International Laws & Policy Guidelines
As businesses struggle to keep up with fast-changing data protection laws and face more compliance issues in their marketing, BDP Agency is uniquely positioned to help guide clients.
Supplying databases around the globe, BDP Agency provides high quality data services and management wherever our clients do business. BDP’s global presence combined with a depth of experience in each region gives clients the important advantage of local knowledge and cultural awareness, combined with consistent, practical advice.
Our team members are very involved in their local compliance culture and maintain close contacts with local regulators in Asia Pacific, Europe and the US. Our data team has successfully worked together in recent years to assist many companies with advice on their data compliance.
Each controller or processor is required to appoint a Data Protection Officer (DPO) if it satisfies one or more of the following tests:
Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities, provided that the data protection officer is easily accessible from each establishment. In practice this means that larger corporate groups may find it difficult to operate with a single data protection officer. (Article 37.2)
DPOs must have “expert knowledge” of data protection law and practices. It is possible to outsource the Data Protection Officer role to a service provider. (Article 37.5 & Article 37.6)
Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data”. The DPO must also report directly to the highest management level, must not receive instructions regarding the performance of their tasks, and must not be dismissed or penalised for performing those tasks. (Article 38.1 & Article 38.3)
The specific tasks of the DPO include:
Data Protection Principles
Controllers are responsible for compliance with principles which apply to all processing of personal data. Under these principles, personal data must be:
The controller is responsible for, and must be able to demonstrate, compliance with the principles above. This is the “accountability principle”. Accountability is a core theme throughout the GDPR: not only must organisations comply with the GDPR, they must also be able to demonstrate compliance, possibly years after a decision was made in relation to the processing of personal data. To achieve accountability, organisations will have to keep records, carry out audits and put appropriate governance in place; all of these play a key role in achieving accountability.
Legal Basis under Article 6
The use of personal data must be justified by reference to an appropriate basis for processing in order to satisfy the lawfulness principle. The legal bases (also known as lawful bases or lawful grounds) on which data may be processed are (Article 6.1):
Special Category Data
The processing of special category data is prohibited unless one of the following exemptions applies:
Member States are required to introduce further conditions and limitations on the processing of genetic, biometric and health data.
Criminal Convictions and Offences data
The processing of personal data relating to criminal convictions and offences is prohibited unless it is carried out under the control of an official public authority, or is specifically authorised by a Member State's domestic law. (Article 10)
Processing for a secondary purpose
It is becoming increasingly common for organisations to wish to re-purpose personal data: for example, data collected for one purpose is reused for a new purpose which was not disclosed to the data subject at the time the data was first collected. This is a potential conflict with the principle of purpose limitation, which exists to ensure that the rights of data subjects are protected. The GDPR lists a series of factors that the controller must consider when deciding whether the new processing is compatible with the purpose for which the personal data was initially collected (Article 6.4). The factors are:
If the data controller concludes that the new purpose or purposes are incompatible with the original purpose, then the only bases on which it can justify the re-use of the data are consent or a legal obligation, which could be an EU or Member State law.
Transparency (Privacy Notices)
The GDPR is heavily invested in transparency: for example, the right of a data subject to understand how and why their data is used, and what other rights are available to them to control the processing.
The following information must be provided at the time that the data is obtained in a concise, transparent and easily accessible form, using clear and plain language (Article 12.1):
Rights of the Data Subject
Data subjects have rights to control the processing of their personal data; some are broadly applicable, while others apply only in limited circumstances. Controllers must provide data subjects with information on the actions taken in response to their requests within one calendar month by default, with a limited right for the controller to extend this period by up to a further two months where the request is excessive.
Right of access (Article 15)
A data subject is entitled to request access to, and obtain a copy of, their personal data, along with information about how the data has been used by the data controller.
Right to rectify (Article 16)
Data subjects may require inaccurate or missing personal data to be corrected or completed without undue delay.
Right to erasure (‘right to be forgotten’) (Article 17)
Data subjects can request the erasure of their personal data. This right is not absolute and arises only in a fairly narrow set of circumstances, specifically when a controller no longer needs the data for the purposes for which it was collected.
Right to restriction of processing (Article 18)
Data subjects have the right to restrict processing of their personal data in specific circumstances, including where the accuracy of the data is contested, where the processing is unlawful, where the data is no longer needed, or where the legitimate grounds for processing relied on by the controller are contested.
