Updates Archives - Page 3 of 4

Archive for the ‘Updates’ Category

How to draft a privacy policy

Article 13 of the UK GDPR states that at the time you collect personal data from individuals you must provide them with certain information. The usual way of providing this information is via a privacy notice (also called a ‘privacy policy’ or, in GDPR-speak, a ‘fair processing notice’), which is made available to the individual when their personal data is collected, often via a website link like this one. The privacy notice must be in a “concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12(1)).

Where you are not collecting the personal data directly from the individual, Article 14 requires you to provide the individual with the same information as under Article 13 “within a reasonable period after obtaining the personal data, but at the latest within one month”.

Information audit

The first step is to carry out an information audit (also called a ‘data mapping exercise’) so that you understand:

What personal data your organisation collects, including from customers, suppliers, employees, visitors, job applicants etc.
How the personal data is collected.
Where the personal data is stored, and what technical and organisational measures are in place to ensure security.
What your organisation does with the personal data.
Whom the personal data is shared with, including data storage and SaaS providers.
Whether the personal data is transferred to locations outside the UK, and if so where.
Whether the personal data includes any ‘special category data’, and if so whether any additional safeguards have been put in place.
How long the personal data is kept.

Privacy notice

The next step is then to create the privacy notice by documenting the output of your information audit. The format and content of an organisation’s privacy notice will of course vary from organisation to organisation, but for many businesses the following list should be a useful start:

Name of and contact details for the organisation(s) collecting the personal data, i.e. the identity of the controller providing the privacy notice.
The types of personal data the controller collects, and how the personal data is collected.
Whether any of the personal data constitutes special category data.
What the controller intends to do with the personal data.
The lawful basis for processing the personal data.
Whom the controller shares the personal data with, and why.
Whether the controller transfers any personal data outside the UK, and if so details of the relevant transfer mechanism.
How long the controller keeps the personal data.
How the controller keeps the personal data secure.
If the individual is required by law or by contract to provide the personal data, consequences of not providing it.
Whether the controller uses automated decision-making, including profiling, and if so details of logic involved and consequences of processing for the individual.
What rights the individual has in relation to their personal data.

Final thoughts…

When drafting a privacy notice, it’s tempting to take a broad, catch-all approach – “we will or may use your information for some or all of the following purposes…”, followed by a long list covering pretty much everything you can think of. Although strictly speaking accurate, the broad brush approach is likely to struggle to satisfy the “concise, transparent, intelligible” requirement. Put yourself in the data subject’s shoes: having read the privacy notice, would you understand how your personal information will in fact be used, stored, shared, etc?
Because of the amount of information that you may need (or want) to include, consider adopting a ‘layered’ approach for the privacy notice. This is where you have a high-level, top-layer notice with the key privacy information, with links enabling the data subject to click through a second layer with a bit more detail, and then from the second layer there may be further links to a third layer with the full detail. This layered approach may be particularly useful for mobile or smart devices with small screens.
There is no requirement for all the privacy notice content to be provided to the data subject in one go, and it may make sense for you to provide the data subject with privacy information at the time that they are actually providing you with their personal data – so-called ‘just-in-time’ notices.
As your organisation evolves through the use of new technologies and/or you offer of new products and services, it’s likely that personal data will be collected and used in different ways. Put in place a process which ensures that your privacy notice is updated in line with these changes, and then for the updated notice to be communicated to your data subjects.

Tags: data protection, gdpr, information audit, layered privacy notice, privacy notice, privacy policy
Posted in Privacy, Updates | No Comments »

What is a Data Processing Agreement (DPA)?

A Data Processing Agreement (DPA) confirms the terms on which one party (the ‘processor’) processes personal data provided or made available by another party (the ‘controller’).

Examples of data processing include arrangements where an organisation provides details of its employees and their remuneration packages to a payroll services provider, or provides lists of its clients’ and stakeholders’ email addresses to an email marketing platform, or uploads its business data to a hosted data storage provider.

