Use of the PSC Card and Privacy Notices
Posted in: Business Legal on Data Security on 27 August 2019
Business Legal has recently published their August Newsletter on all data protection matters. This edition focuses on the use of the Public Services Card (PSC); Privacy Notices/Policies; verifying the identity of an individual requesting access to their data or that data be deleted; a GDPR fine in Romania; Brexit planning etc. The newsletter is packed with useful information and guidance.
The Public Services Card (PSC)
The Data Protection Commission (DPC) has determined that the PSC may not be used on a mandatory or compulsory basis by government departments other than the Department of Social Protection, which is the Department which issued the card. This means that it is not lawful for a PSC to be demanded in a driving licence or passport application, or any other application to any department other than the Department of Social Protection.
More problematically, the DPC has ordered the destruction of 3.2 million data subjects’ records on the basis that they are no longer required once the primary purpose for gathering that data was achieved, namely the identification of the individual.
The government appears to be inclined to try and retrospectively legislate to legitimise its unlawful actions, rather than to take on board the criticism of data protection practitioners, and the DPC, with regard to its actions over the last number of years. There are very strong legal objections to this approach, as Article 5.1.b of the GDPR requires that personal data be “collected for specified, explicit and legitimate purposes”, and the data has already been collected. Any attempt to retain the personal data held in respect of the PSC, or to retrospectively legitimise its collection, would likely be resisted by recourse to litigation. The DPC has put a 21 day stay on its order for the destruction of the personal data, so we will be reporting on further developments in our September edition of this newsletter.
Privacy Notices
With the prospect of increased GDPR regulatory activity ahead, it is important for organisations to ensure their Privacy Notices are compliant.
You must provide clear, intelligible and easily accessible information to individuals about the collection and use of their personal data.
This must be provided at the time personal data is obtained from individuals (or within one month when obtained from another source).
The categories of information to be provided include the purposes of processing, the legal basis for processing, the legitimate interest of the company which the company claims legitimises the processing (if applicable), any data sharing, any international transfers, and the data retention periods which apply to each processing.
Working this out, with documentation to meet the requirements of accountability, can be challenging. You may need to refresh data mapping or review justifications for legal basis. Privacy Notices should also align with your Records of Processing Activities (as required by Article 30). You may need more than one Privacy Notice depending on the individuals involved (customers, staff, etc.). Privacy Notices are not a once-off exercise and must be kept under review to reflect processing activities.
They are part of your GDPR transparency obligations. It should be transparent to individuals that their personal data is being processed and to what extent.
How do you verify the identity of an individual requesting access to their data or that data be deleted?
The Dutch Data Protection Authority, Autoriteit Persoonsgegevens, has provided guidance.
If at all possible, refrain from asking for a copy of a formal ID.
Some alternatives may be:
- Via an existing login system.
- A form of two-factor authentication. For example:
  - after receiving a request via e-mail, request a confirmation by SMS. This mobile number must then match the customer data from your administration;
  - request confirmation of a telephone request by e-mail. This e-mail address must match the customer data from your administration;
  - ask for the last 3 digits of the account number, the date of birth and/or the customer number for verification.
- Ask someone to come by and show you his/her ID proof without making a copy. Note, however, that this cannot be used to set up a threshold to allow access and should only be offered as an alternative.
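The two-factor confirmation and knowledge-check alternatives above can be implemented without ever collecting a copy of an ID document. The following is an added example (not code from the newsletter or from the Dutch authority) of a minimal verification flow for a subject access or erasure request: the contact address the request came from is checked against the customer record, a one-time code is then sent over the other channel held on file (never to a number or address supplied in the request itself), and a fallback knowledge check uses the last three digits of the account number plus date of birth. The customer record, the `send_code` delivery callback and all identifiers are constructed assumptions for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample record (not real customer data). In practice this comes
# from "your administration", i.e. the data you already hold on the customer.
CUSTOMERS = {
    "cust-1001": {
        "email": "alice@example.com",
        "mobile": "+353870000001",
        "account_number": "IE00EXAMPLE12345678",
        "dob": "1985-04-12",
    },
}

CODE_TTL_SECONDS = 600   # one-time code validity window
MAX_ATTEMPTS = 3         # brute-force limit on code entry


@dataclass
class Challenge:
    customer_id: str
    code: str
    channel: str        # channel the code was delivered on ("email" or "mobile")
    expires_at: float
    attempts: int = 0


def _normalise(value: str) -> str:
    return value.strip().lower()


def start_verification(customer_id, contact_used, channel_in, send_code, now=None):
    """A request arrived via `channel_in` ("email" or "sms") from `contact_used`.

    Step 1: the address/number used must match the record we hold.
    Step 2: deliver a one-time code over the OTHER channel on file, so a
    requester who only controls one channel cannot complete verification.
    Returns a Challenge, or None when the contact does not match the record.
    """
    rec = CUSTOMERS.get(customer_id)
    if rec is None:
        return None
    key = "email" if channel_in == "email" else "mobile"
    if _normalise(rec[key]) != _normalise(contact_used):
        return None
    other = "mobile" if channel_in == "email" else "email"
    code = f"{secrets.randbelow(10**6):06d}"
    send_code(rec[other], code)  # destination taken from our record, not the request
    start = time.time() if now is None else now
    return Challenge(customer_id, code, other, start + CODE_TTL_SECONDS)


def confirm_code(challenge: Challenge, submitted: str, now=None) -> bool:
    """Check the code the requester sends back; expiry and attempt limits apply."""
    now = time.time() if now is None else now
    if now > challenge.expires_at or challenge.attempts >= MAX_ATTEMPTS:
        return False
    challenge.attempts += 1
    ok = hmac.compare_digest(challenge.code, submitted.strip())
    if ok:
        challenge.expires_at = 0  # single use: invalidate once accepted
    return ok


def knowledge_check(customer_id: str, last3_account: str, dob: str) -> bool:
    """Fallback: last 3 digits of the account number AND date of birth must match."""
    rec = CUSTOMERS.get(customer_id)
    if rec is None:
        return False
    ok_acct = hmac.compare_digest(rec["account_number"][-3:], last3_account.strip())
    ok_dob = hmac.compare_digest(rec["dob"], dob.strip())
    return ok_acct and ok_dob


if __name__ == "__main__":
    delivered = []
    ch = start_verification("cust-1001", "Alice@example.com", "email",
                            lambda to, c: delivered.append((to, c)))
    print("code sent to", delivered[0][0], "->", confirm_code(ch, delivered[0][1]))
```

Both the SMS number and the e-mail address are read from the stored record, which is the point of the guidance: the requester proves control of a channel you already associate with the data subject, rather than supplying new contact details to be trusted. The knowledge check is deliberately weaker and is only offered where no out-of-band channel is on file.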
GDPR fine in Romania
EU Standard Contractual Clauses (SCCs) and EU-US Privacy Shield
While we can’t pre-empt the decision of the CJEU, if the SCCs and/or Privacy Shield were invalidated that would mean that businesses that have heretofore been relying on these mechanisms would need to consider alternative mechanisms for transferring their personal data to third countries.
- Binding Corporate Rules (BCRs)
Given the lack of any practical alternatives, should the SCCs and/or Privacy shield be struck down, the European Data Protection Board will come under significant pressure to allow for some kind of moratorium during which no enforcement action will be taken by a national regulator, as happened previously when the precursor to Privacy Shield (Safe Harbour) was deemed invalid.
Businesses would need to:
- educate senior management on the implications of a declaration of invalidity;
- analyse data flows outside the EEA, what mechanism(s) underpin these transfers and how important these transfers are;
- assess the potential impact of having to stop transferring data abroad and how any fall-out may be mitigated, e.g. cease certain data processing activities or cross-border transfers, bring the personal data back into the EEA or continue processing outside of the EEA;
- consider the extent to which business operations may continue without the need to transfer personal data outside the EEA;
- consider alternate mechanisms such as BCRs or one of the derogations, or demonstrate data subject consent to the transfers; and
- engage with third party service providers to determine what contingency plans they are putting in place to enable them to continue to receive data.
How should companies plan for BREXIT?
Although the UK has passed a Data Protection Act 2018, with roughly equivalent provisions to the GDPR, in the absence of a Withdrawal Agreement being concluded between the EU and the UK the transition from being a member of the EU to being an unsafe third-country destination for EU personal data will be immediate.
Existing contractual provisions between controllers based in the EU, and processors based in the UK.
Currently, when a controller based in the EU (including in the UK) proposes to retain a processor based in the UK, they are required to put in place an agreement complying with Article 28.3 of the GDPR (often called a controller-processor agreement). This requirement will remain, but it will become more important, as the UK will now be considered an unsafe third-country destination for EU personal data.
In addition, however, the EU-based controller will have to legitimise the transfer of personal data from the EU to the UK. There are a number of ways of doing this, but the most common, and most practically useful, method is the execution of Standard Contractual Clauses (SCCs), often also called Model Clauses.
In simple terms, every EU-based controller who has a UK-based processor will have to ensure that, in addition to a controller-processor contract, they also have in place a Model Clause contract between themselves and that UK-based processor.
This is not as simple as it sounds, as processors often refuse to sign controller-processor contracts or Model Clause contracts. In the absence of both these agreements being signed, the controller has no legal option but to sever the relationship with the processor. This can create contractual difficulties in itself, as there can be contractual or statutory consequences from terminating the contract with the processor.
Article 27 Representatives
In circumstances where a UK-based company is targeting EU residents for the offering of goods or services, or is monitoring the behaviour of EU-based residents, such as behavioural advertising, then it will be subject to the EU GDPR, and will have to appoint an EU-based representative in accordance with Article 27 of the GDPR.
UK arrangements are similar
The UK has put in place similar provisions with regard to the transfer of UK data to third countries, and there are requirements for third-country based controllers and processors to have a UK Representative appointed.
In circumstances where a UK company is the lead controller for a group of companies, then it will be necessary for an alternative group company in an EU jurisdiction to take over this role.
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.