CLV Partners

forwarding of data

Data Protection Officers are under the spotlight in the European Data Protection Board’s latest coordinated enforcement action

Since 25 May 2018, there is hardly a company that has not had to deal with a Data Protection Officer, or DPO. It has been 5 years since the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC („General Data Protection Regulation”; hereinafter: “GDPR“) came into force, but this does not and cannot mean that “the machine is running, the creator rests.” In view of the continuous development of case law, a review of the regulations may be necessary from time to time.

In 2023, the European Data Protection Board (“EDPB“) decided to conduct a coordinated enforcement action focusing specifically on the designation and operation of DPOs. The coordinated action involves 26 European data protection authorities.

The Data Protection Officer is responsible for protecting the rights and freedoms of data subjects and ensuring compliance with data protection rules. Impartiality and independence are among the requirements for DPOs that most often come to the attention of the authorities. Impartiality and objectivity ensure that the officer is able to closely monitor data management processes, effectively manage data breaches and advise the organisation on compliance with the GDPR and other relevant data protection rules. Impartiality guarantees that the DPO represents data protection issues of all interested parties, be it the employees, contractors, or the management of the organisation. The DPO shall be an expert who has no interest in the organisation or its data processing activities. Conflict of interest also means that the appointed data protection professional must not be in a position or engage in an activity that could jeopardise objective and independent decision-making.

A number of decisions on DPOs have been taken by national authorities in previous years, with the following conclusions:

  • The DPO must not only be registered with the competent authority of the mother company, but the organisation must also notify other relevant authorities if the organisation has other branches and the DPO can operate there too.
  • It is not possible to hire an external company as an outsourced DPO and at the same time also appoint a third party as DPO.
  • If the DPO is in charge of compliance, audit and risk management, the independence or impartiality of the role may be compromised.
  • The DPOs are not allowed to engage in a role as the controller’s representative before the data protection authority, as this could jeopardize the impartiality or independence of the DPO.
  • The DPO can be withdrawn if the DPO no longer has the appropriate professional skills or fails to comply with data protection regulations.
  • The DPO cannot be ordered, and therefore it is a breach of the GDRP if the DPO cannot act on his or her own, but only on the instructions of the head of the company (or any other person with the right to make decisions in the company).

A control plan may formalise the DPO’s procedure, but a direct instruction does not comply with the GDPR.

  • It is also a breach of the GDPR to have several hierarchical levels between the DPO and the senior management of the organisation because this way the DPO is no longer directly accountable to the management.
  • It is not an appropriate solution if the DPO is appointed, but the DPO also performs compliance functions in the company, thus compromising independence and impartiality. The authority in the case confirmed that the DPO cannot perform a role that allows him or her to determine the purposes and means of processing personal data.
  • Similarly, it has been held to be contrary to the prohibition of conflicts of interest, if the DPO is also a managing director of two subsidiaries which are responsible for processing data for the main company. In this case there is a conflict of interest because the DPO supervises the adequacy of the data processing tasks, while having a legitimate interest in the profits and operations of the data processing companies.

As the EDPB will focus on DPOs in its coordinated enforcement actions in 2023, we can expect to see a growing number of decisions in which the determining data protection authority makes decisions in principle on the functioning and impartiality of the DPOs. Further guidelines or statements may be issued by national or EU authorities.

GPDR after Brexit – Data transfers outside the EU

After years of negotiations the United Kingdom has officially left the European Union, therefore the UK has become a “third country”. We would like to take this opportunity to point out the special rules concerning the UK and data transfers outside the EU in general.
Data transfer to the UK

As we have noted in our latest article on Brexit, some changes need time to enter into force. According to the withdrawal agreement concluded between the UK and the EU, there will be a transition period until 31 December 2020. In this transition period, the GDPR is still applicable in the UK, so the UK would not be considered as a third country until the end of this year.

What happens after the transition period?

It is very important to note that any data processed before the end of the transition period shall continue to be processed in accordance with the GDPR. Thus, personal data transferred to the UK during the transition period shall be guaranteed the same level of safety as currently provided by the GDPR and data subjects have no cause to worry about their right to privacy.

After the transition period, the UK and the EU still need to iron out the specifics of data protection. Certainly, for most data controllers that would be most convenient if the UK continued to apply the GDPR.

However, in the event of a “no-deal” Brexit or if the “deal” excludes data protection, the rules of transferring data outside the EU would have to be applied to the UK.

Data transfers outside the EU

One of the most emphasized general rule of the GDPR is that transferring data outside the EU is not allowed only with a very few exceptions. There are three categories of these exceptions, “adequacy decisions” in Article 45, “appropriate safeguards” in Article 46 and “derogations for specific situations” in Article 49.

Adequacy decisions

With regards to Brexit, the second best scenario would be an EU Commission adequacy decision. Data may be transferred without any special rules or authorizations to third countries deemed to provide an adequate level of data protection. While the decision falls to the discretion of the Commission, we expect this to be a very likely outcome, as the UK has high standards of data protection in their national legislation.

Appropriate safeguards

Should the UK not be found adequate, the next option is for the data controller or processor to provide appropriate safeguards. These safeguards are subject to the approval/ adoption of the Commission and/or the supervisory authority. The most relevant of these safeguards are as follows:

• binding corporate rules (BCR) of a corporate group (approved by the supervisory authority);
• standard data protection clauses (adopted by the Commission);
• standard data protection clauses (adopted by a supervisory authority and approved by the Commission);
• an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights;
• an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

The abovementioned options require either significant effort from the data controller (i.e. drafting BCRs or codes of conduct) or a proactive supervisory authority (i.e. drafting and adopting standard clauses). Since the GDPR’s entry into force, no standard clauses have been adopted yet. Consequently, most data controllers might find appropriate safeguards a barrier too high to entry.

Derogations for specific situations

The last option is derogations for specific situations, to be applied for exceptional cases and will not serve as legal basis for systematic or regular transferring of personal data. The most relevant of these situations are as follows:

• explicit consent of a data subject informed of the risks of transfer to the third country;
• transfer is necessary for the performance of a contract between the data subject and the data controller or a contract concluded in the interest of the data subject;
• transfer is necessary for the establishment, exercise or defence of legal claims;
• transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.

In any event, if the data controller uses these derogations as basis for data transfer outside the EU, the transfer may only take place if it is not repetitive and concerns only a limited number of data subjects, in addition the controller must demonstrate a compelling legitimate interest and inform the supervisory authority as well as the data subject. This is considered the least favourable option for data controllers because of their obligations to inform.

News on adendment of information act with the effect form 1 October, 2015

The act CXII of 2011 on information self-determination and freedom of information („Information Act”) has been amended with the effect of 1 October, 2015.

The amendments provide new possibilities regarding the forwarding of personal data to third countries as it is possible for the datacontroller to provide adequate level of protection to forward the data to third countries with the preparation and application of binding corporate rules („BCR”). It is a significant change also in the light of the recent EU Court decision on the invalidity of the Safe Harbour agreement.

Moreover to the significant amendments above the provisions of Information Act regarding the rights of affected people are amended as well and the amount of fine give by NAIH is also amended as it can be twenty million forints at the highest (instead of the prior ten million forints).
 

Should you have any questions regarding the above, please feel free to contact us.
 
Dr. Marianna Csabai
H-1126 Budapest, Tartsay Vilmos u. 3.
Tel: + 36 1 488 7008
Fax: + 36 1 488 7009
E-mail: