powerpoint presentation · 2015-11-05 · map data processing activities & data flows it...
TRANSCRIPT
Follow us: @AlstonPrivacy www.AlstonPrivacy.com
1993 2005 2015
EU DIRECTIVE 1995/46
Main Frame Computing
Internet
- E-Commerce and Distance Services
- Biometrics / RFIDs
- Big Data Processing
- Cloud Computing
- IoT / Social Media
- Nano-computing
- Etc.
EU DATA PROTECTION REGULATION
Delocation / Omnipresence of Data Processing
EU DIRECTIVE 1995/46
- Omnibus legislation
- Notice & Consent
- Sensitive Data
- Data Protection Rights
- Notification Regulators
- Restrictions on Data Transfers
The Future Data Protection Regulation Will Be ‘Game Changer’
- Direct binding effect
- Applicable to processing activities related to offering of services to individuals in the EEA
- Broader obligations for data processors (Internal documentation, PIAs, data breach, international transfers)
- Data breach notification
- Accountability obligations (PIAs, Internal Documentation)
- Privacy by design/default
- Administrative sanctions (currently) up to EUR 100,000,000 or up to 5 percent of annual global TO
Set of rules that set forth a data privacy regime to exchange personal information within a group of companies
Take the form of a code of conduct, backed by policies, procedures, and control mechanisms, which are negotiated and approved by the national DPAs
Binding Corporate Rules for Data Controllers and Data Processors
BCRs are not only a mechanism to transfer personal information. They help to obtain:
- Accountability
- Adequate Data Privacy Governance
- Awareness and Effective Data Protection
- 72 BCRs approved
- Timing:
  - 5 months on average for lead DPAs to handle application
  - 3-4 months for mutual recognition and cooperation procedure with other DPAs
  - 8 months response time applicant
Key Points When Considering BCRs
- Relevancy: Multiplicity of jurisdictions; required flexibility to transfer PII globally
- Effort: Status current privacy compliance and governance
- Vision: Long-term view on privacy
- Legal certainty: Structure, streamline and reduce administrative burden of privacy compliance for the future
- Commercial benefits: Increases customers’ and partners’ trust and improves company’s public reputation
[Diagram: Company Group. Scalable in terms of group companies. Labels: EU, NON-EU, Member (multiple), HQ, BCR]
[Diagram: Company Group. Scalable in terms of types of data covered. Labels: EU, NON-EU, Member (multiple), HQ, HR Data, Cust. & Suppl. Data, Suppl. & Vendor Data, Cust. Data, BCR]
[Diagram: Company Group. Other International Data Transfer Mechanisms. Labels: EU, NON-EU, Member (multiple), HQ (USA), HR Data, Cust. & Vendor Data, Suppl. & Vendor Data, Vendor Data, Cust. Data, C-C Model Contract, Safe Harbor, BCR]
Robust privacy governance structure is required to successfully apply for BCRs
Privacy Governance Structure
- Layers: Policy, Implementation, Effectiveness, Control
- GROUP’S GLOBAL PRIVACY POLICY:
  - HR Data & Privacy Policy
  - Vendor & Supplier Data Privacy Policy
  - Customer Data Privacy Policy
- PROCESSES & PROCEDURES and EFFECTIVE COMPLIANCE MEASURES:
  - Privacy Notices
  - Employee Policies & Confidentiality Clauses
  - Map Data Processing Activities & Data Flows
  - IT Security
  - Third Party Relations
  - Roles & Responsibilities
  - Data Quality/Breach Response
  - Training & Testing
  - Complaint & Request Handling
  - Network of Privacy Officers & Staff
  - Sanction Mechanism
  - PIA & Template
  - Contacts for 3rd Parties
  - Cooperation with DPA’s
- AUDIT PROGRAMME:
  - Internal and/or External Annual Audit
  - Ad Hoc Investigations
BCR ADVANTAGES:
• Facilitates data flows within group
• Provides structure for privacy governance
• Ensures high level of privacy compliance and awareness
• Increases legal certainty due to DPA check
[Diagram: EU Client = DC; Vendor data processing services = EU data processor. Labels: EU, Non-adequate countries, Data Flow, DP affiliate China, DP affiliate US, DP affiliate India]
[Diagram: EU Client = DC; Vendor data processing services = EU data processor. Labels: EU, Non-adequate countries, Data Flow, Contractual arrangements, SLA, C-P Model Contract (three), DP affiliate China, DP affiliate US, DP affiliate India]
→ Burdensome for clients
• Commercially impractical
• High administrative burden related to multiple model contracts
→ Accurate reflections of data flows
[Diagram: EU Client = DC; Vendor data processing services = EU data processor. Labels: EU, Non-adequate countries, Data Flow, Contractual arrangements, SLA, C-P Model Contract (three), DP affiliate China, DP affiliate US, DP affiliate India]
→ Commercial advantage:
• Reduce burden for clients
→ Legal Risks:
• Does not reflect reality (i.e. not compliant with actual data flow + requalification of processor as controller)
• Shift unwanted liability to EU processor
[Diagram: EU Client = DC; Vendor data processing services = EU data processor. Labels: EU, Non-adequate countries, Data Flow, BCR-P, SLA, DP affiliate China, DP affiliate US, DP affiliate India]
| | Safe Harbor | Model Contracts | Consent & Derogations | BCRs |
|---|---|---|---|---|
| Scope | N/A | EU → Global; No businesses excluded; Structural transfers | EU → Global; No businesses excluded; No structural transfers | EU → Global; No businesses excluded; Structural transfers |
| Legal Certainty | N/A | High | Low | High |
| Maintenance | N/A | High; Requires updates and amendments | Low | Medium |
| Administrative Burden | N/A | High (permits) | Low – High (exemptions – consent forms) | High at start, low once obtained |
| Cost/Complexity | N/A | Cost = Complexity (corporate structure) | Consent: Cost = Complexity (# of DS); Derogations: Cost (liability risk) > Complexity | Cost < Complexity |
[Process diagram, Phase I and Phase II]
- Identify Lead DPA: WP 133
- Submit Documents: WP 133 Form / BCRs / IGA (or similar) / Audit Policy / Training Program / Overview Entities
- Lead DPA Review (+ co-reviewers): Discussion rounds with Lead DPA – Circulation to Co-Reviewers (possible further amendments)
- Notifications MR DPAs / Review Cooperation DPAs: Mutual Recognition DPAs only need to confirm receipt – Cooperation DPAs have 1 month to submit remarks
- Closure: Lead DPA circulates final version to DPAs + Listing in Article 29 WP
- National Authorities: Notification updates and permits (where required) http://ec.europa.eu/justice/data-protection/document/international-transfers/files/table_nat_admin_req_en.pdf
MR Procedure
Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Estonia, France, Germany, Ireland, Italy, Latvia, Luxembourg, Malta, the Netherlands, Spain, Slovakia, Slovenia and the UK.
Co-operation Procedure
Croatia, Denmark, Finland, Greece, Hungary, Lithuania, Poland, Portugal, Romania and Sweden.
Accountability under GDPR BCR
Concise, transparent, clear and easily accessible policies demonstrating compliance
Demonstrable technical/organizational measures
PIAs
Documentation obligations
DPO requirements (?)
Audit requirements