The European Union (EU) General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) (GDPR) applies from 25 May 2018.
The GDPR regulates the processing, by an individual, a company or an organisation, of personal data relating to individuals in the EU.
Although the GDPR is aimed at protecting the personal data of individuals in the EU, it may apply to Australian businesses as well.
This article explains the situations in which an Australian entity may be required to comply with the obligations prescribed by the GDPR, and outlines the main obligations that affected Australian entities will have in that regard.
Outline of the GDPR
The GDPR imposes data protection requirements in addition to those which already exist in the Privacy Act 1988 (Cth). The main purpose of the GDPR is to harmonise data protection law across the EU by replacing the existing national rules made under the Data Protection Directive (95/46/EC).
Although the GDPR resembles the Privacy Act 1988 (Cth), it also includes additional measures aimed at protecting the personal data of individuals in the EU, whether that data is held by a controller or by a processor acting on its behalf.
If an Australian entity is subject to the GDPR regime, it will be required to comply with both the GDPR and the Privacy Act with respect to data protection and data breach notification.
When Do Australian Businesses Need to Comply with the GDPR?
The GDPR applies to ‘controllers’ and ‘processors’ of personal data.
Personal data means any information relating to an identified or identifiable natural person, i.e. a person who can be identified, directly or indirectly, in particular by reference to an identifier (such as a name, an identification number, location data or an online identifier) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1)).
A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7)).
A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8)).
Under Article 3, Australian businesses may need to comply with the GDPR if they control or process personal data and:
- they have an establishment in the EU and the processing takes place in the context of the activities of that establishment, regardless of whether the processing itself takes place in the EU; or
- they offer goods or services to individuals in the EU (irrespective of whether a payment is required). Mere accessibility of a website from the EU is not enough; it must be apparent that the controller or processor envisages offering goods or services to individuals in one or more EU Member States (Recital 23); or
- they monitor the behaviour of individuals in the EU, as far as that behaviour takes place in the EU. Tracking individuals on the internet counts as monitoring, including any subsequent use of processing techniques which profile a natural person, particularly in order to take decisions concerning that person or to analyse or predict their personal preferences, behaviours and attitudes (Recital 24).
Based on the above, an Australian business may be required to comply with the GDPR in the following circumstances:
- if it has an office or other establishment in the EU;
- if its website targets EU customers, for example by enabling them to order goods or services in a language generally used in an EU Member State (other than English) or by enabling payment in Euros;
- if its website mentions customers or users in the EU; or
- if it tracks individuals in the EU on the internet and uses data processing techniques to profile those individuals in order to analyse or predict their personal preferences, behaviours and attitudes.
Some Obligations of Australian Businesses Under the GDPR Scheme
Pursuant to the GDPR, controllers must generally comply with the requirements relating to accountability and governance, in particular:
- comply with, and be able to demonstrate compliance with, the principles relating to the processing of personal data set out in Article 5 of the GDPR (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality);
- implement appropriate and effective technical and organisational measures and be able to demonstrate that processing is performed in accordance with the GDPR (Article 24);
- integrate data protection into their processing activities from the outset and by default, for example by limiting the personal data collected and the period for which it is kept (‘data protection by design and by default’, Article 25);
- carry out a data protection impact assessment before processing where a type of processing is likely to result in a high risk to the rights and freedoms of individuals (Article 35); and
- appoint a data protection officer where Article 37 requires one, namely where the entity is a public authority, where its core activities involve regular and systematic monitoring of individuals on a large scale, or where its core activities involve large-scale processing of special categories of data or data relating to criminal convictions.
In addition to the above, Australian businesses which are covered by the GDPR but not established in the EU are generally required to designate a representative established in one of the EU Member States in which the relevant individuals are located (Article 27). That representative acts as the point of contact for supervisory authorities and individuals in the EU on all issues related to processing under the GDPR. The requirement does not apply where the processing is only occasional, does not include large-scale processing of special categories of data or data relating to criminal convictions, and is unlikely to result in a risk to the rights and freedoms of individuals.
Controllers must use only processors which provide sufficient guarantees to implement appropriate technical and organisational measures such that the processing meets the requirements of the GDPR and protects the rights of individuals (Article 28(1)). The GDPR does not leave this to the parties’ discretion: processing by a processor must be governed by a contract or other legal act that binds the processor to the controller and sets out the subject matter, duration, nature and purpose of the processing and the processor’s obligations (Article 28(3)). Australian controllers should therefore review their existing contracts with third-party processors against those mandatory terms.
In addition to the requirements relating to the handling of personal information, which resemble those of the Privacy Act, the GDPR includes mandatory data breach notification requirements which apply to both controllers and processors. A controller must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33), and must also inform the affected individuals where the breach is likely to result in a high risk to them (Article 34). A processor must notify the controller without undue delay after becoming aware of a breach.
Please also note that the GDPR restricts the transfer of personal data to countries outside the EU (Chapter V).
Personal data may be transferred to a non-EU country or to an international organisation where the European Commission has decided that the destination ensures an ‘adequate’ level of data protection (Article 45). Adequacy is assessed against a wide range of factors set out in the GDPR (including the rule of law, the existence and effective functioning of an independent supervisory authority, and the international commitments of the country concerned), and the decision is made by the European Commission, with the European Data Protection Board providing an opinion. Australia is not currently the subject of an adequacy decision, so transfers of personal data from the EU to an Australian business cannot rely on this ground.
In the absence of an adequacy decision, transfers may be permitted where appropriate safeguards are in place and enforceable rights and effective remedies are available to individuals (Article 46), for example:
- ‘binding corporate rules’ approved by a supervisory authority, for transfers within a corporate group;
- a contract between the parties which incorporates the ‘standard data protection clauses’ adopted by the European Commission, or adopted by a supervisory authority and approved by the Commission;
- an approved code of conduct, together with binding and enforceable commitments by the recipient controller or processor to apply the appropriate safeguards; or
- an approved certification mechanism, together with binding and enforceable commitments by the controller or processor in the third country to apply the appropriate safeguards, including as regards individuals’ rights.
Failing those safeguards, a transfer may proceed only under one of the limited derogations in Article 49, for example where the individual has explicitly consented to the transfer after being informed of its risks.
Failure to comply with the GDPR may result in administrative fines imposed by supervisory authorities of up to 20 million Euro or 4 per cent of the entity’s total worldwide annual turnover for the preceding financial year, whichever is higher, for the most serious infringements (Article 83(5)), and up to 10 million Euro or 2 per cent of turnover for others (Article 83(4)).
Solicitors of Pavuk Legal specialise in Privacy Law and compliance. We can advise you on whether your information handling practices comply with both the GDPR and the Privacy Act, and assist you in implementing the changes necessary to meet the requirements of the GDPR.
Many other essential hot topics for business owners are covered in the book Nobody Else’s Business. Nobody Else’s Business is about helping business owners live the life they want to live, now and in the future. It is the ultimate guidebook for succession planning of modern Australian businesses.
To purchase your own copy of Nobody Else’s Business please follow the link http://www.nobodyelsesbusiness.com.au/