Data Protection Commissioner

The General Data Protection Regulation

 

Consultation on consent, profiling, personal data breach notifications and certification

 
The EU Article 29 Working Party (comprising the data protection authorities of the EU member states) is currently preparing guidance on the interpretation and application of key provisions of the General Data Protection Regulation (GDPR). To inform that process, the office of the Data Protection Commissioner (DPC) has initiated a consultation period seeking submissions from interested individuals and organisations on the following key concepts:
 
  • Consent
  • Profiling
  • Personal data breach notifications
  • Certification
 
The GDPR, which takes effect from 25th May 2018, will replace the existing EU data protection framework, providing additional and stronger data protection rights for individuals and greatly increased obligations on organisations that collect and process personal data.
 
The 2017 Action Plan of the Article 29 Working Party commits to preparing guidance on consent, profiling, data breach notifications and certification in the first half of 2017. With the purpose of ensuring that the views of stakeholders are heard, data protection authorities across the European Union are currently undertaking consultation processes. 
 
The DPC’s consultation period will run up to 31st March 2017. Submissions should be emailed to consultation@dataprotection.ie.
 
The submissions received will be supplied to the presidency team of the Article 29 Working Party for consideration in the preparation of guidance on these concepts. However, there should be no expectation that the issues raised in submissions will be addressed by the guidance published by the Working Party. The DPC will not be summarising or preparing a report of the submissions received.
 

Consent

 
The consent of a data subject is one of the grounds on which personal data can be lawfully processed. Article 4(11) of the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
 

Conditions

 
There are a number of requirements that are necessary to satisfy the conditions for consent:
 
  • Organisations processing data on the basis of consent must be able to demonstrate that the person to whom the data relates has given their consent;
  • Where consent is given as part of a written declaration which also includes other matters, the request for consent must be presented in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language;
  • Individuals have the right to withdraw consent at any time and it must be as easy to withdraw consent as to give it.
 
The GDPR also stipulates that consent will not be freely given where the individual has no genuine or free choice; or is unable to refuse or withdraw consent without detriment; or where the performance of a contract (such as the provision of a service) is dependent on consent even though consenting to such processing is not necessary to perform the contract. Furthermore, separate consent is required for each type of processing operation.
 

Examples of consent

 
The recitals to the GDPR give examples of actions which may indicate consent, provided that the action clearly indicates the individual’s acceptance of the proposed processing of his/her personal data:
 
  • A written statement (including by electronic means)
  • An oral statement
  • Ticking a box when visiting an internet website
  • Choosing technical settings for information society (e.g. online) services
 
The GDPR recitals also clearly state that silence, pre-ticked boxes or inactivity by an individual (e.g. failing to do something) do not indicate consent.
 

Children and consent

 
In respect of children there is a specific provision on children’s consent for ‘information society services’ (services requested and delivered over the internet). Organisations that offer services directly to children (other than preventive or counselling services) based on consent must get parental consent for children under 16 – although the Irish Government can choose to lower this, to a minimum age of 13. Organisations will need to implement age-verification measures, and make ‘reasonable efforts’ to verify parental responsibility for those under the relevant age.
 

Explicit Consent

 
The processing of special categories of personal data (such as data revealing racial or ethnic origin, health data, genetic data) based on consent requires the explicit consent of the individual. However, explicit consent is not defined under the GDPR.
 
Key GDPR provisions: Articles 4(11), 6(1)(a), 7, 8, 9(2)(a), 13(2)(c), 14(2)(d), 49(1)(a) and Recitals 32, 33, 38, 42, 43, 54, 65, 111, 155, 161, 171 (external link):
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
 
Questions for consultation:
In particular, stakeholder views are sought on the following questions:
 
  • How should freely given, specific, informed and unambiguous indication of the data subject’s wishes be interpreted and implemented in practice?
  • What actions/activities on the part of an individual should be considered a statement or a clear affirmative action signifying agreement to processing of personal data?
  • How can organisations demonstrate that consent has been obtained to the standard required by the GDPR?
  • What organisational systems and procedures will be required to prove consent was obtained?
  • For how long should organisations retain proof that consent was lawfully obtained?
  • What are the practical implications for organisations where consent is withdrawn by an individual?
  • What are the consequences for the individual concerned when consent is withdrawn?
  • In respect of minors how should parental consent be collected in an online environment?
  • What are the practical challenges in an online environment in verifying the age of a minor to determine whether parental consent is required?
  • In respect of special categories of personal data how should ‘explicit’ consent be interpreted?
  • What actions/activities on the part of an individual should be considered to indicate explicit consent?
 
