The new Data Protection Regulation - some main points
9 June 2016
Cecilie Rønnevik, associate lawyer (advokatfullmektig)
Agenda
- Why is the EU introducing a data protection regulation?
- The changes in general
- In particular: internal control
- In particular: the data protection officer scheme
- In particular: breach notifications
- In particular: administrative sanctions
- Miscellaneous
Why is the EU introducing a data protection regulation?
1. "One continent, one law"
The EU Data Protection Directive of 1995:
- implemented differently in 29 countries
- differing levels of protection
- a lot of bureaucracy in the member states
- a lot of administration for the controllers
The EU Data Protection Regulation of 2016 (applicable from 2018):
- the text of the regulation becomes domestic law "word for word"
- harmonisation of administrative practice and case law
2. Greater risk - greater responsibility
The risk of privacy violations has increased:
- technological development
- globalisation
Greater responsibility for organisations that process personal data:
- responsibility "moves" from the supervisory authority to the organisations
- the sanctions regime is strengthened
The changes in general
The data protection principles are carried forward (Art 5):
- lawfulness, fairness and transparency
- purpose limitation
- data minimisation
- accuracy
- storage limitation
- integrity and confidentiality
- accountability
To a large extent this is a codification of existing law, based on the case law of the Court of Justice of the EU and on national legislation and practice.
The law gets bigger
From 52 brief provisions to 91 extensive provisions - the recitals and the regulation together make up 204 pages
More concrete legal rules, but a great deal of discretion is still left to the controllers themselves
The law does not get simpler
In particular: the duty of internal control
The Data Protection Directive: the duty of internal control does not follow explicitly from it
The Personal Data Act section 14, cf. the Regulations chapter 3: "The controller shall establish and maintain such planned and systematic measures as are necessary to meet the requirements laid down in or pursuant to this Act. The systematic measures shall be adapted to the nature, activities and size of the organisation to the extent necessary to comply with requirements laid down in or pursuant to the Personal Data Act. The controller shall document the measures."
Internal control, cont.
The Data Protection Authority (Datatilsynet) found non-conformities in 49 of 67 inspections in 2014:
- a lack of understanding of what internal control entails?
- a lack of will to set aside resources?
Internal control is decisive for compliance with the other duties in the Act - a set of rules adapted to the employees of the organisation in question
Internal control, cont.
Art 22 Responsibility of the controller: "Taking into account the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of individuals, the controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation."
Internal control, cont.
Art 23 Data protection by design and by default: "The controller shall (...) implement appropriate technical and organisational measures which are designed to implement data protection principles in an effective way and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects."
This includes making the data protection principles premises for the architecture and functionality of the systems in which personal data are processed:
- Relevance and necessity: tick-boxes instead of free-text fields
- Quality: automatic periodic updating against authoritative sources
- Information: automatically generated information notices
- Access, rectification and erasure: facilitate the data subject's own access
- Erasure: automated regular deletion (e.g. at fixed time intervals)
Internal control, cont.
Art 33 Data Protection Impact Assessment: "Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk for the rights and freedoms of individuals, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks."
- a list of typical cases
- the supervisory authorities shall specify which processing operations are covered
In particular: the data protection officer scheme
Not addressed in the Data Protection Directive: an unregulated, voluntary internal control measure
Differing legal and practical development of the scheme within the EU/EEA
The Personal Data Act:
- appointment of an officer gives relief from the notification duty, after a decision by the Data Protection Authority
- no regulatory requirements as to the officer's competence, tasks or position
- the majority of officers are internal employees
June 2015
Data protection officer, cont.
Art 35 Data Protection Officer: "The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body; or (b) the core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; (c) the core activities consist of processing on a large scale of special categories of data and data relating to criminal convictions and offences."
Data protection officer, cont.
"The controller or processor shall designate the data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37."
"The data protection officer may be a staff member of the controller or processor, or fulfil his or her tasks on the basis of a service contract."
Data protection officer, cont.
Art 37 The tasks: "to inform and advise the controller or the processor and the employees who are processing personal data of their obligations; to monitor compliance with this Regulation and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in the processing operations, and the related audits; to cooperate with the supervisory authority; and to act as the contact point for the supervisory authority on issues related to the processing of personal data."
"Data subjects may contact the data protection officer on all issues related to the processing of the data subject's data and the exercise of their rights."
Data protection officer, cont.
Art 36 The position: "The controller or the processor shall ensure that the data protection officer is properly and in a timely manner involved in all issues which relate to the protection of personal data. The controller or processor shall support the data protection officer in performing the tasks referred to in Article 37 by providing resources necessary to carry out these tasks as well as access to personal data and processing operations, and to maintain his or her expert knowledge. The controller or processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of these tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor."
In particular: the duty to report breaches
A duty to report breaches does not follow from the current Directive
The Personal Data Act: "If a security breach has resulted in unauthorised disclosure of personal data where confidentiality is necessary", the Data Protection Authority shall be notified, cf. the Personal Data Regulations section 2-6
No regulatory requirements as to the content of the notification or the time at which it must be given
The data subject shall be notified where this is proportionate, cf. the Personal Data Act section 19 and unwritten data protection principles
Breach notifications, cont.
A personal data breach is defined as "accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (Art 4)
Art 31 Notification to the supervisory authority: "... the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 72 hours."
Breach notifications, cont.
The notification shall "at least describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of data records concerned; communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; describe the likely consequences of the personal data breach; describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, to mitigate its possible adverse effects."
Breach notifications, cont.
Art 32 Communication to the data subject: "When the personal data breach is likely to result in a high risk for the rights and freedoms of individuals the controller shall communicate the personal data breach to the data subject without undue delay, in clear and plain language", unless:
- "the controller demonstrates to the satisfaction of the supervisory authority that it has implemented technological measures that render the data unintelligible to unauthorised persons" (encryption)
- "the controller has taken subsequent measures which ensure that the high risk for the rights and freedoms of data subjects is no longer likely to materialise"; or
- "it would involve disproportionate effort."
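As an added illustration, not part of the presentation, the following Python sketch encodes the Art 31 and Art 32 logic quoted above: the 72-hour window for notifying the supervisory authority, the reasoned justification required once that window is missed, and the duty to communicate with data subjects with its three exceptions. The risk labels "unlikely", "risk" and "high" and the sample breach record are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Art 31: notify "not later than 72 hours after having become aware of it"
NOTIFY_WINDOW = timedelta(hours=72)

@dataclass
class Breach:
    """Constructed record of a personal data breach (Art 4 definition)."""
    became_aware: datetime
    risk: str                      # assumed labels: "unlikely", "risk", "high"
    data_unintelligible: bool = False      # Art 32 exception: e.g. encrypted data
    risk_mitigated: bool = False           # Art 32 exception: subsequent measures
    disproportionate_effort: bool = False  # Art 32 exception

@dataclass
class Obligations:
    notify_authority: bool
    authority_deadline: Optional[datetime]
    justification_required: bool   # true once the 72-hour window has passed
    communicate_to_subjects: bool

def assess(breach: Breach, now: datetime) -> Obligations:
    """Derive the controller's Art 31/32 obligations as of time `now`."""
    # Art 31: notification unless the breach is unlikely to result in a risk
    notify = breach.risk != "unlikely"
    deadline = breach.became_aware + NOTIFY_WINDOW if notify else None
    late = notify and now > deadline
    # Art 32: high risk triggers communication unless an exception applies
    excepted = (breach.data_unintelligible or breach.risk_mitigated
                or breach.disproportionate_effort)
    communicate = breach.risk == "high" and not excepted
    return Obligations(notify, deadline, late, communicate)

def hours_remaining(breach: Breach, now: datetime) -> Optional[float]:
    """Hours left in the Art 31 window (negative once it has passed); None if no duty."""
    ob = assess(breach, now)
    if ob.authority_deadline is None:
        return None
    return (ob.authority_deadline - now).total_seconds() / 3600

if __name__ == "__main__":
    # Constructed sample: a breach discovered on the date of this presentation
    aware = datetime(2016, 6, 9, 10, 0, tzinfo=timezone.utc)
    breach = Breach(aware, "high", data_unintelligible=True)
    print(assess(breach, aware + timedelta(hours=20)))
    print(hours_remaining(breach, aware + timedelta(hours=20)))  # 52.0
```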
In particular: administrative sanctions
The current Directive requires the member states to lay down sanctions for breaches of data protection legislation
In Norway the Data Protection Authority may impose infringement fines, cf. the Personal Data Act section 46:
- discretion bound by law (list of factors)
- up to 10 G (ten times the National Insurance basic amount, approx. NOK 900,000)
- strict liability for the organisation
Administrative sanctions, cont.
Art 79 Fines: "in each individual case effective, proportionate and dissuasive"
- imposed by the supervisory authorities (or the courts)
- discretion bound by law (list of factors)
- graduated maximum amounts for specified infringements:
  - EUR 10 000 000 / 2 % of annual worldwide turnover (whichever is higher)
  - EUR 20 000 000 / 4 % of annual worldwide turnover for infringements of the "basic principles for processing", "data subjects' rights" and "third country transfer" rules
Administrative sanctions, cont.
In addition to or instead of fines, the authority may:
- issue warnings
- give reprimands
- order compliance
- impose a limitation or ban on processing
- etc.
"New" rights for the person the data concern
- Right to be forgotten, Art 17
- Right to restriction, Art 17a
- Data portability, Art 18
- Right to object, Art 19, "on grounds relating to his or her particular situation"
Miscellaneous
- Extended territorial scope: the offering of goods and services to data subjects in the Union, and the monitoring of behaviour within the EU
- One-stop shop for organisations established in several states, and for processing that involves data subjects in several states
- Extended responsibility for processors
- More personal data are regarded as sensitive (special categories)
- Transfer to third countries
- Certification schemes at EU level
Cecilie Rønnevik
cecilie.ronnevik@dlapiper.com
+47 91 39 34 36