GDPR Enforcement Update: Recent Actions Highlight the Need for Proper Disclosures, Providing Access to Data and Third-Party Provider Agreements

January 28, 2019Alerts

If you offer goods or services to individuals in the European Union, have an establishment in the EU or monitor the behavior of individuals in the EU, now would be a good time to review your privacy notices, your process for responding to data subject requests and your agreements with third party service providers.

Enforcement actions from Data Processing Authorities across Europe have highlighted these important aspects of companies’ overall GDPR compliance plans. These actions signal an uptick in enforcement actions from the EU Data Protection Authorities several relatively quiet months since the law took effect in May, 2018.

Say what you do, do what you say - fully, clearly and in one place

French data protection authority CNIL recently imposed a €50 Million fine on a tech company for failing to clearly disclose how it was using consumers' personal information. The sanction provides actionable lessons for companies handling personal information for advertising purposes.

  • Privacy notices are just that. Notices. They are meant to inform individuals of how their data is handled. They do not require consent. And, in fact, requiring consent for the entire privacy notice causes this consent to be invalid under GDPR.
  • Consent depends on adequate disclosure.
    • Disclose all the pertinent aspects of the processing - why you process their information, how long you keep it and the categories of it.
    • Use clear specific language. Vague statements such as “any of the following purposes may apply” will not suffice.
    • Try to put all relevant information in one place.  (This is particularly important if the processing is complex, uses information from different sources or involves sensitive information.)
    • Make sure information you provide users is easily accessible.
    • Refrain from requiring multiple actions to access the necessary information.
  • Consent needs to be specific and unambiguous.
    • Use separate call-outs. Statements such as: “I accept that my information is used as described above” may not suffice.
    • Get consent for each processing/purpose separately, not in bulk.
    • Require action by the user to signify consent (no pre-checked checkboxes).

Revise your Third-Party Data Processing Agreements

If you are a “data controller” under GDPR (which means that you determine the purpose and the means of the processing of the data) make sure you have data processing agreements meeting the requirements of Article 28 of GDPR with each service provider that processes personal data for you.

The Dutch data protection authority recently asked 30 companies in the energy, media and trade sectors for their third party data processing agreements.

Under GDPR, a company may only engage processors that offer sufficient guarantees that they also comply with the EU’s legal requirements. The processor agreement must specify how the protection and processing of personal data is regulated and address issues including:

  • which data will be processed and for how long
  • the nature and purpose of the processing
  • how the security of the data is guaranteed

Failure to comply may come at a significant cost. In Germany, following a complaint, the Hessian data protection authority recently fined a small shipping company – the data controller in this case – €5,000 for failing to have a data processing agreement in place with its Spanish data processing service provider.

If an individual asks for their data – give them the data, with all required disclosures

A new complaint filed by the nonprofit privacy enforcement group NOYB against multiple media streaming services highlights the importance of complying with all aspects of the “right to access” pursuant to Article 15 of GDPR.

Controllers that receive a request from an individual asking for access to their data must disclose all data they hold and which could render the individual identifiable, including cookies, online identifiers, tracking technologies, beacons, IP addresses, pixel tags or device identifiers. They must disclose:

  • purpose
  • categories
  • recipients
  • retention
  • sources (if not the individual)
  • transfers outside the EU
  • the individual’s right to right to request rectification, restriction of or objection to processing
  • the individual’s right to lodge a complaint
  • the existence of automated processing/profiling

Controllers must provide the information in a manner clearly readable by the average consumer. If you provide the data in machine-readable format, you need to also provide an explanation, software or other means to make the data readable and understandable.

Odia Kagan is a partner at Fox Rothschild and chair of the firm’s GDPR Compliance & International Privacy Practice. For help reviewing or updating privacy notices, data request response practices or agreements with third-party service providers or for assistance with other GDPR compliance matters, please contact Odia at [email protected] or by calling 215.444.7313.