 

Profiling

 
Article 4(4) of the GDPR defines profiling as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
 

Individual rights in relation to profiling

 
Article 22 further provides that an individual has the right “not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her”.
 
There are exceptions to this where the decision is (a) authorised by EU or Member State law to which the data controller is subject; (b) necessary for entering into, or the performance of, a contract between the individual and a data controller; or (c) based on the explicit consent of the individual. In the case of the latter two exceptions the individual has the right to obtain human intervention, to express their point of view and to contest the decision. In all cases the data controller must implement suitable measures to safeguard the individual’s rights and freedoms and legitimate interests. Decisions of this kind based on special categories of personal data are not permitted unless the individual has given explicit consent or the processing is necessary for public interest reasons, and in either case suitable safeguards must be in place.
 
 
Key GDPR provisions: Articles 4(4), 13(2)(f), 14(2)(g), 15(1)(h), 21(1), 22, 35(3), 47, 70(1)(f) and Recitals 24, 60, 63, 70, 71, 72, 73, 91 (external link):
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
 

Questions for consultation:

 
In particular, stakeholder views are sought on the following questions:
 
  • How will profiling activities currently undertaken in your industry be impacted by the requirements of the GDPR?
  • How should the distinction between ‘legal effects’ and ‘significant effects’ be interpreted?
  • How should the requirement to vindicate the individual’s right to obtain human intervention in the context of profiling be interpreted?
  • How should the individual’s right to give their point of view and contest a decision as regards profiling be given effect by a data controller?
  • What are the implications for organisations in implementing measures to respect the individual’s right to specific information, to obtain human intervention, and to express their view and contest a decision?
  • What types of public interest reasons would justify profiling?
  • Are there limits to profiling? Should certain activities and/or information be excluded from profiling?
  • Where profiling involves special categories of data, what additional protections should apply to safeguard the individual’s rights and freedoms and legitimate interests? 
 
 

Personal data breach notifications

 
The GDPR provides that in the event of a personal data breach, the data controller must notify the competent data protection authority without undue delay after becoming aware of the breach and, where feasible, not later than 72 hours after having become aware of it. Where the notification is not made within 72 hours, the data controller must give reasons for the delay.
 
Notification to the competent data protection authority is not required where the data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
 

Contents of notifications to data protection authorities

Personal data breach notifications to a data protection authority must include at a minimum the following:
 
  • a description of the breach including where possible, the categories and approximate number of individuals concerned and the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • a description of the likely consequences of the data breach;
  • a description of the measures taken or that will be taken to address the data breach, including where appropriate measures to mitigate its possible adverse effects.
 
Where it is not possible to provide the information above at the same time, it may be provided in phases but without further undue delay.
 
 

Notifications to individuals

 
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller must inform the affected individuals without undue delay. This communication must be in clear and plain language and at a minimum provide details of a contact point within the organisation, a description of the likely consequences of the breach and the measures taken or that will be taken to address the data breach, including where appropriate measures to mitigate its possible adverse effects.
 
A data controller will not be required to inform the individuals concerned where: (a) it had implemented appropriate technical and organisational measures, and those measures were applied to the personal data affected by the breach, in particular measures that render the data unintelligible to any person not authorised to access it (e.g. encryption, which presupposes that the decryption keys were not themselves compromised); (b) it has taken subsequent measures which ensure that the high risk to the rights and freedoms of the individuals affected is no longer likely to materialise; or (c) notifying the individuals concerned would involve disproportionate effort. In the last case there must instead be a public communication or similar measure whereby the individuals are informed in an equally effective manner.
 
Data processors are required to notify the data controller without undue delay after becoming aware of a personal data breach.
 