Right to data portability (Article 20)
Where the processing of personal data is justified either by the data subject's consent or by the necessity of the processing for the performance of a contract, the data subject has the right to receive their data, or have it transmitted to another controller. All the personal data concerning the data subject should be provided in a structured, commonly used and machine-readable format, for example a file format recognised by common software applications, such as a .xls spreadsheet file.
Right to object (Article 21)
Data subjects have the right to object to processing carried out on the legal basis of the legitimate interests of the data controller, or where the processing is in the public interest. The controller must then suspend its processing of the personal data until it has demonstrated “compelling legitimate grounds” for the processing which override the rights of the data subject.
At any time, data subjects have an unconditional right to object to the processing of their personal data for direct marketing purposes.
The right not to be subject to automated decision taking (Article 22)
Automated decision making, also including profiling, “which produces legal effects concerning the data subject … or similarly affects him or her” is only permitted where:
Where significant automated decisions are taken, the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.
The transfer of personal data by a data controller or processor to third countries outside the EU, Norway, Liechtenstein and Iceland is only permitted if the conditions laid down in the GDPR are met. (Article 44)
The European Commission has the power to decide that a third country provides an adequate level of data protection, meaning that personal data may be freely transferred to that country or territory.
Currently the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions), Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, Switzerland, Eastern Republic of Uruguay and New Zealand.
Third country transfers are also permitted where the controller or processor has provided appropriate safeguards, on the condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes, amongst others, binding corporate rules, standard contractual clauses and the EU-U.S. Privacy Shield.
The GDPR includes a list of specific points to permit transfers to third countries where:
There is, however, a very limited derogation permitting a transfer where no other mechanism is available and the transfer is necessary for the compelling legitimate interests of the controller, which are not overridden by the interests and rights of the data subject. If you are relying on this derogation, the supervisory authority must be notified and the data subject must be informed.
Transfers of data demanded by courts, tribunals or administrative authorities of countries outside the EU are only recognised or enforceable within the EU where they are based on an international agreement, for example a mutual legal assistance treaty in force between the requesting third country and the EU or a Member State. A transfer made in response to such a request, where no other legal basis for the transfer exists, is an infringement of the GDPR.
The GDPR is not prescriptive when it comes to technical standards or measures; it leans towards a proportionate and context-specific approach to security. Controllers and processors are required to implement appropriate technical and organisational measures to ensure a level of security which is appropriate and proportionate to the risk of the processing.
However, the GDPR does require controllers and processors to consider the following when carrying out the assessment on their security:
The GDPR contains a general requirement for personal data breaches to be notified to the supervisory authority by the controller. For more serious breaches, the affected data subjects must also be notified. A “personal data breach” is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. (Article 4)
The data controller must notify the supervisory authority of the data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the data controller has determined that the breach is unlikely to result in a risk to data subjects. If it is determined that data subjects are at high risk, the controller must also notify the affected data subjects without undue delay. (Article 34)
If the breach occurs at the level of a data processor, the processor is required to notify the data controller without undue delay after becoming aware of the data breach. (Article 33.2)
When notifying the supervisory authority of the data breach, the notification must include, where possible, the categories and approximate numbers of individuals and records concerned, the name of the organisation's data protection officer, the likely consequences of the breach and the measures taken to minimise harm. (Article 33.3)
Data controllers are also required to keep a record of all data breaches, whether or not they were notified to the supervisory authority, and that record is subject to audit by the supervisory authority. (Article 33.5)
The GDPR supervisory authorities have the power to impose fines up to 4% of annual worldwide turnover, or up to €20 Million (EUR), whichever is higher.
The European Commission's intention is that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor alone. ‘Undertaking’ is not defined, and the extensive case-law is not straightforward, with decisions usually turning on the specific facts of each case.
Fines are split into two categories.
The higher category of fines is up to €20 million (EUR) or, in the case of an undertaking, up to 4% of total worldwide turnover of the previous year, whichever is higher. This applies to infringements of the following:
The lower category of fines is up to €10 million (EUR) or, in the case of an undertaking, up to 2% of total worldwide turnover of the previous year, whichever is higher. This applies to infringements of the following:
Supervisory authorities are not required to impose fines but they must ensure that in each case the sanctions that are imposed are deemed effective, proportionate and dissuasive. (Article 83.1)
Fines may also be imposed in combination with other sanctions.
