Practical Compliance Steps

Authors: Katherine H Woodcock; W Gregory Voss
Pages: 45-96
Chapter 3
Practical Steps for Compliance
In practice, companies need to accomplish three major sets of steps in order to ensure
compliance with EU data protection laws: (1) the notification or registrations with
the relevant data protection authorities (DPAs); (2) the development of internal
documentation; and (3) ensuring the compliance of international data transfers. These steps
have been handled separately in this chapter for the sake of discussion; however, all
three are closely (even intimately) correlated and cannot be separated from a
compliance perspective—meaning that all are equally important in terms of compliance with
the law. For example, you cannot confront the issue of interacting with DPAs (i.e.,
filing notifications) unless you have drafted and implemented internal documentation
and are confident about compliance with the rules on international transfers.
I. INTERACTIONS WITH DPAS
Interactions with the relevant DPAs fall under three possible categories: (1) the
obligation to register data processing activities; (2) the obligation to have the DPA
perform a prior check on processing activities in certain specific circumstances; and,
finally, (3) dealing with the DPA’s general abilities to investigate, ask follow-up
questions, request information, and generally act as a supervisory body.
A. Notifications to DPAs
Article 18(1) of the Directive sets out the obligation to register data processing with
the relevant DPA:
Member States shall provide that the controller or his representative, if any,
must notify the supervisory authority referred to in Article 28 before carrying
out any wholly or partly automatic processing operation or set of such
operations intended to serve a single purpose or several related purposes.1
Notication to the relevant DPA is “designed to ensure disclosure of the purposes
and main features of any processing operation for the purpose of verication that the
1. Directive 95/46/EC of the European Parliament and of the Council of 24 Oct. 1995 on the protection
of individuals with regard to the processing of personal data and on the free movement of such data
[hereinafter Directive], 1995 O.J. (L 281) 31 (Nov. 23, 1995), art. 18(1), at 43–44.
Navigating EU Privacy and Data Protection Laws
operation is in accordance with the national measure taken under . . . [the] Directive.”2
Generally, entities acting as data controllers are required to notify the processing of
personal data to the relevant DPA for inclusion on a public register maintained by it,
subject to a number of exemptions. As mentioned, controllers are legal entities that
collect data from their employees and others and specify in what manner and for what
purpose such data will be processed or used. Thus, companies will need to assess
which entities collect data about their employees, customers, and others; who holds
the data; and which entities should file a notification to the relevant DPA.
In a small number of countries, for example in Finland and Ireland, data processors
are also subject to notification obligations.
1. Timing of Notifications—Prior to Processing
Controllers subject to the relevant DPA’s national law must register their processing
activities prior to carrying them out. In reality, as many companies are catching up
with their basic notification requirements, this is a bit of a gray area—with companies
pretending they are complying and DPAs turning a blind eye to the fact that many
companies are notifying practices or data files that have been in place for years.
Typically, this is not an issue for low-impact processing (e.g., basic human resources data);
however, when files pertain to more sensitive issues (e.g., whistle-blowing hotlines,
criminal background information, etc.), more care should be taken when notifying
and it may be worthwhile to consult a local lawyer to verify the possible risks. It is
also worth considering, when playing catch up, whether processing should be
suspended until the notification procedure has been finalized with the DPA.
2. Exemptions from Notification
Exemptions from notification are provided “where processing is unlikely adversely
to affect the rights and freedoms of data subjects.”3 Most Member States have
simplified notification procedures or exempted certain categories of data processing from
the notification requirement. These exemptions depend on the country and
factual circumstances (e.g., types of data processed and the purposes for processing).
Most countries permit exemptions for data processing in the context of basic human
resources processing (e.g., payroll and administration of basic benefits) and business
contact information. Additionally, a few exclude data processing for accounting
purposes (e.g., customer invoicing and billing practices). However, it is good to keep in
mind that these exemptions vary in scope based on the relevant country and are not
interpreted uniformly. Finally, there are exemptions for when entities have appointed
2. Id., recital 48, at 36.
3. Id., recital 49, at 36. Art. 18(2) specifies that “Member States may provide for the simplification of or
exemption from notification only in the following cases and under the following conditions: where, for categories of
processing operations which are unlikely, taking account of the data to be processed, to affect adversely the rights
and freedoms of data subjects, they specify the purposes of the processing, the data or categories of data
undergoing processing, the category or categories of data subject, the recipients or categories of recipient to whom the data
are to be disclosed and the length of time the data are to be stored.” Id. at 44.
a data protection officer (DPO) or representative and for when the processing has
as its sole purpose “the keeping of a register which according to laws or regulations
is intended to provide information to the public and which is open to consultations
either by the public in general or by any person demonstrating a legitimate interest.”4
This exemption is further explained in Chapter 3 Section I.C.
PRACTICAL TIPS
If you would like to find out whether certain types of data processing would be
exempt, verify local law. It is also possible to call the local DPA and verify how the
exemptions are interpreted in practice. When contacting DPAs, it is best to do
so in a personal capacity and not on behalf of an organization, as this could attract
unwanted attention to the company’s data processing practices. Typically, DPAs are
quite willing to answer basic questions on the law and local procedures. If there are
language barriers, rely on your local entity or contact persons (e.g., external counsel)
to communicate in an informal way with the DPA.
A table containing a list of websites with links to national registry and notification
information is contained in this book’s appendix A.
3. Notification Procedure
Article 19 of the Directive specifies the minimum information that must be included
in DPA notifications:
1. Member States shall specify the information to be given in the notification.
It shall include at least:
(a) the name and address of the controller and of its representative, if any;
(b) the purpose or purposes of the processing;
(c) a description of the category or categories of data subject and of the data
or categories of data relating to them;
(d) the recipients or categories of recipient to whom the data might be
disclosed;
(e) proposed transfers of data to third countries;
(f) a general description allowing a preliminary assessment to be made of
the appropriateness of the measures taken pursuant to Article 17 [of the
Directive] to ensure security of processing.5
The procedures for notification of processing activities to the DPAs vary widely
by country and at the moment there is no harmonized notification procedure in the
European Union. In addition to the required information specified in the Directive,
4. Id. art. 18(3), at 44. There is also an exemption from notification when processing sensitive data for
legitimate activities, although, again, national requirements on this approach vary. Id. art. 18(4), at 44.
5. Id. art. 19(1), at 44.