We are only looking at three articles this week. The first explains the new registration process and cost for controllers and processors in Jersey, and soon Guernsey, which will increase the registration cost for most organisations. The second looks at a GDPR compliance audit carried out by a German Supervisory Authority on 50 companies of various sizes; this makes very interesting reading, with the largest gaps being IT security and DPIAs. Finally, our old friend the cookie: the UK ICO has released guidance.
If you have any data protection questions, please contact us.
Registering as a controller and processor in the Channel Islands
Since the introduction of the new data protection laws in Jersey and the Bailiwick of Guernsey, each of the islands’ data protection authorities elected to retain their existing notification and fees regimes. This is, however, set to change.
Whilst the implementation of Guernsey’s regime is still being discussed at government level, a new charging model in Jersey will be debated next month. In this bulletin, we look at the latest developments in both jurisdictions and in particular, examine what Guernsey can learn from Jersey’s new charging model.
The Bailiwick of Guernsey – discussions ongoing
The Data Protection (Bailiwick of Guernsey) Law, 2017 (as amended) (“DPGL”) came into force on 25 May 2018 and prohibits all Guernsey controllers and processors from processing personal data unless they are either: (a) registered with the Bailiwick’s Office of the Data Protection Authority (“ODPA”); or (b) eligible for exemption from registration in accordance with regulations. Section 40 of the DPGL also allows the ODPA to levy a registration fee to be used to pay for the remuneration, salaries, fees, allowances and other costs associated with the establishment of the ODPA and its continued operations including the exercise of any of its powers and functions. Given that the ODPA is provided with wider powers under the DPGL, it has been recognised that a new charging model will be required to ensure that the ODPA is adequately funded. Discussions with the States of Guernsey regarding the new registration and charging model have been and continue to be ongoing. In the meantime, the ODPA has announced that the existing transitional regime will be extended for a further year, until 31 December 2020. This means that any organisation which is currently exempt from registration with the ODPA will not need to register until January 2021.
These include entities that are exempt by virtue of:
- their status as charitable or not-for-profit organisations; or
- their status as a processor (i.e. because they only process personal data on the instructions of another entity); or
- the fact that they only process personal data for “core business purposes” (being accounts and record-keeping, staff administration and marketing their own goods and services).
They will, however, need to continue to document their rationale for relying on any relevant exemption. In the meantime, registered entities must continue to renew their annual registration and pay the existing £50 levy. It is, as yet, unclear what Guernsey’s new registration and charging model will look like. However, it seems likely that Guernsey will have regard to the success of Jersey’s proposed model when considering its next line of direction.
Jersey’s data protection law reform – new proposals for a charging model
The Data Protection (Jersey) Law 2018 (“DPJL”) and the Data Protection Authority (Jersey) Law 2018 (“DPAJL”) came into force on 25 May 2018. Under Article 17 of the DPAJL, controllers and processors established in Jersey are required to register with the Jersey Office of the Information Commissioner (“JOIC”). Article 18 of the DPAJL makes provision for appropriate fees to be charged in order to fund the activities of JOIC and the Jersey Data Protection Authority, which oversees JOIC. As part of the transitional arrangements in relation to notification and fees, the Data Protection (Registration and Charges) (Jersey) Regulations 2018 (the “Regulations”) essentially “grandfathered” the previous notification and charging regime (although extended to processors as well as controllers), under which a flat fee of £50 per year was charged. The intention has been to replace the Regulations with a risk-based system of tiered annual payments. The JOIC issued a consultation paper proposing a tiered risk-based model akin to the model adopted by the UK Information Commissioner. The model initially proposed was relatively complex and (critically) made no provision for entities administered by financial services companies, which form a large category of controllers and processors in their own right. The new proposals are more straightforward and treat administered entities as a separate class. This will make it far simpler for regulated financial services providers to deal with registration and fee issues in relation to the entities which they administer.
The proposed new model
The consultation process resulted in significant changes to the model now proposed, which is intended to come into force on 1 January 2020. It will be debated at the next States Assembly sitting on 10 December 2019. The proposed funding model seeks to balance the risks arising from data processing with the size and resources of Jersey businesses, whilst also aiming to be understandable and easy to administer. Under the proposals, the annual processing charges which controllers and processors will incur consist of up to three elements:
- the number of full-time equivalent employees involved;
- the level of Past-Year Revenue; and
- whether the relevant entity is a regulated financial services provider (or otherwise subject to the Money Laundering (Jersey) Order 2008) or, in the alternative, if the entity is not regulated, whether it processes special category data.
Although the maximum fee under this new model is £1,600, the proposals are based on the assumption that only 0.1% of data controllers or processors would be likely to incur such a charge, with the majority of businesses paying £70. There are some (very limited) exemptions for those acting in the public interest such as public authorities, candidates for a public election, provided schools and those processing data as required by the law. Those entities administered by a regulated trust company business (“TCB”) or fund services business (“FSB”) will not be eligible for an exemption but will instead be required to pay a fixed annual charge of £50. Those entities which do not process personal data will not be either controllers or processors and accordingly no fee will be payable. However, for an entity to process no personal data whatsoever will be rare. An annual charge falls due on 1st January of the year to which the charge relates and must be paid by the last day of the following month. Accordingly, if the proposals are approved by the States Assembly, the first payments under the new scheme will be due in January 2020. Where controllers or processors have already paid an annual charge in respect of any portion of 2020, the pro rata amount of the payment attributable to that year will be subtracted from the amount to be paid as the annual charge for 2020. Whilst the detail of registration and payment are yet to be finalised, the annual processing charge for controllers and processors (other than those administered by a TCB/FSB) is proposed to be as set out below:
Proposed annual processing charge for controllers and processors
Full-time equivalent employees
When calculating number of full-time equivalent (“FTE”) employees of a Payer:
- a person employed for no more than 9 hours a week is treated as 25% of a FTE employee;
- a person employed for more than 9 hours but no more than 18 hours a week is treated as 50% of a FTE employee;
- a person employed for more than 18 hours but not more than 27 hours a week is treated as 75% of a FTE employee; and
- a person employed for more than 27 hours a week is treated as a FTE employee.
Past-Year Revenues are defined as a Payer’s gross revenues that are generated by or on behalf of that part of the Payer’s business that is established in Jersey for the year before the year to which an annual charge relates.
The Jersey proposals appear robust (although there are one or two minor drafting issues) and have the advantage of relative simplicity.
If successful, Jersey’s risk-based model could provide a source of inspiration for Guernsey’s own registration and charging model. However, as with many aspects of the data protection regime, the devil is likely to be in the detail of how registration and fee payment is managed in practice – particularly for administered entities. If this could be combined with other payments (such as the companies registry fee) which service providers already need to make, this would be a welcome development.
German DPA releases findings of GDPR readiness audits of 50 organisations
The Lower Saxony Data Protection Authority (Lower Saxony DPA) has audited 50 large and medium-sized organizations on their implementation of the requirements of the GDPR since June 2018. On November 5, 2019, the Lower Saxony DPA released a report summarizing its findings (Report; available in German here).
Summary of findings in the Report
We previously reported on our blog that the Lower Saxony DPA has released the checklist it used in assessing the GDPR readiness of the audited organizations (Checklist). This Checklist is a helpful tool for determining where organizations have GDPR compliance gaps.
The Lower Saxony DPA has now summarised its findings of the audits. It has grouped the audited organisations based on a traffic light system:
- Green (= mainly satisfactory): 9 organizations
- Yellow (= some deficiencies): 32 organizations
- Red (= major deficiencies): 8 organizations
The Report also highlights the GDPR compliance items that still raise the most and the least concerns:
- Most deficiencies: IT security, data protection impact assessments (DPIA)
- Medium deficiencies: records of processing activities (ROPA), consent, data subject rights
- Low deficiencies: data processing agreements, data protection officers (DPO), notification of data breaches, accountability
Deficiencies outlined in the Report
The Lower Saxony DPA outlined the following deficiencies that it found for some organizations.
IT security:
- Lack of understanding of what the GDPR actually requires regarding IT security (for example, a risk-based approach)
- Lack of understanding of the concepts of privacy by default and privacy by design
Data protection impact assessments:
- Insufficient knowledge of the black lists provided by supervisory authorities
- Insufficient documentation regarding whether a DPIA is necessary or not
- Lack of a systematic approach
- DPO has carried out the DPIA
- Insufficient description of the facts concerning complex data processing activities (only half a page)
- Lack of measures for addressing the risks identified
Records of processing activities:
- No clear definition of the update process for the ROPAs
- Standard procedures could not be identified (for example, for operation of a website or job application management)
- Lack of contact information in the ROPAs (for example, of the DPO)
Consent:
- Processing activities are justified by consent even though they could be based on another legal justification in Article 6 GDPR
- No granular choices
- No information on the option to withdraw consent
Data subject rights:
- Insufficient description of the balancing of interests (Article 6(1)(f) GDPR).
- Insufficient processes for verification of data subject and for providing copies of the personal data processed (Article 15(3) GDPR) in connection with access requests
Data processing agreements:
- No full compliance with the legal views of the Lower Saxony DPA (for example, with regard to maintenance of IT systems)
Data protection officers:
- No evidence of the DPO’s expert knowledge
Notification of data breaches:
- No clear rules on responsibility for handling data breaches
Organisations should carry out internal GDPR readiness audits 1.5 years after GDPR has entered into force to determine any compliance gaps they still have. The Report and the Checklist highlight some of the GDPR items that supervisory authorities look for in particular. Implementation of these items should thus be reviewed specifically.
What does the ICO’s recent guidance mean for the future of cookies?
In short, and irrespective of whether or not the website is processing any personal data, a website is only allowed to set a cookie on a user’s device if either:
- the cookie is strictly necessary; or
- the user of the website has given their consent.
If personal data is being processed on the website then the normal rules of the GDPR will also apply.
A “strictly necessary cookie” has a high threshold: it is a cookie that is either (i) necessary for technical purposes to allow a communication to take place; or (ii) necessary to provide a service the user has requested. Common examples of “strictly necessary” cookies are session cookies used to create a shopping basket, or a security cookie for a requested service.
What does this mean in practice?
- Cookie Walls – the lawful use of cookie walls by websites will be difficult and require careful thought. Blanket approaches, e.g. “by continuing to use this website you are agreeing to cookies” will not be valid as consent must be “freely given.”
- Analytics Cookies – the use of analytics cookies is not strictly necessary and requires users’ consent.
- Third Party Cookies – the use of third party cookies will almost always require consent (especially adtech and social media cookies). This raises difficult questions over who is responsible for obtaining the consent (i.e. the website owner or the third party operator) and how it can lawfully be obtained. It will also require third parties to be explicitly named, and an explanation of how the third party uses those cookies will need to be provided to the user. This is a complex area, and further light may be shed on how websites should approach this issue of compliance at the conclusion of the ICO’s investigation into the adtech sector.
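To show how the two-way test above translates into site behaviour, here is an added example of a small consent-gated cookie manager. It is not code from the bulletin or from the ICO; the cookie names, categories, purposes and third-party names in the registry are constructed for the demonstration, and the in-memory `Map` stands in for the browser cookie jar so the logic can run outside a browser. Strictly necessary cookies are set on first load, everything else waits for an explicit, granular opt-in (a “continue browsing” signal is rejected), withdrawal removes cookies already set, and the notice lists each non-essential cookie with its purpose and who sets it.

```javascript
// Added example, not the bulletin's or the ICO's code. Registry entries are constructed.
const REGISTRY = [
  { name: "sessionid",  category: "strictly-necessary", purpose: "shopping basket session",          thirdParty: null },
  { name: "csrf_token", category: "strictly-necessary", purpose: "security token for a requested service", thirdParty: null },
  { name: "_analytics", category: "analytics",          purpose: "site usage statistics",            thirdParty: "ExampleAnalytics (constructed name)" },
  { name: "ad_id",      category: "advertising",        purpose: "adtech targeting",                 thirdParty: "ExampleAdNetwork (constructed name)" },
];

// Consent must be freely given and granular: only an explicit opt-in naming
// specific categories counts. Implied signals such as "continued use" are refused.
function isValidConsent(signal) {
  return Boolean(signal)
    && signal.type === "explicit-opt-in"
    && Array.isArray(signal.categories)
    && signal.categories.length > 0;
}

// `jar` models the device's cookie store (a Map here; document.cookie in a browser).
function createConsentManager(registry = REGISTRY, jar = new Map()) {
  const granted = new Set(); // non-essential categories the user has opted into

  function allowed(entry) {
    return entry.category === "strictly-necessary" || granted.has(entry.category);
  }

  // Reconcile the jar with the current consent state: set what is allowed,
  // delete anything that is not (this is what makes withdrawal effective).
  function apply() {
    for (const entry of registry) {
      if (allowed(entry)) {
        if (!jar.has(entry.name)) jar.set(entry.name, `value-for-${entry.name}`);
      } else {
        jar.delete(entry.name);
      }
    }
  }

  function grant(signal) {
    if (!isValidConsent(signal)) return false;   // blanket / implied consent rejected
    signal.categories
      .filter((c) => c !== "strictly-necessary")   // nothing to consent to here
      .forEach((c) => granted.add(c));
    apply();
    return true;
  }

  function withdraw(categories) {
    categories.forEach((c) => granted.delete(c));
    apply();
  }

  // The information a compliant notice must carry for every non-essential
  // cookie: what it is for and which (named) party sets it.
  function notice() {
    return registry
      .filter((e) => e.category !== "strictly-necessary")
      .map((e) => ({ name: e.name, purpose: e.purpose, setBy: e.thirdParty ?? "first party" }));
  }

  apply(); // strictly necessary cookies may be set immediately on first load
  return {
    grant,
    withdraw,
    notice,
    setCookies: () => [...jar.keys()].sort(),
    grantedCategories: () => [...granted].sort(),
  };
}

// Usage: first load sets only sessionid and csrf_token; an "explicit-opt-in" for
// ["analytics"] adds _analytics; withdraw(["analytics"]) removes it again.
```

The design choice worth noting is that `apply()` is the single place that touches the jar and is driven entirely by the consent state, so granting, withdrawing and first load all converge on the same reconciliation step rather than on scattered set/delete calls that can drift apart.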
Fines from around Europe
Spanish Data Protection Authority (aepd)
€900 TODOTECNICOS24H S.L. – Art. 13 GDPR – Insufficient fulfilment of information obligations
TODOTECNICOS24H had collected personal data without providing accurate information about data collection in its data protection declaration pursuant to Article 13 of the GDPR.
€1,500 Cerrajero Online – Art. 13 GDPR – Insufficient fulfilment of information obligations
The company had collected personal data without providing accurate information about data collection in its data protection declaration pursuant to Article 13 of the GDPR.
€6,000 Jocker Premium Invex – Art. 6 GDPR – Insufficient legal basis for data processing
After the applicant had registered for a local census, Jocker Premium Invex sent them postal advertisements and commercial offers, although data such as first name, surname and postal address had only been communicated to the public administration.
Dutch Supervisory Authority for Data Protection (AP)
€900,000 UWV (Dutch employee insurance service provider) – Art. 32 GDPR – Insufficient technical and organisational measures to ensure information security
As the UWV (the Dutch employee insurance service provider – “Uitvoeringsinstituut Werknemersverzekeringen”) did not use multi-factor authentication when accessing the online employer portal, security was inadequate. Employers and health and safety services were able to collect and display health data from employees in an absence system.