Privacy Valley partner Helena Verhagen uncovered a worrying practice at the GGD concerning children's medical data; read her LinkedIn post: https://lnkd.in/eChNcKf
PART I, XS2A and CONSENT
Is your organization reluctantly getting ready for PSD2? Or, are you jumping with excitement ready to dot the I’s on your Fintech/PSD2 business plans? Either way, if you’re in the financial services industry, it’s likely your organization is going to introduce, or face, new and innovative services that require the use and exchange of personal data. Services that are governed not only by PSD2 but also by the GDPR.
PSD2 AND GDPR: A SHORT INTRODUCTION
If you’re aware of the key motives of PSD2 and GDPR you can skip right to the next bit. For a bit of a refresher, here is a two-penny summary.
PSD2 is an EU directive that aims to promote safer and more innovative digital payment services, reduce the cost of financial transactions and strengthen consumer rights. The two parts of PSD2 that have attracted the most debate are the obligation for banks to grant third parties access to transactional information, otherwise known as XS2A (access2accounts), and the strong authentication requirements for payments. Both introduce obligations for financial institutions that require the handling of personal data.
This is where the General Data Protection Regulation (GDPR) comes in: the new, and very strict, EU data protection framework. The key motives of the GDPR are to keep personal data safe and to reinforce the rights of data subjects by giving them control over their own data. All organizations that are active in the EU or are in the business of processing personal data of EU citizens have to comply with the GDPR. Non-compliance can lead to fines of up to 4% of an organization’s annual worldwide turnover or EUR 20 million, whichever is higher.
GDPR and PSD2 both aim for better consumer protection. But at the same time as PSD2 requires open access to transactional data, GDPR introduces increasingly strict obligations to keep these data safe and ensure that consumer rights are met. In short, if you’re getting ready for PSD2, make sure that whenever you’re dealing with personal data, you also comply with the GDPR.
XS2A & Consent
Banks and payment service providers hold transactional data: data that are carefully shielded as business assets and kept safe in accordance with regulatory requirements such as privacy laws. Under XS2A, third party service providers will gain access to these sensitive personal data. Payment service providers (PSPs) may gain access to, process and store personal data only with the explicit consent of the customer. To understand what “explicit consent” means, and how to obtain valid consent, we have to turn to the GDPR.
The GDPR requires “a statement or a clear affirmative action” that signals the customer’s agreement to a certain data processing. Meaning, the customer has to actively do something to let you know they agree to what you are about to do with their data. Good examples are ticking a box stating they agree with the processing, or choosing technical settings for a service (e.g. cookie settings). “Opt-out” mechanisms, pre-ticked opt-ins, or implicit consent deduced from silence are not allowed.
Consent must be freely given. If the customer has no genuine or free choice, or is unable to refuse or withdraw consent without detriment, consent is not considered “free”. For example, a PSP requires, as a condition of using a payment service, that the customer agrees to their personal data being used for purposes completely unrelated to the delivery of that service. Any such “bundled” consent is considered to be given under undue pressure, meaning, not free. Also, any consent given in the context of an interaction where there is a clear imbalance of power (e.g. employer/employee, doctor/patient, public authority/citizen) is not free.
The PSP must provide granular options for obtaining consent separately for different processing operations and different purposes. This means that if a PSP wishes to use personal data for purposes other than those necessary for the execution of the payment service, it should get separate consent for each of those purposes.
Prior to the processing of personal data, you should provide the customer with sufficient information to enable them to understand what they are consenting to. This means that the purposes, the scope and the consequences of the data processing, as well as the identity of the data processor and the rights of the customer (see part III of this series), should be specifically described and communicated to the customer. The communication should be done in an easily accessible form (don’t hide it in general terms and conditions), and in plain and clear language that can be understood by your target audience. Consent cannot be given for vague or open-ended processing activities, for example “we will share your data with carefully selected partners for marketing purposes”.
Once you’ve communicated your purposes of personal data processing and received consent, you may not use these data for other purposes that are not compatible with the original purpose. To understand if your original purpose and your new purposes are “compatible” you may ask yourself: based on my communication, would the customer expect me to use their data in this way? If not, you will need separate consent (see: granular consent).
The GDPR does not prescribe any specific way in which consent must be obtained, or administered, but it does put the burden of proof on the PSP. The PSP must be able to demonstrate consent. This means that the PSP will have to keep records of their own communications, as well as the obtained consent. As there is a clear potential for disagreement on whether or not valid consent for payment was obtained, you may have to think about double opt-in (e.g. via e-mail confirmation of the consent) or other technical mechanisms that provide such proof.
Personal data of children are especially protected. They may be less aware of the risks and consequences of the processing of their personal data. Ensure that you amend your language in communications to children so they can understand what they consent to. Depending on national legislation on the age limit for “children” (13-15 years), you need to get the consent of the parents as well.
Customers have the right to withdraw consent at any time. PSPs must inform customers on how they can withdraw consent. Unless there is some other legal basis for the data processing, organizations must discontinue the data processing going forward.
For a full self-assessment of your organization’s compliance with all requirements under the GDPR and practical tips on how to remedy any non-compliance, please check out our Accelerator tooling. For more information or a complimentary demo, please contact us at: firstname.lastname@example.org.
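The consent requirements set out above (an affirmative action, one consent per purpose, demonstrable proof such as a double opt-in confirmation, and withdrawal that stops further processing) translate naturally into a small consent register that a PSP could gate its data processing on. The following Python sketch is an added example and is not code from the article or from Privacy Valley; the class and field names, the in-memory store and the purpose labels are all assumptions made for illustration.

```python
"""Illustrative consent register for a PSP processing XS2A data.

Added example; all names and the in-memory store are assumptions, not a
real PSP implementation. Each record is scoped to one purpose (granular
consent) and keeps what the customer was shown, what they did, and when,
so that consent can later be demonstrated.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple


@dataclass
class ConsentRecord:
    customer_id: str
    purpose: str                      # one record per purpose
    notice_text: str                  # wording shown to the customer, kept as proof
    affirmative_action: str           # e.g. "ticked_box", "clicked_confirm_link"
    given_at: datetime
    confirmed_at: Optional[datetime] = None   # double opt-in confirmation
    withdrawn_at: Optional[datetime] = None


class ConsentRegister:
    """Stores demonstrable, granular, withdrawable consent per purpose."""

    def __init__(self, require_double_opt_in: bool = True) -> None:
        self.require_double_opt_in = require_double_opt_in
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    @staticmethod
    def _now(now: Optional[datetime]) -> datetime:
        return now or datetime.now(timezone.utc)

    def record_consent(self, customer_id: str, purpose: str, notice_text: str,
                       affirmative_action: str, pre_ticked: bool = False,
                       now: Optional[datetime] = None) -> ConsentRecord:
        # A pre-ticked box, silence or an opt-out default is not a clear
        # affirmative action, so it is rejected rather than stored.
        if pre_ticked or not affirmative_action:
            raise ValueError("consent requires an affirmative action by the customer")
        # Consent cannot be given for a purpose the customer was not told about.
        if not notice_text.strip():
            raise ValueError("consent requires a notice describing the purpose")
        rec = ConsentRecord(customer_id, purpose, notice_text,
                            affirmative_action, self._now(now))
        self._records[(customer_id, purpose)] = rec
        return rec

    def confirm(self, customer_id: str, purpose: str,
                now: Optional[datetime] = None) -> None:
        """Second step of a double opt-in (e.g. the customer clicked an e-mail link)."""
        self._records[(customer_id, purpose)].confirmed_at = self._now(now)

    def withdraw(self, customer_id: str, purpose: str,
                 now: Optional[datetime] = None) -> None:
        """Withdrawal is kept on record, not deleted: it is proof too."""
        rec = self._records.get((customer_id, purpose))
        if rec is not None and rec.withdrawn_at is None:
            rec.withdrawn_at = self._now(now)

    def is_permitted(self, customer_id: str, purpose: str) -> bool:
        """Gate every processing operation on this check, per purpose."""
        rec = self._records.get((customer_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        if self.require_double_opt_in and rec.confirmed_at is None:
            return False
        return True

    def evidence(self, customer_id: str, purpose: str) -> Dict[str, object]:
        """What you would hand over to demonstrate (or dispute) consent."""
        rec = self._records[(customer_id, purpose)]
        return {
            "purpose": rec.purpose,
            "notice_text": rec.notice_text,
            "affirmative_action": rec.affirmative_action,
            "given_at": rec.given_at.isoformat(),
            "confirmed_at": rec.confirmed_at.isoformat() if rec.confirmed_at else None,
            "withdrawn_at": rec.withdrawn_at.isoformat() if rec.withdrawn_at else None,
        }


if __name__ == "__main__":
    # Constructed walk-through: consent for the payment itself, none for marketing.
    reg = ConsentRegister()
    reg.record_consent("cust-1", "payment_execution",
                       "We use your account data to execute the payment you requested.",
                       "ticked_box")
    reg.confirm("cust-1", "payment_execution")
    print(reg.is_permitted("cust-1", "payment_execution"))   # True
    print(reg.is_permitted("cust-1", "marketing"))           # False: separate consent needed
    reg.withdraw("cust-1", "payment_execution")
    print(reg.is_permitted("cust-1", "payment_execution"))   # False after withdrawal
    print(reg.evidence("cust-1", "payment_execution"))
```

The design point is that consent is keyed by (customer, purpose): a consent for executing the payment says nothing about marketing, so `is_permitted` answers per purpose, and a withdrawal only flips future checks while the record itself stays as evidence.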
This contribution has been made in conjunction with competition attorney Emilie van Hasselt of Van Hasselt Law who can be reached at email@example.com.
More and more employers get into trouble for not complying with privacy laws. The media loves a good data breach, and you may face serious fines if your department does not comply with the privacy laws. With all eyes on the GDPR, you have a couple of months to become (and stay) compliant with that framework, so let’s get started! Privacy Valley has developed a 10-step method that will help your HR department towards better privacy.
Starting discussions about data privacy and information security in your department is an important first step in becoming compliant and should be an ongoing process. This includes involving relevant stakeholders in determining where you stand right now in terms of compliance and where you want to be and involving stakeholders in the steps described below. Relevant stakeholders could be employees and outside staff working in your department, the data protection officer, the Legal counsel and IT departments, employee representatives and relevant external suppliers.
Communication with your staff also includes training your staff regularly on the requirements of your policies and the law. You should also inform the stakeholders what the risks and repercussions are of any non-compliance with the law, both for your company, the data subjects and the employees themselves.
- You can test your level of compliance and get practical tips on how to improve your compliance and embed it in your HR department with our Checklist: HR Practices
Formally allocating responsibility for data privacy and information security in your department will help you to effectively manage and co-ordinate data protection and make your business more accountable. The allocation of responsibilities should be part of (employment) agreements with your staff. Regular spot-checks of compliance with the duties in such agreements will enhance compliance.
If you have a bigger HR department, it is good practice to appoint a data lead (privacy champion) who acts as a first point of contact for data privacy issues and oversees compliance. The lead should be appropriately skilled and have the necessary authority and resources to fulfill their duties.
Some organizations are obliged to record their personal data processing activities. If this is the case, you should record all your personal data processes in a format as required by the GDPR. But even if this duty does not apply to your organization, describing and analyzing the purpose, scope and legality of your personal data processing activities, is paramount to understanding the risks thereof for the data subjects and your organization, and the measures you should undertake to minimize those risks.
- You can record your data processes with our Checklist: Privacy Register Controller
Once you have described the processes that include the processing of personal data, you should determine if any of these processes are high-risk for the protection of personal data. High-risk activities may require that you undertake some further analysis of the risks involved in the form of a data privacy impact assessment (DPIA or PIA). Common examples of high-risk activities in HR departments are: any use of new technologies, the use of profiling, the processing of information relating to criminal convictions and offences, any systematic (employee)-monitoring in open spaces or individual monitoring.
- Determine if you need to undertake a DPIA with our Checklist: Pre-PIA
- If the Pre-PIA results require you to undertake a PIA, you can use our Checklist: PIA
- If you undertake employee monitoring, you can use our Checklist: Employee Monitoring
Your HR department most likely works with third party suppliers who process personal data on your department’s behalf. Think about a payrolling company or a pension provider, the supplier of an HR system, a cloud storage provider, company medical services, IT services to monitor employees, etc.
In addition, your department may partner with third parties in the processing of personal data. For example, a talent program which is set up between HR departments of group companies.
For each third party your department works with, you should consider what your role is (customer, supplier, partner, controller or processor) and clearly agree on your respective obligations regarding the personal data. If you work with processors, you should have processing agreements in place that comply with the GDPR. In addition, your department should have active controls in place to ensure it only uses third party processors that provide tangible guarantees in terms of expert knowledge, reliability and resources to implement technical and organizational measures to secure your personal data.
- Analyze your processing agreements with our Checklist: Data Processing Agreement Checker
- Generate new data processing agreements with our Checklist: Data Processing Agreement Generator
Your staff and staff-prospects generally have a right to be actively informed about the details of the processing of their personal data by your organization. This means that at the time of gathering, you should inform them about, inter alia, the type of data that is gathered and how long you will store it for, the sources of your data, other recipients of their personal data and any international data transfer, the contact details of your DPO, the rights they have with respect to your data processing and where they can complain. In specific cases, you may have an overriding interest not to inform staff. This could for example be the case if you are conducting a fraud investigation.
As indicated in step 5, your staff have certain information rights with respect to the processing of their personal data. In addition, your staff may also initiate an access request to know which personal data you process regarding them, they may request rectification of the data you process, request restriction of your processing or object thereto, request erasure or data portability of the data regarding them. If you undertake profiling, e.g. in an automated selection process, or if you undertake certain data processing based on legitimate interest, they have the right to object to this. Your department should have a procedure in place to ensure that all such requests by your staff are assessed and handled adequately and in a timely manner.
- Use our Checklist Data Subject Request Handling (individual request) to register any requests and assess how you should handle an individual employee request.
During the recruitment process a lot of, often sensitive, data is gathered and exchanged. You should ensure that you limit your data gathering to those data necessary for the type of job and the stage in the recruitment process that you are in. For example, if you require background vetting or information about a person’s criminal records, you should carefully consider in which stage of the recruitment process you require these data and what can be done to limit the impact of such a check.
In addition, it’s important that you inform prospects about the type of data you gather, how and for what purpose these data are gathered (see information rights above) and if any automatic decision-making is used in the selection process. The interviewers should be made aware that any interview notes may be accessed by the interviewee. Finally, you should consider that you are required to ensure the safe storage and transit of recruitment data. For example, if you provide the technical means for an online application or require that people submit their application via e-mail, you should ensure the safety and restricted access of the system in which these data are received and stored.
- Review your recruitment processes and get practical tips to improve privacy with our Checklist: HR Practices
One of the ways to minimize risk in relation to personal data is by simply getting rid of personal data you no longer need or are no longer required to keep. This is easier said than done, though. HR records are considered very valuable records, and a lot of organizations are not comfortable with the idea of deleting any data in their HR records. The GDPR, however, requires you to think about retention periods for data and to do exactly that for data that are no longer needed.
This means that you should determine for which purposes you retain personal data and define retention times based on business need and legal requirements. If you no longer have a legitimate purpose for keeping personal data, you should delete these.
It is not generally necessary to seek a worker’s consent to keep employment records. It will usually be sufficient to inform your staff by following Step 5 above. However, the gathering of any sensitive data should be analyzed very carefully. If sensitive data are collected, consent may be necessary. This is mostly the case if the data gathering is not mandatory by law for the employer and there is no other legitimate basis for the data gathering.
Please note that any consent given in the context of an employee / employer relationship is subject to extra scrutiny. The consent must be given freely and comply with the other requirements of the GDPR. In an employer / employee relationship, it may be hard to obtain freely given consent due to the power imbalance in the relationship.
Please note that there are very strict limitations that apply to including health data in employee records. This means you should carefully review your employee records and have a policy regarding the type of health information that may and may not be included there. You should also consider reviewing your occupational health and safety service, any policy regarding sick leave and any sick leave reduction services offered by third parties.
The results of your discussions with the stakeholders should be reflected in tangible rules, a policy with do’s and don’ts on data privacy and information security that everyone in your department can follow. Your policies should include guidelines on how to handle personal data and information security measures that must be followed.
In addition, your employees should understand what a data breach is, and you should have a clear protocol for data breaches.
- You can check your information security measures by using our Checklist: Cyber Security Quickscan. For a more comprehensive check, you can use our Checklist: Information Security Measures.
- Data breaches may be analyzed and recorded using our Checklist: Data Breaches.
All the Checklists referred to in this article are part of Privacy Valley’s compliance management software, which can be accessed at www.privacyvalley.com. For a free software demo, please contact us at firstname.lastname@example.org or click on this link.