BHL Bogen

BridgehouseLaw LLP - Your Business Law Firm

Thursday, May 31, 2018

I’m a Business and GDPR Applies to Me—Now What?

The General Data Protection Regulation (GDPR) is here! Now, compliance and, thus, the avoidance of hefty penalties should be a concern for any business processing personal data of European Union citizens. Naturally, the first and most important question is: what obligations, if any, are imputed to businesses in regard to EU citizens under the new General Data Protection Regulation (GDPR) scheme? The answer may surprise you: any company, regardless of whether or not the company is physically present in the EU, that processes personal data of natural persons (called “data subjects”) in the European Union (EU) for professional or commercial purposes[1] must comply with GDPR mandates[2]. This includes email-based marketing and newsletters. Interestingly, GDPR’s application to “natural persons” means that data from corporations and other legal entities do not fall within GDPR mandates.[3]
Note also that there may be potential loopholes that allow some entities to fall outside GDPR compliance; however, such possibilities are outside the scope of this article and may or may not actually remove compliance mandates.

Key Compliance Requirements:
Data Audits: Companies should audit personal data and document: what personal data are held; how and where the data were acquired; and with whom the data are shared.[4] If an entity has at least 250 employees or processes certain types of highly sensitive personal data (e.g., religious or political beliefs, and similar), GDPR generally requires that records be maintained as to what is collected and held.[5] This also means information must be kept up-to-date, with inaccurate data being deleted or corrected[6] within the entity’s systems and with any third parties with whom the data have been shared.
Privacy Policies: Privacy policies and notices should be reviewed and potentially updated.[7] Privacy policies should reflect that data are processed in a lawful, fair, and transparent manner.[8] Thus, the following should be addressed to varying degrees based on whether personal data have or have not been obtained from the data subject: (1) the identity and contact information of the controlling or processing entity; (2) the lawful basis for processing the data; (3) that data are being processed and the purpose of the processing; (4) with whom the data will be shared; (5) how long the data will be stored; (6) generally, the rights of the subject and the obligations of the processing or controlling entity, as determined by GDPR; (7) if data will be processed for a different use, thus requiring additional disclosures[9]; and (8) lastly, the policy must be in plain language and easy to understand.[10]
Also, note that where data are obtained from one other than the data subject, the controlling or processing entity must, at specific times in relation to when obtained and in what context, disclose to the data subject that it obtained data.[11]
Essentially, the above means that privacy policies and notices will need to be separate and distinct based upon how and from whom the data were received.
Rights of Individuals: GDPR enumerates a host of rights now enjoyed by data subjects: “the right to be informed; the right to access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and the right not be subject to automated decision-making including profiling”.[12] Thus, generally, GDPR gives data subjects the right to largely restrict, direct, or otherwise control what and how personal data are used. Also note that a data subject has the right to request information about what data an entity possesses regarding the subject. Thus, procedures should be implemented to address such requests fully and in a timely manner.
Lawful Basis or Bases for Processing Personal Data: GDPR requires that, for processing of personal data to occur, a controller or processor must have a lawful basis for doing so.[13] Though only one basis is needed, it may be prudent to have multiple bases for processing personal data. Some such bases are: (1) where consent has been obtained from the data subject; (2) where processing is necessary to perform a data subject’s contract or to perform activities at the request of the data subject prior to forming a contract; and (3) where processing is necessary to further legitimate interests of the controller or a third party, unless the data subject’s interests or rights and freedoms override such legitimate interests.[14]
Also, please remember that there are certain requirements for consent[15]; special rules where children are involved[16]; and special rules for certain types of personal data (i.e., highly personal data (religious beliefs, political beliefs, and others) and some criminal matters).[17]
Data Breach Policies: Generally, GDPR now requires controllers to notify the relevant authorities of any personal data breach “without undue delay” and within 72 hours after learning of the breach where such time period is feasible.[18]
Additionally, where a breach likely brings a high risk to rights and freedoms of data subjects, the breach must be communicated to data subjects without undue delay and in plain language.[19]
Data Protection by Design and Data Protection Impact Assessments: GDPR imparts upon controllers and processors the general requirement to implement necessary technical and organizational steps to create a default system where only the personal data needed for processing are so processed, stored, and accessible.[20] Further, where processing is likely to create high risk to rights and freedoms of data subjects, such as where new technologies are in use, entities must perform a data protection impact assessment.[21]
Data Protection Officers: Where processing is: (1) executed by a public authority or body, other than the courts in a judicial capacity; or (2) executed by entities that, as part of their core activities, monitor data subjects or process personal data on a large scale, GDPR requires the appointment of a data protection officer (DPO) within the organization and the publishing of contact information for the DPO.[22] Articles 38 and 39 of GDPR set forth the scope of the DPO’s work, which is generally to be involved with data protection and compliance within the entity.[23]
Lead Supervisory Authority: If an entity processes personal data in more than one EU member country, the entity should determine which supervisory authority is the lead supervisory authority for compliance with GDPR, as determined by the entity’s primary location.[24]

