The General Data Protection Regulation How can employers operating share plans prepare?



Getting ready for the GDPR

This briefing contains a non-exhaustive summary of the likely impacts of the GDPR on share plans and considers how businesses which operate share plans can get ready for the new regime.[1]

Since the draft General Data Protection Regulation (the GDPR) was published in January 2012, the overhaul of the European Union’s (EU) data protection regime (currently based on the 1995 EU Data Protection Directive) has been hotly debated. Following the adoption of the final GDPR on 27 April 2016, lawmakers, regulators, commentators and businesses have been working hard to understand its wide-ranging impact and the new data privacy landscape it will usher in from 25 May 2018.

The UK government has recently published a Data Protection Bill which provides that the GDPR will apply to the processing of personal data in the UK as if it were an Act of the UK Parliament (subject to certain modifications). This approach should ensure the UK’s status as a third country which provides an adequate level of protection for personal data post-Brexit – this is required in order to facilitate transfers of personal data outside of the EEA. The GDPR will therefore continue to be relevant to the UK (along with other Member States) even after Brexit.

1. Unless otherwise stated, references in this briefing are to the Articles of the GDPR.

The GDPR: How can employers operating share plans prepare?

Share plans (1): What steps should employers be taking now?

Project planning

In businesses operating multiple share plans it may be helpful to start by reviewing one share plan and to use the lessons learned as a blueprint.

Ownership

GDPR implementation will affect many stakeholders (legal, HR, IT, compliance, product development, procurement, customer services, works councils etc). Share plan data protection updates should tap into wider GDPR implementation processes to ensure consistent application across the business.

Assessing the status quo

Examine existing data protection documentation/provisions in share plans (both in the rules and in participant communications), contracts with share plan administrators, documentation with employee benefit trusts (EBTs) and other third parties to understand the current data protection position (including the current bases for processing and transfer).

Gap analysis

Once an understanding of the current position is established, assess what is needed to comply with the GDPR. In any event, the following points should be addressed:

• Data protection clauses in share plans – are they fit for purpose?

• What lawful grounds are there for processing, or should you seek consent?

• Consent provisions in grant documentation – should these continue to be included in the documentation if you are relying on one of the other lawful grounds for processing? Do they work under the GDPR?

• What processing information is provided to participants – is any provided at present? Does it comply with the information rights provided for in the GDPR?

• Arrangements with EBTs and share plan administrators – what arrangements are in place regarding participant data? Are processors properly accountable? Are contract changes needed, and does this impact contract pricing?

• Data transfers – is participant data transferred outside of the EEA (eg to EBTs offshore or other group companies)? What is the legal basis for the transfer currently, and will this work under the GDPR?

• Data Privacy Impact Assessments – are any ‘high risk’ processing activities or ‘large scale’ sensitive personal data processing activities undertaken in connection with share plan management and administration which require a privacy impact assessment to be carried out?

• Record keeping – are there systems in place to record the data processing (eg what personal data is held and for what purpose, to whom the data has been transferred and on what legal basis (including what, if any, consents have been provided))?

Share plans (2): What steps should employers be taking now?

Timing

Businesses need to examine the impact of the GDPR on their share plan processes in order to ensure that they are ready for the new regime. Processing after 25 May 2018 will need to comply with the GDPR, so businesses may want to anticipate the new rules to ensure that documentation associated with share plan awards granted shortly prior to its coming into force (as well as older grants of subsisting awards) is compliant from day one.

Where can I find this?

Subject                     Article                                      Recital
Consent                     Articles 4(11), 6(1)(a), 7, 8 and 9(2)(a)    Recitals 32, 42 and 43
Provision of information    Articles 12, 13 and 14                       Recitals 58–62
Using data processors       Articles 28–29                               Recital 81
Data transfers              Articles 44–49                               Recitals 48, 101–115
Impact Assessments          Articles 35–36                               Recitals 89–94
Record keeping              Articles 24(1) and 30                        Recital 82

What are the main changes? (1)

Harmonised rules

The GDPR will establish a single set of rules across the EU but will allow for Member State discretion in some situations. Article 88 allows Member States to provide for more specific rules in respect of the processing of HR data – these will add more colour to the HR GDPR space once published – only Germany and Austria have done so to date. The UK government has chosen not to incorporate Article 88 into law in the UK Data Protection Bill.