To enable data protection authorities to verify compliance with the GDPR, data controllers are required to document all personal data breaches, including the facts relating to the breach, its effects and the remedial action taken, whether or not the breach was notified.
 
Key GDPR provisions: Articles 33, 34, 58, 70 and Recitals 73, 85, 86, 87, 88 (external link):
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
 

Questions for consultation

In particular stakeholder views are sought on the following questions:
 
  • What are anticipated to be the practical implications for organisations in complying with the personal data breach notification provisions of the GDPR?
  • How should “risk to the rights and freedoms of natural persons” be interpreted?
  • How should “high risk to the rights and freedoms of natural persons” be interpreted?
  • What are the circumstances in which a data controller should be considered to have “become aware” of the data breach?
  • In what circumstances would it not be feasible for a data controller to report a data breach to a data protection authority within 72 hours?
  • Where it is not possible for the data controller to provide all of the information required by way of notification to the data protection authority at the same time, what requirements should apply as regards the provision of such information “in phases without further delay”?
  • What type of measures should be considered sufficient to mitigate any adverse effects arising from a data breach?
  • What type of measures should be considered sufficient to ensure that a high risk to the rights and freedoms of the individuals affected will not materialise?
  • How should ‘disproportionate effort’ in notifying individuals be interpreted?
  • In cases where notifying the individuals concerned would involve a disproportionate effort, what form of public communication or other similar measure to inform individuals would constitute an equally effective manner?
  • For how long should a data controller be required to retain documentation relating to data breaches?
 
 
 

Certification

 
Articles 42 and 43 of the GDPR provide for certification activities to be undertaken by supervisory authorities, working with accreditation and certifying bodies.
 
Certification is a key element of a modern accountability-based compliance framework, and the supervisory authority’s role goes beyond merely encouraging the use of certification. Because the GDPR is an EU regulation, this role also extends beyond national boundaries: where cross-border processing of personal data is taking place, certification criteria may be approved at EU level, and a certification issued against such criteria may take the form of a common “European Data Protection Seal”.
 
A supervisory authority may agree that the accreditation of certification bodies is carried out by the National Accreditation Body. In that case the supervisory authority must supply additional requirements so that accreditation takes account of criteria and levels of conformity that are relevant to data protection. Alongside the general accreditation criteria, such as independence, testing and complaint-handling procedures, certification bodies will also need to demonstrate an appropriate level of data protection expertise.
 
While not mandatory, certification in data protection will be relevant for all types and scales of business. It should also be useful for data subjects to understand and have confidence in an organisation’s processing of their personal data. It should also remain clear to those gaining certification that demonstrating a level of compliance in a particular kind or range of processing does not mean that an organisation’s responsibilities for GDPR compliance are reduced.
 

Benefits of certification

 
GDPR outlines that certification should be of particular value for organisations in terms of:
 
  • controller responsibilities (Art. 24) and data protection by design and by default (Art. 25)
  • international transfers (Art. 46)
  • a processor’s guarantees to controllers (Art. 28)
  • security of processing (Art. 32), such as encryption, the resilience of systems or the testing of security measures
 
 
Certification is also a factor in how a supervisory authority will determine administrative fines.
 
Key GDPR provisions: Articles 24, 25, 28, 32, 42 and 43; Recitals 77, 81 and 100.
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
 
 

Questions for consultation

In particular, stakeholder views are sought on the following questions:
 
  • What are the practical implications for organisations in seeking certification under the GDPR for:
    • Controller responsibilities?
    • Data protection by design (Arts 24, 25)?
    • Security requirements?
    • Processor guarantees?
    • International transfers?
  • What other types of processing, services or products should be data protection certified, if any?
  • What would be an “appropriate level of expertise in relation to data protection” for a certifying body?
  • What criteria should a supervisory authority approve to support data protection certification?
  • How can certification be made relevant for micro, small, medium-sized and large-scale enterprises?
  • Under what circumstances would it be appropriate for a certification to be withdrawn from an organisation?
  • What information about a data protection certification award should an organisation make known to its users?
 
 
 
Data Protection Commissioner
March 2017