Investigative and corrective powers
Supervisory authorities have investigative and corrective powers (Article 58). These include the power to carry out on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.
Right to claim compensation
The GDPR makes specific provision for individuals to bring private claims against controllers and processors. This applies when:
All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority which concerns them, or where a supervisory authority fails to reach a decision.
Data subjects also have the right to an effective legal remedy against a controller or processor.
The GDPR applies to the majority of electronic marketing activities, since they almost always involve some use of personal data, for example an email address which includes the recipient's name. The most plausible legal bases for electronic marketing are consent or the legitimate interests of the controller, and the GDPR sets strict standards for consent. When consent is relied on, the marketing consent forms need clearly worded opt-in mechanisms, such as ticking an unticked consent box or signing a statement. Acceptance of terms and conditions, or consent implied from conduct such as visiting a website, does not qualify.
Data subjects have an unconditional right to object to and therefore prevent any form of direct marketing which includes electronic marketing, at any time. (Article 21.3)
There are specific rules on electronic marketing, which include circumstances in which consent must be obtained, these are to be found in Directive 2002/58/EC (ePrivacy Directive), as transposed into the local laws of the Member States. The ePrivacy Directive is soon to be replaced by a regulation, which is currently forecast for spring 2019.
In the meantime, the GDPR makes it clear that references to Directive 95/46/EC are to be read as references to the GDPR. In particular, the Directive 95/46/EC standard for consent referenced in the ePrivacy Directive is replaced by the GDPR standard for consent. (Article 94)
Direct marketing to natural persons by means of automated calling systems, fax, email, text, voice, sound or image messages is only allowed if the natural person has given prior consent. Other means of direct marketing are allowed if the natural person in question has not specifically forbidden them. If, for example, a service provider receives an email address, or another category of contact information, in relation to the sale of a product or service, the service provider may use this contact information to market its own products or services, as long as they are within the same product group as, or otherwise similar to, those sold to the natural person in question. However, the natural person must be able to easily opt out of any direct marketing at no cost, and the service provider must clearly inform the natural person of that possibility.
A service provider may use direct marketing with legal persons unless it has been specifically forbidden. As with natural persons, legal persons must also be able to opt out of any direct marketing easily and at no cost, and the service provider must clearly inform them of that possibility.
Electronic marketing is not specifically addressed in the Act; however, the use of personal data for marketing purposes falls within the scope of the Act. Where personal data is processed for marketing purposes, it is argued that the consent of the data subject is a requirement.
Electronic marketing is regulated by the Austrian Telecommunications Act (2003, ‘TKG’). Under the TKG, sending electronic messages without the prior consent of the recipient is unlawful if it is for direct marketing purposes or is sent to more than 50 recipients. Where the data was acquired through the sale of goods or the provision of services and is used for the sale of similar goods or services, consent is not required, but the recipient must be able to easily decline the use of their personal data. Recipients can also be entered on the list maintained by the Austrian Regulatory Authority for Broadcasting and Telecommunications to indicate that they do not want to be contacted.
The relevant section of the TKG states that a user must give informed consent to the storage of personal data, which includes cookies. The user also has to be aware that consent has been given and must have actively agreed. Therefore, obtaining consent through a pop-up or an agreement is advised.
The location data of a natural person can be processed if it is for the purpose of offering and using added value services, if:
The value-added service being offered needs to ensure that:
The user or subscriber is entitled to request and receive the location data from their device from the service or communications provider at any time. Location data can only be processed for value-added services, and the consent of the user is required. Where consent is given, the user must be able to prohibit the processing through easy means and free of charge.
Traffic data held by communications service providers must be erased or anonymised when it is no longer needed for the purpose of transmitting a communication; however, traffic data may be retained for the purpose of invoicing the services. Once the invoice has been paid and no appeal has been made to the CSP within three months, the traffic data must be erased or anonymised.
Here is a list of all the contact information you need for the data protection authorities in Europe.
Phone: +43 1 52 152-0
Our licensing and terms and conditions ensure that all purchases from us, and any subsequent marketing undertaken, are GDPR compliant. The GDPR consists of rules regarding the processing of data and its purpose, as well as the documentation of its use and possession.