Extra-territoriality

The GDPR has far-reaching territorial scope. Companies based outside the EU that offer goods/services in the EU or that process data about EU citizens (eg because they have employees based in the EU) must comply.

Data protection ‘by design’

Data protection safeguards will have to be built into processes (eg share plan administration processes) from the earliest stage of development, and privacy-friendly techniques like pseudonymisation will be encouraged.

Transparency

Businesses will have to give individuals more information on how their data is processed and in an understandable way. This will impact how businesses and share plan administrators communicate with share plan participants.

Where can I find this?

Subject                       Article                    Recital
Extra-territoriality          Article 3                  Recitals 22–25
Data protection ‘by design’   Article 25                 Recitals 74–78
Transparency                  Articles 12, 13 and 14     Recitals 58–62

What are the main changes? (2)

Purpose limitation

If businesses collect data for a specific purpose, they will be able to use it for another purpose only if that new purpose is compatible with the original one.

Consent

The GDPR includes new rules on how to obtain consent (applicable also to existing consent declarations) and a right for individuals to withdraw that consent.

Record keeping

Organisations will be obliged to keep a record of their processing activities. Data controllers and data processors must be able to demonstrate compliance. In principle, a regulator (and perhaps even an employee) may require the employer to implement technical and organisational measures and to show that it complies. It will not be sufficient simply to assert compliance; such compliance must be demonstrated.

Accountability

The GDPR significantly increases documentation requirements. Certain high-risk data processing activities are subject to prior data protection impact assessments.

‘Right to be forgotten’

When individuals no longer want their data to be processed, and there are no legitimate grounds for retaining it, the data will have to be deleted.

Where can I find this?

Subject                                 Article                                      Recital
Purpose limitation                      Articles 5(1)(b), 6(4)                       Recital 50
Consent                                 Articles 4(11), 6(1)(a), 7, 8 and 9(2)(a)    Recitals 32, 42 and 43
Record keeping                          Articles 24(1) and 30                        Recital 82
‘Right to be forgotten’ (and similar)   Articles 16 and 19                           Recitals 65, 66, 67, 73

What are the main changes? (3)

Conflict of laws

There are new rules on disclosure requests from foreign courts/authorities. This may become an additional obstacle when dealing with requests from non-EU regulators.

‘One-stop-shop’

The GDPR anticipates a ‘one-stop-shop’ (allowing businesses to deal with one lead regulator across the EU in relation to cross-border processing), but businesses may still need to interact with multiple national regulators (in relation to local data processing). Country-specific enforcement practices must be considered. We anticipate that Brexit will cause a degree of disruption for these arrangements. Post-Brexit, businesses operating both in the UK and the EU are likely to be regulated by different data protection authorities, which may create divergences within and outside the EU.

Use of service providers

The GDPR imposes a high duty of care upon controllers in selecting their personal data processing service providers, which will require procurement processes and request-for-tender documents to be regularly assessed. Contracts should include a range of information (eg the data processed and the duration of processing) and obligations (eg assistance where a security breach occurs, appropriate technical and organisational measures taken and audit assistance obligations).

Data breach

Businesses will have to notify regulators in a timely manner of data breaches that put individuals at risk, and also inform individuals about high-risk breaches.

Where can I find this?

Subject                     Article                 Recital
Conflict of laws            Article 48              Recital 115
‘One-stop-shop’             Articles 56, 60–62      Recital 36
Use of service providers    Articles 28–29          Recital 81
Data breach                 Articles 33 and 34      Recitals 85–88

What are the main changes? (4)

Severe fines

Data protection authorities will be able to fine businesses that breach the GDPR up to €20m or up to 4 per cent of their global annual turnover, whichever is greater. The recitals to the GDPR explicitly refer to principles under EU competition law, so it’s probable that regulators will look at group turnover.

