Sirius Legal eTrade Summit 27 September 2016

Impact on e-commerce of the GDPR- Etrade Summit 2016


Page 1: Impact on e-commerce of the GDPR- Etrade Summit 2016

Sirius Legal, eTrade Summit, 27 September 2016

Page 2: Impact on e-commerce of the GDPR- Etrade Summit 2016

2016’s Marketing buzz…

Page 3: Impact on e-commerce of the GDPR- Etrade Summit 2016

New “Privacy Law” coming your way…

General Data Protection Regulation (EU) 2016/679 (GDPR/AVG)
Regulation instead of Directive: one law for all 28 member states
Political agreement reached in December 2015

In force since 24 May 2016, applies from 25 May 2018 (no grace period after that date!)

New rules are MUCH stricter than current law and impact EVERYONE present here today

Page 4: Impact on e-commerce of the GDPR- Etrade Summit 2016

General Data Protection Regulation

Heavily influenced by consumer protection activists in the European Parliament
Result: consumer friendly, but serious restraints for the direct marketing sector, the e-commerce sector and especially personalisation, profiling, real-time marketing and (big) data processing
Applicable to ALL processing of personal data, except purely personal or household use (e.g. a private Outlook contact list)

Page 5: Impact on e-commerce of the GDPR- Etrade Summit 2016

Don’t be this guy, be prepared…

All e-commerce and online marketing run on personal data

GDPR applies to ALL databases (marketing, sales, HR, purchasing, accounting, …)

In the words of the European Commission: “data has become a currency” (cfr. Draft Directive 2015/0287 on digital content delivery contracts)

Fines up to 20 million euro or 4% of worldwide annual turnover, whichever is higher

Page 6: Impact on e-commerce of the GDPR- Etrade Summit 2016

Security & internal processes

1. Working with subcontractors that process data

Obligation to work only with subcontractors (processors) that guarantee sufficient data security
Obligation to have written contracts with all such subcontractors
List of mandatory clauses in such contracts (art. 28 GDPR)

= Need to audit/map all existing subcontracting/service contracts

Page 7: Impact on e-commerce of the GDPR- Etrade Summit 2016

Security & internal processes

2. Record of processing activities

Obligation to maintain a "record of processing activities" (art. 30 GDPR)
Holding the identity of the controller/processor, the data processed, categories of data subjects and recipients, transfers, retention time limits and security measures
In writing (electronic form allowed), kept at the seat of your company and available to the authority on request

Page 8: Impact on e-commerce of the GDPR- Etrade Summit 2016

Security & internal processes

3. Data security measures

"The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk" (art. 32 GDPR)
Pseudonymisation and encryption where possible, ongoing confidentiality, integrity and availability, backups and the ability to restore, regular security testing, …

= Need to audit/map data within company
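What "pseudonymisation where possible" means in practice for an e-commerce customer table, as an added example that is not part of the Sirius Legal deck. The customer records and the candidate e-mail list are constructed sample data; the secret key would in production live in a secrets store, separate from the analytics copy. The point the code makes: an unkeyed hash of an e-mail address is not a pseudonym, because anyone with a list of plausible addresses can recompute it, whereas a keyed HMAC keeps the table linkable per person only for the key holder, who can still find and erase one person's rows.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the deck): a minimal e-commerce customer table.
CUSTOMERS = [
    {"id": 1, "email": "Alice@example.com", "postcode": "2000", "orders": 7},
    {"id": 2, "email": "bob@example.com",   "postcode": "9000", "orders": 1},
    {"id": 3, "email": "carol@example.com", "postcode": "2000", "orders": 3},
]


def _normalise(email: str) -> bytes:
    # Case and whitespace normalisation so one person always maps to one pseudonym.
    return email.strip().lower().encode("utf-8")


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256 of the address. Looks anonymous but is not: anyone able to
    enumerate plausible e-mail addresses recomputes the hash and links it back."""
    return hashlib.sha256(_normalise(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. The key is the 'additional information'
    that must be kept separately (art. 4(5) GDPR); without it a guessed address
    cannot be turned into the matching pseudonym."""
    return hmac.new(key, _normalise(email), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Build the copy handed to analytics/marketing: direct identifiers (id, email)
    are dropped, the keyed pseudonym keeps rows of the same person linkable."""
    return [
        {"pid": keyed_pseudonym(r["email"], key),
         "postcode": r["postcode"], "orders": r["orders"]}
        for r in records
    ]


def reidentify_by_guessing(pids, candidate_emails, pseudonym_fn):
    """Dictionary attack available to anyone holding only the analytics copy:
    recompute pseudonym_fn over candidate addresses and match. Returns pid -> email."""
    lookup = {pseudonym_fn(e): e for e in candidate_emails}
    return {p: lookup[p] for p in pids if p in lookup}


def erase_subject(analytics, email: str, key: bytes):
    """Key-holder operation: locate and remove one person's rows in the pseudonymised
    copy (e.g. to honour an erasure request) without that copy ever holding the
    address. Returns (remaining_rows, removed_count)."""
    target = keyed_pseudonym(email, key)
    remaining = [row for row in analytics if row["pid"] != target]
    return remaining, len(analytics) - len(remaining)


def demo():
    key = secrets.token_bytes(32)  # production: fetched from a secrets store, never stored with the data
    analytics = pseudonymise(CUSTOMERS, key)
    guesses = [c["email"] for c in CUSTOMERS] + ["dave@example.com"]  # constructed attacker wordlist

    # Unkeyed hashes: every customer is recovered from the wordlist.
    naive_pids = [naive_pseudonym(c["email"]) for c in CUSTOMERS]
    hit_naive = reidentify_by_guessing(naive_pids, guesses, naive_pseudonym)

    # Keyed pseudonyms: nothing is recovered, neither with plain hashing nor with a wrong key.
    keyed_pids = [r["pid"] for r in analytics]
    wrong_key = secrets.token_bytes(32)
    hit_keyed = reidentify_by_guessing(keyed_pids, guesses, naive_pseudonym)
    hit_wrong = reidentify_by_guessing(keyed_pids, guesses, lambda e: keyed_pseudonym(e, wrong_key))

    # The legitimate key holder still finds Alice, whatever the spelling of her address.
    remaining, removed = erase_subject(analytics, "  ALICE@example.com ", key)
    return {
        "naive_recovered": len(hit_naive),
        "keyed_recovered_without_key": len(hit_keyed) + len(hit_wrong),
        "removed_on_erasure": removed,
        "rows_left": len(remaining),
        "email_in_copy": any("email" in row for row in analytics),
    }


if __name__ == "__main__":
    print(demo())
```

The analytics copy is still personal data under the GDPR (it can be re-identified by whoever holds the key), so pseudonymisation reduces the risk and supports the art. 32 security obligation but does not take the data outside the Regulation; rotating the key also breaks linkability across old and new copies, which is a feature for retention limits and a bug for longitudinal analytics, so decide the key lifetime before the first export.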

Page 9: Impact on e-commerce of the GDPR- Etrade Summit 2016

Security & internal processes

4. Data Protection Impact Assessment

If the processing is likely to result in a high risk to the privacy rights of data subjects
Obligation to run a prior (documented) impact assessment (art. 35 GDPR)
Advice of the DPO required if a DPO is present in the organisation
Should be used as the basis to ensure adequate security levels
Privacy Commission to specify when a DPIA is required
If the DPIA shows a residual high risk: prior consultation of the Privacy Commission (art. 36 GDPR)

Page 10: Impact on e-commerce of the GDPR- Etrade Summit 2016

Security & internal processes

5. Data breach notification

Obligation to notify any personal data breach to the Privacy Commission (art. 33 GDPR), unless the breach is unlikely to result in a risk for data subjects
Without undue delay and, where feasible, within 72 hours of becoming aware of it
Nature of the breach, likely consequences, measures taken, etc. (= obligation to document every data breach, including those not notified)
= Need to have a data breach procedure in place

If the breach is likely to result in a high risk for data subjects: obligation to notify them directly as well (art. 34 GDPR)!

Page 11: Impact on e-commerce of the GDPR- Etrade Summit 2016

Security & internal processes

6. Data Protection Officer

Mandatory (art. 37 GDPR) if the core activity of the controller/processor:
requires regular and systematic monitoring of data subjects on a large scale, or
consists of large scale processing of special categories of data

Series of requirements and conditions; details to be specified

Inform & advise, monitor compliance, SPOC for authorities

Page 12: Impact on e-commerce of the GDPR- Etrade Summit 2016

Information obligations & rights of data subjects

1. Lawfulness of processing ("on which grounds can I process data?") (art. 6 GDPR)

Prior opt-in (consent) remains the basic rule (+ proof of consent required)
"Processing is necessary for the performance of a contract"

"Legitimate interests"
Direct marketing "may be regarded as" a legitimate interest (recital 47), but "personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means" (recital 39)
If there is an existing client relationship: OK; otherwise not so evidently OK

Page 13: Impact on e-commerce of the GDPR- Etrade Summit 2016

Information obligations & rights of data subjects

2. Processing of data belonging to a minor (under 16, member states may lower this to 13) (art. 8 GDPR)

Consent for online services offered directly to a child requires authorisation by the holder of parental responsibility!

"Reasonable efforts" (taking available technology into account) to verify age and obtain that authorisation

eID?, Facebook login?, credit card data?, live chat, …?

Page 14: Impact on e-commerce of the GDPR- Etrade Summit 2016

Information obligations & rights of data subjects

3. Information obligations

Obligation to inform the data subject that his data has been collected (or transferred) when the data was not obtained from him directly (art. 14 GDPR)

Within a reasonable period, at the latest within one month, or upon first contact with the data subject or first disclosure to another recipient

= Data obtained from data brokers, partner organisations, online collection…

Page 15: Impact on e-commerce of the GDPR- Etrade Summit 2016

Information obligations & rights of data subjects

3. Information obligations (art. 14 GDPR)

Obligation falls if

The data subject already has the information, or
Providing the information proves impossible or would involve a disproportionate effort (= open door to creativity…)

Page 16: Impact on e-commerce of the GDPR- Etrade Summit 2016

Information obligations & rights of data subjects

4. Right to object to processing and profiling (art. 21 GDPR)

On grounds relating to his particular situation, the data subject has a right to object against

Processing (including profiling) based on: public interest / official authority, or legitimate interests

Objection against processing/profiling for direct marketing purposes is always possible (no justification needed)

Page 17: Impact on e-commerce of the GDPR- Etrade Summit 2016

Information obligations & rights of data subjects

5. Right not to be subject to automated decision-making (art. 22 GDPR)

Right not to be subject to a decision (including profiling) that:
produces legal effects or similarly significantly affects the person
is based solely on automated processing of data
is intended to evaluate certain personal aspects
Exceptions (e.g. necessary for a contract, explicit consent, authorised by law)

Examples (recital 71): performance at work, creditworthiness, reliability and conduct
Also applies to DM "decisions" (e.g. send offer or not)

Page 18: Impact on e-commerce of the GDPR- Etrade Summit 2016

Information obligations & rights of data subjects

6. Right to be forgotten (art. 17 GDPR)

Upon request by the data subject, the controller has to erase the data without undue delay (and take all reasonable measures to make that erasure permanent, including in backups and copies)

+ where the data has been made public: take reasonable steps to inform third parties that hold copies of or links to the data of the request, so that they erase them too

Page 19: Impact on e-commerce of the GDPR- Etrade Summit 2016

Information obligations & rights of data subjects

7. “Pseudonymous data”

8. “Privacy by design”

9. “privacy by default” (cfr. recent Telenet “personalized advertising…”)

10. …

Page 20: Impact on e-commerce of the GDPR- Etrade Summit 2016

Helping hand: Code of Conduct

= "ethical code" of trade associations (art. 40 GDPR)
Contains rules on how their members should handle data
Can be approved by the authorities
The association has to provide control/supervision of compliance

Advantage: once approved can create presumption of compliance with series of obligations for association members

SafeShops is currently investigating possibility to draft code and apply for approval

Page 21: Impact on e-commerce of the GDPR- Etrade Summit 2016

Be prepared…

Follow up on the discussion (e.g. through our website www.siriuslegal.be)
Start an audit of data use within your organisation
Start reviewing vendor contracts (in view of the data security obligation)
Start preparing a full update of policies, contracts and business processes
Put a data breach notification procedure in place
Appoint a (temporary) data protection officer
Put an impact assessment and/or risk analysis policy in place
Create compliance statements for annual business reports
Train staff
Sit back and wait for the final text of the regulation for the final details…

Page 22: Impact on e-commerce of the GDPR- Etrade Summit 2016

Be prepared…

Those who are not prepared face trouble…

Provisions of highest importance (cfr. profiling = high risk processing):
Fines up to 20 million euro
Fines up to 4% of worldwide annual turnover (for undertakings)
whichever of the two is higher

Reform of Privacy Commission will lead to actual enforcement…

+ Remedies for data subject

Page 23: Impact on e-commerce of the GDPR- Etrade Summit 2016

Sirius Legal
Media & advertisement law
IP law
Internet & e-commerce
Privacy & cookies
Gambling law
Travel & consumer protection
Commercial contracts
Corporate, tax, labour, real estate

[email protected]
Twitter: @BartVdBrande
linkedin.com/in/bartvdb