2. www.duanemorris.com2
AGENDA
1. EU General Data Protection Regulation – General facts
2. What is the aim of the new regulation?
3. Definition of personal data
4. Scope of application
5. Core principles
6. New principles introduced by the EU GDPR
7. Implementation enforcement and sanctions
8. What must be considered for data processing?
EU General Data Protection Regulation
• Regulation (EU) 2016/679, the European Union’s new General Data Protection Regulation (‘GDPR’), came into force on May 25, 2018
• GDPR repeals the outdated Directive No. 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data from 1995
• Protection of personal data is a fundamental right in the European Union
Article 8 of the Charter of Fundamental Rights of the European Union
Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
What is the aim of the new regulation?
• to force companies, associations and public authorities to better protect the personal data of their customers and employees
• to standardize data protection and better protect citizens in the digital age
The Facebook data privacy scandal centers around the collection of personally identifiable information of "up to 87 million people" by the political consulting and strategic communication firm Cambridge Analytica. It shows the need for better data protection!
What is personal data?
• Article 4(1): 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Examples of personal data:
• name and surname
• home address
• email address
• ID number
• IP address
• advertising identifier of your phone
• data held by a hospital or doctor, which could be a symbol that uniquely identifies a person
Examples of data not considered personal data:
• a company registration number
• an email address such as info@company.com
• anonymized data
Who has to comply with the new rules?
EU member states:
• Applies directly to all companies, associations and public authorities within the EU that process data
• Landlords, brokers and property managers when they request data from potential tenants
• Doctors and hospitals, if they store data of their patients
Non-European companies:
• Must also comply with the new regulation if
- they have a branch in the EU; or
- they process personal data of EU citizens,
REGARDLESS of their location
Companies such as Facebook or Google, based in the US, are affected!
"EU General Data Protection Regulation is forcing big changes at tech’s biggest firms – even if the US isn’t likely to follow suit."
Core principles taken from the old regulation
Definition
• The definition of "personal data" remains unchanged
Permission requirement
• In principle, personal data may not be collected or processed unless the law provides otherwise
• Art. 6 sets out the lawful bases that permit processing
Consent
• Processing particularly sensitive personal data is still subject to strict conditions and requires, for example, the prior consent of the person concerned
• This also applies to the field of email marketing (newsletters)
Data protection officer
• Required in companies whose main activity is the collection and processing of data or the permanent observation of persons
Purpose and transparency
• Further processing of data depends on the respective purpose. Collected personal data must not be used for a purpose other than the one for which they were collected
• The respective processes must be transparent
What's new? New main principles
Scope of application
• Non-European companies are subject to the scope if the processes concern EU citizens or their personal data
Consent
• Not bound by special form requirements
• Verbal, written and electronic consent is permitted
• BUT! The processor carries the burden of proof: written consent is recommended
Revocation
• Possible at any time
• Must be as simple as the granting of consent
Right of access (Article 15)
• Citizens have the right to access their personal data and information about how this personal data is being processed (for example: bonus card in the supermarket)
• A data controller must provide a copy of the personal data undergoing processing
What's new? New main principles (cont.)
Right to rectification (Article 16)
• Incorrect data must be corrected and, if necessary, completed if the person concerned so desires
Right to erasure (‘right to be forgotten’ - Article 17)
• The data subject has the right to request erasure of all data related to them if the reasons for storing the data no longer apply
• The processor itself must delete the data if there is no longer any reason for storage and processing
Right to data portability (Article 20)
• Data subjects have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format
• They have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided
Information
• Consumers must be informed about data leaks and hacker attacks
Implementation enforcement and sanctions
Competent authorities
• Each country has its own supervisory authorities
• For international companies there will be one competent supervisory authority Europe-wide; jurisdiction depends on the location of the headquarters (for example: Facebook = Ireland)
• Affected parties can also turn to the supervisory authority in their own country with a complaint - it must then forward the complaint
Sanctions
• Penalties for violations of the GDPR may amount to up to € 20 million or four percent of the worldwide annual turnover, whichever is higher
What must be considered for data processing?
• Collect as little data as possible,
• Store it securely,
• Store it only as long as necessary,
• Explain in simple language for which purpose the data is stored.
ALWAYS REMEMBER:
‘Privacy by Design’
‘Privacy by Default’
DUANE MORRIS VIETNAM LLC
Thank you very much!
HANOI OFFICE
Pacific Place, Unit V1307/08, 13th Floor
83B Ly Thuong Kiet, Hoan Kiem District
Hanoi, Vietnam
Tel.: +84 4 39462200
Fax: +84 4 3946 1311
HO CHI MINH CITY OFFICE
Suite 1503/04, Saigon Tower
29 Le Duan Street, District 1
Ho Chi Minh City, Vietnam
Tel.: +84 8 3824 0240
Fax: +84 8 3824 0241
Contact email:
omassmann@duanemorris.com