Joint liability

There is a risk that parent companies may be subject to fines for a breach of the GDPR by a subsidiary. Also, co-operation with third parties (such as share plan administrators or EBTs) can trigger joint liability.

Where can I find this?

Subject           Article       Recital
Fines             Article 83    Recitals 148–152
Joint liability   Article 82    Recital 146

What is staying (almost) the same? (1)

In many ways the GDPR does not represent a seismic shift in data privacy law. Below are two areas of the GDPR relevant to share plan activities which largely follow the current EU legislation on data privacy. However, as explained below, these similarities are not unqualified.

Grounds for processing

The grounds for processing personal data under the GDPR broadly replicate those under the Data Protection Directive. There are, however, a few changes which employers should be aware of.

Consent

Historically, in both an employment and a share plan context, employers have relied on employee consent to processing. The GDPR contains new, significant limitations on the use of consent. The GDPR defines ‘consent’ as ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’. Where the processing relates to sensitive personal data, the consent must also be ‘explicit’.

For consent to be ‘unambiguous’, clear affirmative action by the data subject is required. The concept of affirmative action does still leave room for implied consent in some circumstances (but not where sensitive personal data is being processed). However, in the employment or share plan context, reliance on implied consent (and even potentially express consent) may not be advisable after the GDPR comes into force.

This is for two reasons:

• the GDPR provides that consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. The EU Article 29 Data Protection Working Party’s opinion on data processing at work, adopted on 8 June 2017, states that employees are seldom in a position to freely give, refuse or revoke consent, given the dependency that results from the employer/employee relationship. It states that, except in exceptional situations, employers should rely on another lawful ground for processing; and

• if consent is sought from an employee but, where that consent is not given or is withdrawn, the employer would continue with the processing on one of the other lawful grounds for processing, it would be best not to seek consent at all, as doing so may give the employee the misleading impression that withholding or withdrawing consent would result in the processing not going ahead.

Other grounds for processing

Given this more restrictive approach to consent, employers operating share plans will be pleased to know that the following grounds for lawful processing will continue to apply under the new regime in respect of personal data:

• Necessary for the performance of a contract with the data subject or to take steps preparatory to such a contract (6(1)(b)).

• Necessary for the purposes of legitimate interests pursued by the controller or a third party (where such interests are not overridden by the interests, rights or freedoms of the individual) (6(1)(f)).

What is staying (almost) the same? (2)

Under the GDPR the processor must tell employees that it is processing on this ground and must specify what the ‘legitimate interests’ are. Where this ground is relied upon, the employee will nevertheless be entitled to object to the processing, and it would then be for the controller to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the employee.

In addition, the GDPR contains a non-exhaustive list of factors to be taken into account when determining whether the processing of data for a new purpose is incompatible with the purposes for which the data were initially collected.

Where sensitive personal data is being processed (in a share plan context this is most likely to be data relating to the health of a share plan participant where this is the reason for good leaver treatment), the most likely applicable grounds for lawful processing will be:

• explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law (9(2)(a)); or

• necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement (9(2)(b)).

Transfers of personal data

Transfers of personal data to recipients in ‘third countries’ (eg outside of the EEA) continue to be regulated and, in certain circumstances, restricted. The GDPR’s obligations are broadly similar to those imposed by the Data Protection Directive, with some compliance mechanism improvements available, notably the removal of the need to notify standard contract clauses to supervisory authorities, and encouragement for the development of transfer adequacy codes of practice and certification schemes.

Data transfer compliance will remain a significant issue for multinational organisations, and should be a focus of share plan data privacy governance reviews in the context of transfers to third party administrators and offshore employee benefit trusts.

Where can I find this?

