2. Prior to the EU GDPR, the US had entered into the EU-US Mutual Legal Assistance Treaty (MLAT) in 2003.
Then there was the Safe Harbor Agreement, which set minimum requirements for US-EU transactions, but…
The Court of Justice of the European Union (CJEU) declared in Schrems that the Safe Harbor Agreement was invalid because it failed to meet the standards set forth by the EU. The level of protection in the US was “inadequate” to protect privacy because US public authorities had access, on a generalized basis, to the data of any EU citizen whose data was transmitted to the US. This “generalized, mass, and unlimited” surveillance was contrary to the EU’s privacy and data protection requirements.
So on April 14, 2016, the EU GDPR became law, with an effective date of May 25, 2018.
https://www.eugdpr.org/
E Baker Law Firm Pllc
3. VOLUNTARY AGREEMENTS / FRAMEWORKS
On July 12, 2016, the EU-US (and, on January 12, 2017, the Swiss-US) Privacy Shield Frameworks were entered into. These were enforced by the FTC and DOT under the False Statements Act and/or as a violation of 49 USC 41712, but ONLY if the US companies voluntarily participated in the program.
In December 2016, the EU-US Umbrella Agreement was entered into, with an effective date of February 1, 2017. This transatlantic agreement set privacy and data protection safeguards for personal information transferred between the EU and US for the prevention, investigation, detection and prosecution of criminal offenses.
4. Identify the workflow process / data flow for personal information/data subject to the EU GDPR:
How does data come in?
How is data retained/stored?
How is data transmitted?
How is data transferred to third parties?
Identify where the data is.
Who has access to the data?
Can you retrieve the data, and how?
Can you delete the data upon request?
6. Processed lawfully, fairly and transparently
Collected for specified, explicit, legitimate purposes
Adequate, relevant, limited to what is necessary
Accurate, up-to-date
Kept in a form that permits identification of data subjects for no longer than necessary
Secure
Ability to demonstrate compliance
7. 1. Consent
a. Controller must be able to demonstrate it
b. If written consent, must be “clearly distinguishable” from other matters, intelligible, easily accessible, in clear and plain language
c. Prior to consent, the data subject must be given notice of the right to withdraw consent at any time
d. Freely given (e.g. was it contingent upon performance of a contract or provision of a service, and not necessary for that)
2. Necessary
3. Children – 15 years or younger – must have consent of the holder of parental responsibility (member states may require a younger age but cannot go below age 13)
8. Processing personal data prohibited for data:
related to race,
ethnic origin,
political opinion,
religious or philosophical beliefs,
trade union membership,
genetic data, biometric data for the purpose of uniquely identifying a natural person,
health,
sex life or sexual orientation
UNLESS
1. Explicit consent for a specified purpose (except if the EU member state does not allow consent by the natural person)
2. Necessary
a. for employment, social protection law
b. To protect vital interests of the data subject or another natural person (when the data subject is not physically or legally capable of consenting)
c. For the establishment, exercise or defense of legal claims, or by courts
d. Substantial public interest
e. Preventive or occupational medicine
f. Public interest in public health
g. Archiving purposes
3. Carried out in the course of legitimate activities with safeguards by a not-for-profit body
4. Data made public by the data subject
9. Controller shall provide notice to the data subject in reference to Articles 13, 14, 15-22, 34:
concise
transparent
intelligible
easily accessible form
clear and plain language
in writing, including electronic means
without undue delay, within 1 month of receipt of the request (or inform as to why it will not)
free of charge
may request additional information to confirm the identity of the data subject/requestor
10. Period for which the data will be stored
Existence of the right to request from the controller access to, rectification of, or erasure of data, or restriction of processing concerning the data, or to object to processing, as well as the right to data portability
Existence of the right to withdraw consent at any time (Article 6(1)(a), 9(2)(a))
Right to lodge a complaint with a supervisory authority
Whether the provision of personal data is statutory or contractual, etc.
Existence of automated decision making (profiling, meaningful information about the logic involved, significance, and envisaged consequences of processing)
If the controller intends to further process the data for a purpose other than that for which it was collected, the controller shall provide the data subject PRIOR to the further processing with information on the other purpose and the above information.
11. Identity and contact details of the controller
Contact details of the data protection officer
Purpose for processing the data and legal basis
Categories of personal data concerned
Recipients or categories of recipients
If applicable, the fact that the data will be transferred to a third party or international organization, the existence (or absence) of an adequacy decision by the Commission, and reference to the appropriate or suitable safeguards and the means to obtain a copy of them (or where they are available)
Period for which the data will be stored
Where the processing is based on legitimate interests, the legitimate interests pursued by the controller or a third party
Existence of the right to request from the controller access to, rectification of, or erasure of data, or restriction of processing concerning the data, or to object to processing, as well as the right to data portability
Existence of the right to withdraw consent at any time (Article 6(1)(a), 9(2)(a))
Right to lodge a complaint with a supervisory authority
Where (from what source) the personal data originated, and whether it came from publicly accessible sources
Existence of automated decision making (profiling, meaningful information about the logic involved, significance, and envisaged consequences of processing)
12. Implement appropriate technical and organisational measures to ensure processing is performed in compliance with the GDPR
Implement policies
Adhere to an approved code of conduct or certification mechanism
Implement appropriate technical and organisational methods, such as pseudonymisation, designed to implement data protection principles (data minimisation) to protect the rights of the data subject (1) at the time of determination of the means for processing and (2) at the time of processing
Maintain written (electronic) records of processing activities (see Act for details) (*not applicable to companies with fewer than 250 employees unless high risk)
13. Designate a DPO where:
processing is by a public authority,
core activities are regular and systematic monitoring of data subjects on a large scale, or
core activities are processing on a large scale of special categories of data and personal data relating to criminal convictions or offences
A group may appoint one DPO if easily accessible by each office
In all other cases, unless required by Member State law, the organisation “may” appoint a DPO
The DPO shall have expert knowledge of the GDPR and data protection practices, and have the ability to fulfill the tasks (Art. 39)
May be a staff member of the Controller or Processor, or under contract
Contact details of the DPO shall be published and communicated to the supervisory authority
Responsibilities
Inform and advise the controller, processor and employees
Monitor compliance
Provide advice regarding data protection impact assessments, and monitor performance
Act as contact point for and cooperate with the supervisory authority
14. 1. Pseudonymisation, encryption of personal data
2. Ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services
3. Ability to restore availability and access to data in a timely manner
4. Process for regular testing, assessing and evaluating the effectiveness of technical and organisational measures ensuring security
5. Code of Conduct or Approved Certification Mechanism (Articles 40 and 42 respectively)
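As an added illustration of item 1 above (pseudonymisation) and of the data-minimisation measure on slide 12, not part of the original deck: a keyed pseudonymisation routine in Python that replaces the direct identifier with an HMAC-based token, keeps only the fields a purpose needs, and holds the re-identification map separately. The record layout, field names and sample data are assumptions made for this example.

```python
import hashlib
import hmac

# Fields the downstream purpose actually needs (data minimisation); everything
# else, including the direct identifier, is dropped before the data leaves the
# controller. Field names are hypothetical, chosen for this example.
ANALYTICS_FIELDS = ("country", "plan", "signup_year")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: same identifier + same key -> same token,
    so pseudonymised records can still be joined, while without the key the
    token cannot be turned back into the identifier."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def pseudonymise(records, key, keep=ANALYTICS_FIELDS):
    """Return (pseudonymised records, re-identification map).
    The map is the 'additional information' that enables re-identification;
    store it, and the key, separately from the pseudonymised data set."""
    pseudonymised, reident_map = [], {}
    for rec in records:
        token = pseudonym(rec["email"], key)
        reident_map[token] = rec["email"].strip().lower()
        minimised = {"subject": token}          # direct identifier replaced
        minimised.update({f: rec[f] for f in keep if f in rec})
        pseudonymised.append(minimised)
    return pseudonymised, reident_map


def reidentify(token: str, reident_map: dict):
    """Controller-side lookup; None for tokens this controller did not issue."""
    return reident_map.get(token)


# Constructed sample records (not real data); the first two are the same
# subject with different capitalisation and trailing whitespace.
SAMPLE = [
    {"email": "Ana@example.org", "name": "Ana", "country": "PT", "plan": "pro", "signup_year": 2021},
    {"email": "ana@example.org ", "name": "Ana", "country": "PT", "plan": "pro", "signup_year": 2021},
    {"email": "bo@example.org", "name": "Bo", "country": "DE", "plan": "free", "signup_year": 2022},
]

if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)   # generate and keep in a secret store, apart from the data
    print(pseudonymise(SAMPLE, key)[0])
```

The HMAC key and the map are what turn the output back into personal data, so they belong under the same access control and retention rules as the source records.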
15. 1. Controller shall (without undue delay and, where feasible, within 72 hours after becoming aware of the breach) notify the supervisory authority
2. Required notice provisions:
a. Nature of the breach, categories, number affected
b. Name and contact of the data protection officer
c. Consequences of the breach
d. Measures to be taken (or taken) to address and mitigate
3. Controller shall document every breach
4. Notify* the data subject if there is a “high risk to rights and freedoms”
*No notice required if the data is encrypted, subsequent measures have been taken which make it likely there is no longer a high risk, or disproportionate effort would be required (public communication instead)
16. Only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR
No sub-processors without the controller’s prior written authorization
Shall be governed by contract (see details required) or law
Adherence to an approved code of conduct or approved certification mechanism
Maintain written (electronic) records of all categories of processing activities carried out for the controller (see Act for details) (*not applicable to companies with fewer than 250 employees unless high risk)
17. For more information on how to bring your organisation into compliance with the EU GDPR, data privacy, regulatory compliance, risk management, and/or setting up your workflow processes, policies and procedures, please contact:
Elizabeth Baker, JD, CRCMP
Internationally certified Risk and Compliance Management Professional (EU, US)
ebakerjd@ebakerjdlaw.com
E Baker Law Firm Pllc