employees or minors)<\/li>\n<li>involves large-scale processing<\/li>\n<li>involves the matching or combining of datasets<\/li>\n<li>involves the use of innovative technology or the application of new technological solutions (connected devices, fingerprint recognition systems, facial recognition)<\/li>\n<li>prevents the data subject from exercising a right or benefiting from a service\/contract<\/li>\n<\/ul>\n<hr \/>\n<h2>Conclusion: upcoming European regulations impacting data<\/h2>\n<p>The upcoming European regulations impacting data are game-changing, landmark regulations:<\/p>\n<p>\ud83d\udd38 <strong>Digital Services Package<\/strong>, including the Digital Services Act and the Digital Markets Act, passed in July 2022<\/p>\n<p>\ud83d\udd38 <strong>AI Act<\/strong>: voted by the European Parliament on June 14 2023; the final version of the law is expected to be passed later this year:<\/p>\n<ul>\n<li>bans biometric surveillance, emotion recognition and predictive policing AI systems<\/li>\n<li>introduces a right to make complaints about AI systems<\/li>\n<\/ul>\n<p>\ud83d\udd38 <strong>Data Act<\/strong>: draft issued by the European Commission in Feb. 
2022, a proposal for a regulation establishing a harmonized framework for industrial, non-personal data sharing in the EU<\/p>\n<p>\ud83d\udd38 <strong>Data Governance Act<\/strong>: aimed at public sector organizations (States, authorities) &amp; data sharing service providers, including content-sharing platforms, social networks and cloud services<\/p>\n<p>\ud83d\udd38 <strong>E-privacy regulation<\/strong>: EU Council\u2019s draft regulation aiming to replace the 2002 e-privacy Directive<\/p>\n<p>Author: <a href=\"https:\/\/aurele-it.fr\/en\/florence-ivanier-attorney-at-law-member-of-the-paris-bar\/\">Florence Ivanier, Attorney<\/a>, member of the Paris Bar, Data Protection Officer<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This overview outlines the key features of GDPR implementation in the light of the landmark decisions of the French and European regulators over the past 5 years. Its purpose is to assist you in planning your GDPR project with a risk-based approach, aligned with the regulatory authorities\u2019 expectations. 
<\/p>\n","protected":false},"author":2,"featured_media":1270,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[40],"tags":[],"class_list":["post-1252","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-gdpr"],"_links":{"self":[{"href":"https:\/\/aurele-it.fr\/en\/wp-json\/wp\/v2\/posts\/1252","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aurele-it.fr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aurele-it.fr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aurele-it.fr\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/aurele-it.fr\/en\/wp-json\/wp\/v2\/comments?post=1252"}],"version-history":[{"count":13,"href":"https:\/\/aurele-it.fr\/en\/wp-json\/wp\/v2\/posts\/1252\/revisions"}],"predecessor-version":[{"id":1269,"href":"https:\/\/aurele-it.fr\/en\/wp-json\/wp\/v2\/posts\/1252\/revisions\/1269"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/aurele-it.fr\/en\/wp-json\/wp\/v2\/media\/1270"}],"wp:attachment":[{"href":"https:\/\/aurele-it.fr\/en\/wp-json\/wp\/v2\/media?parent=1252"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aurele-it.fr\/en\/wp-json\/wp\/v2\/categories?post=1252"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aurele-it.fr\/en\/wp-json\/wp\/v2\/tags?post=1252"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}