Subject                                    Article                                          Recital
Lawful basis of processing                 Articles 6–10                                    Recitals 40–50
Sensitive data and lawful processing       Article 9                                        Recitals 51–56
Definitions of (sensitive) personal data   Articles 4, 9, 10                                Recitals 26–51
Consent                                    Articles 4(11), 6(1)(a), 7, 8 and 9(2)(a)        Recitals 32, 42 and 43
Legitimate interests                       Articles 6(1)(f), 13(1)(d), 14(2)(b) and 49(1)   Recitals 47–50

Contacts (1)

• Satya Staes Polet, Principal Associate, Belgium – T +32 2 504 7594 – E satya.staespolet@freshfields.com

• Karin Buzanich-Sommegger, Partner, Austria – T +43 699 18 910 125 – E karin.sommeregger@freshfields.com

• Gwen Senlanne, Partner, France – T +33 1 44 56 55 13 – E gwen.senlanne@freshfields.com

• Rene Döring, Partner, Germany – T +49 69 27 30 82 87 – E rene.doering@freshfields.com

• Elmar Schnitker, Partner, Germany – T +49 211 49 79 222 – E elmar.schnitker@freshfields.com

• Boris Dzida, Partner, Germany – T +49 40 36 90 61 39 – E boris.dzida@freshfields.com

• Timon Grau, Partner, Germany – T +49 69 27 30 86 70 – E timon.grau@freshfields.com

• Klaus-Stefan Hohenstatt, Partner, Germany – T +49 40 36 90 61 08 – E ks.hohenstatt@freshfields.com

• Thomas Müller-Bonanni, Partner, Germany – T +49 211 49 79 164 – E thomas.mueller-bonanni@freshfields.com

• Laura Chapman, Counsel, China/Hong Kong – T +852 2846 3496 – E laura.chapman@freshfields.com

Contacts (2)

• Alice Greenwell, Partner, UK – T +44 20 7716 4729 – E alice.greenwell@freshfields.com

• Kathleen Healy, Partner, UK – T +44 20 7832 7689 – E kathleen.healy@freshfields.com

• Nicholas Squire, Partner, UK – T +44 20 7832 7419 – E nicholas.squire@freshfields.com

• Caroline Stroud, Partner, UK – T +44 20 7832 7602 – E caroline.stroud@freshfields.com

• Howard Klein, Partner, US – T +1 212 277 4047 – E howard.klein@freshfields.com

• Jean-Francois Gerard, Global Practice Development, UK/Belgium – T +32 2 504 7697 – E jean-francois.gerard@freshfields.com

• Olga Chislova, Counsel, Russia – T +7 495 785 3032 – E olga.chislova@freshfields.com

• Raquel Flórez, Partner, Spain – T +34 91 700 3722 – E raquel.florez@freshfields.com

• Brechje Nollen, Partner, The Netherlands – T +31 20 485 7626 – E brechje.nollen@freshfields.com

• Luca Capone, Partner, Italy – T +39 02 625 30401 – E luca.capone@freshfields.com

This material is provided by the international law firm Freshfields Bruckhaus Deringer LLP (a limited liability partnership organised under the law of England and Wales) (the UK LLP) and the offices and associated entities of the UK LLP practising under the Freshfields Bruckhaus Deringer name in a number of jurisdictions, and Freshfields Bruckhaus Deringer US LLP, together referred to in the material as ‘Freshfields’. For regulatory information please refer to www.freshfields.com/support/legalnotice.

The UK LLP has offices or associated entities in Austria, Bahrain, Belgium, China, England, France, Germany, Hong Kong, Italy, Japan, The Netherlands, Russia, Singapore, Spain, the United Arab Emirates and Vietnam. Freshfields Bruckhaus Deringer US LLP has offices in New York City and Washington DC.

This material is for general information only and is not intended to provide legal advice.

© Freshfields Bruckhaus Deringer LLP, November 2017, 1571

freshfields.com