The EU’s General Data Protection Regulation (GDPR) became effective on May 25, 2018. It replaced the EU’s Directive 95/46/EC. You may be wondering, what does this mean for my Canadian organization?
What is the GDPR about?
The GDPR is the EU’s new data protection regulation that provides stronger data protection rules by more extensively regulating the processing by an individual, a company or an organization of personal data relating to individuals in the EU. The goal is to increase protection in an increasingly data-driven world, extend the jurisdiction of the GDPR to apply to all companies processing personal data of data subjects in the EU regardless of company location, increase penalties for noncompliance, and strengthen consent provisions.
The GDPR is divided into several chapters:
- Chapter I – General provisions
- Chapter II – Principles
- Chapter III – Rights of the data subject
- Chapter IV – Controller and processor
- Chapter V – Transfers of personal data to third countries or international organizations
- Chapter VI – Independent supervisory authorities
- Chapter VII – Cooperation and consistency
- Chapter VIII – Remedies, liability and penalties
- Chapter IX – Provisions relating to specific processing situations
- Chapter X – Delegated acts and implementing acts
- Chapter XI – Final provisions
This is a large and dense document; let us focus on some of the main features for the purposes of this discussion. To that end, here are some of the noteworthy elements of the GDPR:
- “Personal data” is any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
- “Processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. This includes the processing of employment data as well
- “Controller” is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
- “Processor” is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
- Application: the GDPR applies to the processing of personal data. It applies to data controllers and data processors with an establishment in the EU, or with an establishment outside the EU that target individuals in the EU by offering goods and services irrespective of whether a payment is required, or that monitor the behaviour of individuals in the EU where that behaviour takes place in the EU. It does not apply in certain cases, such as activities falling outside the scope of the Union law, or by natural persons in the course of personal activities, for the prevention and detection and prosecution of criminal offences in safeguarding against the prevention of threats to public security
- Personal data must: (I) be processed lawfully, fairly and in a transparent manner in relation to the data subject; (II) be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (III) be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; (IV) be accurate, and where necessary, kept current, and if inaccurate, erased or rectified without delay; (V) be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; (VI) be processed in a manner that ensures the appropriate security of the personal data including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage using appropriate technical and organizational measures. The controller must be able to show compliance with these requirements
- Processing is lawful only if: (I) the data subject has given consent to the processing for one or more specific purposes; (II) the processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering the contract; (III) processing is necessary for compliance with a legal obligation to which the controller is subject; (IV) processing is necessary in order to protect the vital interests of the data subject or another natural person; (V) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (VI) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where the interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Is important to note that the processing of special categories of personal data is prohibited (for example, data revealing racial or ethnic origin, political opinions, religious beliefs, and health to name a few)
- “Consent of the data subject” is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Where processing is based on consent, the controller must be able to show that the data subject has consented to processing the personal data. The data subject has the right to withdraw consent at any time, and it must be as easy to withdraw as it is to give consent. Where the processing involves a child under 16 years, the processing is only lawful if the consent is given by the holder of parental responsibility
- There are several significant rights of data subjects: (I) the right to information requires data controllers to give individuals certain information about the processing of their personal data free of charge, and in a concise, transparent, intelligible and easily accessible format using clear and plain language; (II) the right to rectification allows the data subject to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her (III) the right to be forgotten (also referred as the right to erasure) includes both the right to have the data erased and the right to delisting in certain circumstances. The individuals have the right to require data controllers to delete their data in certain circumstances, including where the information is no longer necessary for the purpose for which it was collected or where the individual withdraws their consent and there is no other legal grounds for processing their data; (IV) the right to restriction of processing applies in some specific circumstances including for example, for an interim period allowing the data controller to verify the accuracy of the personal data that is contested by the data subject, or when the controller no longer needs the personal data for the purposes of the processing but are required by the data subject (for example, the establishment of legal claims); (V) the right to data portability refers to the right of an individuals to receive personal data that they have provided to the data controller in a structured, commonly used and machine readable format and to transmit that data to another data controller without hindrance. This right only applies to personal data that an individual has provided to the controller, where the processing is based on the individual’s consent or for the performance of a contract and where the processing is carried out by automated means. This is to be without prejudice to the exercise of the right to erasure or the right of access
- Data controllers have significant responsibilities: data controllers must ensure compliance with the GDPR and be able to demonstrate that compliance. They must implement appropriate technical and organizational measures, including data protection policies. In performing their duties, they consider the nature, scope, context and purposes of the processing as well as the risks for the rights and freedoms of individuals. Controllers are provided with tools to help them demonstrate accountability, including working with the data protection officer or conducting data protection impact assessments, and complying with the principles of privacy by design and privacy by default
- Data processors have significant responsibilities: they must provide the sufficient guarantees to implement appropriate technical and organizational measures so the processing meets the requirements of the GDPR. Data processors must also assist data controllers in matters of security, data protection impact statement and data breach notifications and alert the controller if their processing instructions would lead to a possible violation of the GDPR or of a provision of Union or Member State law
- “Personal data breach” is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
