Blogs and News

We make topical legal issues easy for you to understand.

Eveliina Puustjärvi - August 24, 2017 at 2:01 PM

What Are the Data Protection Principles Under the GDPR?

The EU General Data Protection Regulation (GDPR) brings the most far-reaching changes to European data protection law since the 1990s. Many of the GDPR’s data protection principles derive from the Data Protection Directive (DPD), which the GDPR is set to repeal in May 2018. However, some principles found in the GDPR have been refined further, both to reflect the technological developments since the DPD was passed and to better meet the requirements for privacy protection in the digitised world of today and tomorrow. Even though the changes to the data protection principles may not be fundamental in nature, they do reinforce the significance of these principles for data processing.


Topics: data protection, data privacy

Eveliina Puustjärvi - May 24, 2017 at 3:12 PM

Data Portability Under the GDPR


Topics: data protection, data privacy

Eveliina Puustjärvi - March 14, 2017 at 4:00 PM

Does the proposed ePrivacy Regulation signal the end of spam?


Topics: data privacy

Eveliina Puustjärvi - March 2, 2017 at 11:49 AM

What does the GDPR’s entry into force NOT require?

The EU General Data Protection Regulation (GDPR), which must be applied from May 2018, is a complex and much-discussed regulatory reform. Even data protection experts have had a lot to learn amid the winds of change. The majority of articles, seminars and teaching materials have focused on what the Regulation will change and what companies should consider so that their practices are consistent with the GDPR by 25 May 2018, when the two-year transition period ends and the Regulation must be applied.


Topics: data protection, data privacy

Heli Gummerus - February 23, 2017 at 9:12 AM

Does my company need a Data Protection Officer?

The EU Data Protection Regulation, which came into force last spring, has caused a flurry of activity in many companies as they prepare for the new requirements. Preparations should be completed by 25 May 2018 when the Regulation becomes applicable at the end of a two-year transition period. However, the somewhat unclear wording of the Regulation is causing interpretation problems. Companies are waiting for more detailed practical guidance regarding, for example, the appointment of Data Protection Officers.

The EU Data Protection Working Party (WP29) released three guidelines in December in response to this wait, one of which concerns Data Protection Officers. On 24 January, the Data Protection Office of the Ombudsman also published a guide on preparing for the Regulation, which is directed at controllers and was drawn up in collaboration with the Ministry of Justice. The guide briefly discusses the appointment, role and responsibilities of a Data Protection Officer. You should continue to actively follow information on this topic, as further advice and changes to national legislation will be added during the transition period. The interpretation of the Regulation will also be refined in the long term through case law.

The Data Protection Officer according to the new Regulation

Appointing a Data Protection Officer is mandatory for the controller and the processor when:

a) a public sector operator other than a court is concerned
b) the organisation’s core tasks involve processing personal data in a way that requires regular, large-scale and systematic monitoring of data subjects
c) the organisation’s core tasks consist of large-scale processing of special categories of personal data or of data relating to criminal convictions and offences.

Point b) in particular has caused confusion because of its circular wording. The WP29 guidelines have clarified the interpretation of this point through examples. A company must also appoint a Data Protection Officer when processing personal data is not itself one of its core tasks, but carrying out those core tasks requires collecting personal data. An example of this is a hospital whose core mission is to provide health care: to fulfil that mission, the hospital must collect personal data. By contrast, delivering support functions such as payroll and IT support does not require the appointment of a Data Protection Officer, even though personal data is collected in connection with these functions.

The guidelines specify that large-scale processing refers to the number of data subjects rather than to the size of the organisation. Thus, even a small company is obliged to appoint a Data Protection Officer if it processes the personal data of a large number of data subjects. Regular and systematic monitoring, in turn, refers to, for example, monitoring that takes place over the Internet, such as behaviour-based advertising and location-based services. Further examples can be found in the guidelines.

A Volunteer Data Protection Officer?

If the company is not obliged under the Regulation to appoint a Data Protection Officer, it is still recommended that it determines who is responsible for considering data protection issues in the company's activities. This person could also act as the contact person for questions concerning the rights of data subjects and for regulatory supervision.

I recommend that companies avoid referring to the volunteer contact person as the Data Protection Officer, so that the role is not confused with that of the compulsory Data Protection Officer, whose role and function have to follow certain requirements. At the same time, it would be good to document in writing the reasons why the company has decided that an official Data Protection Officer is not required. Regardless of whether the Data Protection Officer role is compulsory or voluntary, he or she is not personally responsible for complying with the Regulation. This responsibility is always with the controller or processor.


Topics: data protection, data privacy