As well as being the right thing to do commercially, controllers and processors are required by Art 28(3) of the GDPR (now incorporated into UK law, as amended) to enter into a contract which sets out:

The subject-matter and duration of the processing
The nature and purpose of the processing
The type of personal data and categories of data subjects
The obligations and rights of the controller

The contract must also stipulate the processor obligations listed in paragraphs (a) – (h) of Art 28(3):

Only process personal data in accordance with the controller’s documented instructions.
Ensure that individuals authorised to process personal data have committed themselves to confidentiality.
Implement appropriate technical and organizational measures to ensure the information’s security.
Assist the controller with its response to any request by a data subject.
Co-operate with the controller in the event of a personal data breach.
Co-operate with the controller if the controller carries out a data protection impact assessment.
Delete or return the personal data at the end of the engagement.
Not transfer personal data outside of the UK without the controller’s permission.

If a processor wants to engages its own processor (a ‘sub-processor’), the processor must obtain the controller’s specific or general prior authorisation. If the authorisation is general, then the processor must notify the controller of any additional or replacement sub-processor (Art 28(2)). The processor must also enter into a DPA with the sub-processor which imposes on the sub-processor the same data protection obligations as are set out in the DPA between the processor and the controller (Art 28(4)).

Posted in Privacy, Updates | No Comments »

European Commission publishes new draft SCCs for consultation

19/11/20 – By way of background, transfers of EU citizens’ personal data to locations outside the European Economic Area (EEA) require a GDPR-permitted transfer mechanism. (more…)

Tags: data protection, modular SCCs, privacy, SCCs, Schrems II, Standard Contractual Clauses, transfer mechanism
Posted in Privacy, Updates | No Comments »

Special category data – what do I need to know?

Ok, let’s start with the basics. What is ‘special category data’?

Article 9 of the GDPR (as incorporated into UK law, and amended) (“UK GDPR”) defines special category data as:

Personal data revealing:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership.
Data concerning:
- health
- a person’s sex life
- a person’s sexual orientation.

Genetic data.
Biometric data (where used for identification purposes).

In short, special category data is personal data that needs more protection because it is sensitive.

And what does ‘more protection’ mean?

It means that, in addition to ensuring that the processing is generally lawful, fair and transparent, and that it complies with all the other principles and requirements of the UK GDPR, you must comply with the following requirements:

Prior to processing any special category data, you must not only identify and document a lawful basis under Article 6 (as required for all processing of personal data), but you must also satisfy at least one of the conditions for processing special category data listed in Article 9.
Of the 10 conditions for processing special category data in Article 9, five require you to meet additional conditions and safeguards set out in Schedule 1 of the Data Protection Act 2018 (“Schedule 1 conditions”). For some Schedule 1 conditions you also need to put in place an ‘appropriate policy document’. The ICO has provided an appropriate policy document template.
In practice, you may need to use the explicit consent condition for the special category data processing (Article 9(2)(a)). If so, then bear in mind that the individual’s consent must be:
- freely given
- specific, i.e. it must specify the nature of the special category data, and be separate from any other consents
- affirmative, i.e. opt-in
- unambiguous
- capable of being withdrawn at any time.
Article 35 requires you to do a Data Protection Impact Assessment (DPIA) for any type of processing that “is likely to result in a high risk to the rights and freedoms of natural persons”. This is more likely to be the case when processing special category data.
Article 30 requires controllers to maintain a record of processing activities. The exemption from this obligation for organisations employing fewer than 250 persons (Article 30(5)) does not apply where the processing includes special categories of data.
Update your privacy notice with specific information about your processing of special category data.