- Data breach notifications: where there has been a personal data breach, the controller must, without undue delay, and not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. If this has not been done within 72 hours, the notification must be accompanied by reasons for the delay. The processor must also notify the controller without undue delay. The notification must at least: (I) describe the nature of the breach, the categories and number of data subjects involved, and the number of data records concerned; (II) communicate the name and contact details of the data protection officer; (III) describe the likely consequences of the breach; (IV) describe the measures taken or proposed to be taken by the controller to address the breach, and if appropriate measures to mitigate possible adverse effects. Information may be provided in phases without undue further delay when it is not possible to provide all the information at the same time. Additionally, the controller must communicate the same notification as above to the data subject without undue delay where the personal data breach is likely to result in high risk to the rights and freedoms of the natural persons (this must be done using clear and plain language)
- Data protection officers have certain tasks: they must (I) inform and advise the controller or processor and employees who carry a processing of their obligations under the GDPR; (II) monitor compliance with the GDPR, including assigning responsibilities, awareness raising, and training of staff; (III) provide advice where requested regarding data protection impact assessments; (IV) cooperate with the supervisory authority; (V) act the contact point for the supervisory authority on issues regarding processing and consult where appropriate
- There are provisions regarding processing in the context of employment: Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employee personal data in the employment context, in particular for the purposes of recruitment, performance of the contract, including discharge of obligations created by law or by collective agreements, management, planning organization of work, equality and diversity in the workplace, health and safety at work, protection of the employer’s or customer’s property and for the purposes of the exercise and enjoyment on an individual or collective basis of the rights and benefits related to employment, and for the purpose of termination of the employment relationship. The rules must include suitable and specific measures to safeguard the data subject’s human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the workplace. As a consequence, there are stricter requirements in place with respect to the processing of data in the context of employment
- There are significant consequences for noncompliance with the GDPR: infringements of provisions of the GDPR can lead to administrative fines of up to 20,000,000 EUR, or up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher. Although the administrative fines are intended to act as a deterrent, the administrative fines provisions lists several factors that are to be taken into consideration when imposing a fine such as: (I) the nature, gravity and duration of the infringement; (II) the intentional or negligent character of the infringement; (III) any action taken by the controller or processor to mitigate the damage suffered by data subjects; (IV) the degree of responsibility of the controller or processor taking into account technical organizational measures implemented; (V) any relevant previous infringements; (VI) the degree of corroboration with the supervisory authority in order to remedy the infringement and mitigate the adverse effects; (VII) the categories of personal data that are affected by the infringement; (VIII) the manner in which the infringement became known to the supervisory authority (whether there was proper notification); (IX) whether there was compliance with measures previously ordered against the controller or processor; (X) adherence to approve codes of conduct; and (XI) any other aggravating or mitigating factors that are applicable to the circumstances such as financial benefit gained or losses avoided from the infringement
How does this affect Canadian organizations?
One may question how this is applicable to Canadian organizations. In its announcement on February 22, 2018, the Office of the Privacy Commissioner of Canada highlighted that there could be a new obligations created for Canadian businesses that handle the personal information of individuals in Europe. More specifically, Canadian organizations may need to comply with the GDPR if:
- they have an establishment in the EU, or
- they are located outside the EU but either offer goods or services to, or monitor the behaviour of individuals in the EU.
Although Canadians have federal private sector privacy legislation, namely the Personal Information Protection and Electronic Documents Act (PIPEDA), it is important to remember that, while PIPEDA and the GDPR are both privacy laws, they are different laws that apply in different situations. The Office of the Privacy Commissioner of Canada only enforces compliance with PIPEDA – it does not enforce compliance with the GDPR.
To that end, it is important for Canadian organizations to determine whether they may fall under the scope of the GDPR. If so, it is highly recommended that these organizations carefully examine the requirements that are contained in the GDPR and ensure that there is compliance with the relevant provisions.
When determining whether the GDPR applies, it is important to ask questions such as, “do I have an establishment in the EU?”, “do I offer goods or services to individuals in the EU?”, and “do I monitor the behaviour of individuals in the EU?”
Factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may suggest that the controller intends to offer goods or services to data subjects in the Union. Likewise, collecting information (for example Internet tracking or collecting data to build a profile) for behaviour monitoring could be seen as involving activities concerning persons within the EU.
For Canadian employers, it is important to take note of the significantly stricter requirements regarding the processing of personal data in the context of employment.
How can employers accomplish these goals? An important first step is to ensure that the proper policies and procedures are in place, consistently enforced, and explained to employees in proper training sessions. Further, it is important to ensure that organizations have in place the necessary procedures to deal with the collection and use of personal information of data subjects who are residents of the EU, and ensure that the rights of data subjects are maintained (for example, the right information and the right to rectification and erasure). These policies and procedures would affect every step of the employment process for recruitment to termination.
When constructing the plan to be tailored to the particular employment context, it is important to remember to: review and revise employment contracts; appoint a data protection officer; deciding whether it is necessary to do a data protection impact assessment; review and revise policies regarding retaining employee personal information; examine organizational and technical measures for service providers to access employee personal information; create a strong breach notification policy and procedure; and create a personal data processing registry that has an employee-specific section; and so on, depending on the circumstances.
Indeed, it is important to be proactive and not reactive in this situation.
Unquestionably, the fines for noncompliance of the GDPR are very serious, and if the GDPR applies, it is important to ensure compliance right away.
Employers who wish to learn more are recommended to visit the European Commission’s site here for further guidance. Similarly, the Article 29 Data Protection Working Party has created a fact sheet outlining the main features of the GDPR.
- Reasonable expectation of privacy in Internet Protocol (IP) addresses - March 26, 2024
- Air Canada found to be responsible for negligent misrepresentation regarding chatbot’s incorrect explanation of bereavement fares - March 22, 2024
- The problem with deepfakes, and British Columbia’s solution - February 23, 2024