Written by Adrien Fegual
Advised and Edited by Kunchou Tsai, Esq.
Provided by and Credit to Enlighten Law Group
I. Key notions and Scope of General Data Protection Regulation (GDPR)
A. Key notions
Prerequisite to any data processing (article 5): the purpose of the processing must be specified, determined, explicit and legitimate; generally speaking, the interference with privacy that the data processing entails must be proportionate to that purpose.
Data Processing (article 4): processing means any operation which is performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Privacy by design (article 25): General principle that must guide data processors (the organisation) in their data processing activities. This principle requires implementing appropriate technical and organisational measures, such as pseudonymisation, which are designed to put data-protection principles such as data minimisation into effect, in order to meet the requirements of the Regulation and protect the rights of data subjects. The practical consequence is that any technology processing personal data must comply with the requirements of the Regulation from the design stage onwards, not as an afterthought.
Accountability Principle (article 5): General principle that aims at empowering and guiding data processors in their data processing activities. They must, at any time, be able to demonstrate the concrete measures taken to comply with the requirements of the Regulation. Many of the new obligations that organisations have to comply with derive from this general principle.
B. Scope of application
Increased Territorial Scope (extra-territorial applicability)
One of the biggest changes to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company's location.
The GDPR makes its applicability very clear: it applies to the processing of personal data by controllers and processors established in the EU, regardless of whether the processing itself takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects in the EU by a controller or processor (a subcontractor) not established in the EU, where the activities relate to offering goods or services to EU citizens (irrespective of whether payment is required) or to the monitoring of behaviour that takes place within the EU.
On the question of international data transfers (outside the EU)
Although they are, in principle, forbidden, such transfers are made possible if the country to which the data is transferred provides an "adequate level of protection" (article 45), meaning a level of protection similar to the one provided by the GDPR.
The European Commission has already published a list of countries (following the "implementing acts" procedure described in article 93) considered as providing a level of protection equivalent to the one provided by the GDPR. The list should be extended over time, but as of now Taiwan is not part of it.
A few more options are to be considered to make international data transfers in compliance with the GDPR:
For data transfers inside a group of affiliated undertakings, and after approval by the supervisory authority (the independent public authority in charge of applying the Regulation at member state level), Binding Corporate Rules (article 47 of the GDPR) can be adopted as an internal code of conduct that provides the appropriate safeguards.
The most common way for controllers and processors to transfer data in compliance with the GDPR is to use Standard Contractual Clauses that have been pre-approved by the EU Commission as contractually providing "appropriate safeguards" (article 46). According to article 57 of the Regulation, supervisory authorities at member state level can also adopt such Standard Contractual Clauses. Last but not least, companies can also draft their own contractual clauses providing appropriate safeguards and submit them to the national supervisory authority for a compliance review (article 46(3)(a)).
A legally binding and enforceable instrument (article 46(2)(a)) can be created between governments to facilitate data transfers. An example of such an instrument is the EU-US Privacy Shield framework that was negotiated and approved by the EU Commission in 2016.
On this particular matter, there is a gap between the GDPR and the PIPA: international transfers ("international transmissions") under the latter are only lightly restricted, in its article 21, whereas under the GDPR transfers to "third countries" are the subject of an entire chapter, Chapter V (articles 44 to 50).
(Should you have any question about the GDPR, please do not hesitate to contact us.)