Tags: Article 9 conditions, dpa 2018, gdpr, lawful basis, lexoo, sensitive data, special category data, UK gdpr
Posted in Privacy, Updates | No Comments »

EDPB Guidelines on controllers and processors

21/09/20 – On 2 September 2020, the European Data Protection Board (EDPB) adopted ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’. The Guidelines deal with the principles underpinning the differences between controllers and processors, and also delve into the more esoteric world of joint controllers. (more…)

Posted in Updates | No Comments »

Demise of the EU-U.S. Privacy Shield

23/07/20 – If you, as a ‘data exporter’, want to transfer personal data to a country outside the EEA (and which is not one of the 12 countries that have been granted an adequacy decision by the European Commission), then you need to use one of the GDPR-approved ‘transfer mechanisms’. (more…)

Tags: data protection, essentially equivalent, FISA, gdpr, privacy shield, SCCs, tia, transfer impact assessment
Posted in Privacy, Updates | No Comments »

The P2B Regulation – regulating the e-commerce gatekeepers

13/07/20 – The EU Platform to Business Regulation (the ‘P2B Regulation’) came into effect on 12 July 2020. The P2B Regulation applies to all online platforms and search engines which provide services to business users in the EU, where those business users offer goods or services to consumers in the EU. (more…)

Posted in Updates | No Comments »

Government’s response to the Law Commission’s report on Electronic execution of documents

12/03/20 – The UK government has issued a Statement in response to the Law Commission’s report on Electronic execution of documents. My article on the Law Commission’s report can be accessed here.

Key takeaways from the government’s Statement:

The government agrees with the report’s conclusion that businesses and individuals can feel confident in using e-signatures in without the need for primary legislation.
The government accepts the report’s recommendation that an Industry Working Group should be established to consider, in particular, the security and technology of electronic signatures.
The Industry Working Group will also be asked to consider the question of video witnessing of electronic signatures.
In accordance with the report’s recommendation, the government will ask the Law Commission to undertake a broader review of the law of deeds. The timing for the review will however be subject to government and Law Commission priorities given the existing volume of law reform work.

Tags: deeds, electronic signature, execution of documents, law commission, video witnessing
Posted in Commercial, Updates | No Comments »

AA v Persons Unknown – recovering Bitcoin ransom payments

10/02/20 – In AA v Persons Unknown [2019], the Commercial Court confirmed that cryptoassets such as Bitcoin can constitute property under English law, and are therefore capable of being subject to a proprietary injunction (i.e. a court order which prevents the defendant from dealing with the relevant property).

The judgment refers extensively, and gives considerable weight, to the UK Jurisdiction Taskforce’s recent Legal Statement on the Status of Cryptoassets and Smart Contracts – see my article on the UKJT Statement here.

Background

In October 2019, one or more hackers encrypted the IT systems of a Canadian insurance company with malware. In order to regain control of its IT systems, the insurance company paid the hacker(s) a ransom of 109.25 Bitcoins (approx. $950,000).

The insurance company’s cybercrime insurer traced the ransom payment to a Bitcoin wallet linked to and controlled by Bitfinex, a crypto exchange operated by two British Virgin Island entities. The insurer applied for a proprietary injunction to recover the 96 Bitcoins that remained in the wallet.

Judgement

Because proprietary injunctions can only be granted over property, the Commercial Court first had to consider whether Bitcoin constitutes a form of property. Although Bitcoin do not fit into either of the two conventional categories of property – ‘choses in possession’ or ‘choses in action’ – the Court reviewed the analysis of the proprietary status of cryptoassets in the UKJT Statement, and in particular the UKJT’s conclusion that, despite their “novel or distinctive features“, cryptoassets may be objects of property rights, and “[i]f it is necessary to classify it at all, then a cryptoasset is best treated as being another, third kind of property” (UKJT Statement, para. 86(a)). The Court agreed with this approach, adding that “it is fallacious to proceed on the basis that the English law of property recognises no forms of property other than choses in possession and choses in action“.

Having confirmed that Bitcoin constitutes property, the Court granted the proprietary injunction.

Tags: Bitcoin, blockchain, cryptoassets, cryptocurrencies, distributed ledger technology, DLT
Posted in Technology, Updates | No Comments »

Next Page »« Previous Page