A Note on Consent:
Consent will likely be one of the predominant legal bases for processing personal data. As such, it is necessary to explore the contours of consent with some specificity.
GDPR inserts a presumption that consent is not freely given.[25] Thus, care should be used in determining if consent is the appropriate legal basis to use in relation to personal data processing.[26] Generally, consent requests must address the following: (1) the entity’s name must be provided (and that of any third parties with access to the data), as well as the purposes, methods, and uses of personal data; (2) the request must be separate and distinct from other terms of use or service (e.g., in a separate document or email); (3) consent should not be a pre-condition to use or service; (4) consent must be a clear and affirmative action (no pre-checked boxes); (5) the request must address each type of processing, if more than one; (6) the request must include information about the right to withdraw consent, and withdrawal must be simple and easy to complete; and (7) the request must be easy to read and understand.[27]
Additionally, consent records for each consent obtained (who, when, what he or she was told, how he or she consented, and whether consent has been withdrawn and, if so, when) must be kept.[28] Reviewing existing consents is strongly encouraged to ensure compliance with GDPR’s new, more stringent consent standards.[29] Lastly, give careful attention to any possible imbalance in the relationship between the controller and data subject (e.g., employer/employee), as this greatly raises the difficulty in achieving true consent under GDPR.[30] The use of consent as a legal basis in such cases should likely be avoided.[31]

[1] GDPR, Recital 18
[2] GDPR, Art. 3(2)
[3] GDPR, Art. 1(1); GDPR, Recital 1; GDPR, Recital 2
[4] Information Commissioner’s Office
[5] Id.
[6] GDPR, Art. 5(1)
[7] See Footnote 4.
[8] See Footnote 6.
[9] GDPR, Art. 13; GDPR, Art. 14
[10] GDPR, Recital 58
[11] GDPR, Art. 14(3)
[12] See Footnote 5; GDPR, Chapter 3
[13] GDPR, Art. 6
[14] Id.
[15] GDPR, Art. 7
[16] GDPR, Art. 8
[17] GDPR, Art. 9; GDPR, Art. 10
[18] GDPR, Art. 33(1)
[19] GDPR, Art. 34
[20] GDPR, Art. 25
[21] GDPR, Art. 35(1)
[22] GDPR, Art. 37
[23] GDPR, Art. 38; GDPR, Art. 39
[24] GDPR, Art. 60; GDPR, Recital 124
[25] GDPR, Recital 43
[26] Information Commissioner’s Office
[27] Id.
[28] Id.
[29] Id.
[30] Id.
[31] Id.

Tuesday, May 29, 2018

Immigration Update

The Department of Homeland Security announced on May 29, 2018 that it plans to end the immigration parole program for international entrepreneurs because “this program is not the appropriate vehicle for attracting and retaining international entrepreneurs and does not adequately protect U.S. investors and U.S. workers employed by or seeking employment with the start-up."

Monday, May 07, 2018

US Supreme Court Upholds Arbitration Provisions for Employment Contracts

On May 21, the United States Supreme Court ruled in a 5-4 decision that companies may continue to use arbitration clauses in employment contracts, a ruling that could affect approximately 25 million employment contracts. The case is the latest attempt by the court to determine the extent to which employers are legally allowed to insist that workplace disputes be resolved through individual arbitration rather than inside a courtroom and to prohibit workers from banding together to take legal action over employment issues.
The decision is the result of a trio of cases in which employees tried to bring class-action lawsuits over the employers’ failure to pay legally required overtime, but the employers argued that the standard hiring agreements, which the employees signed, require them to take their individual cases to private arbitration. This makes it more difficult for employees to pursue minor claims en masse, whether in class actions or in mass arbitration. The legal dispute essentially pits two longstanding laws against each other: the 1925 Federal Arbitration Act, which protects the right to agree to divert court disputes to private arbitration, and the 1935 National Labor Relations Act, which recognizes workers’ rights to form unions and take other collective actions to improve workplace conditions.
In 2011 the Supreme Court ruled in AT&T Mobility v. Concepcion that the Federal Arbitration Act allowed companies to avoid class action lawsuits by insisting on individual arbitration in their contracts with consumers and barring consumers from banding together with other unhappy customers. In the most recent cases, workers argued that their employment contracts differed from contracts between producers and consumers. They claimed that the National Labor Relations Act prohibits class waivers and protects workers’ rights to engage in “concerted activities.” Labor advocates say a ruling against the employees would destroy the incentives lawyers have to investigate and litigate broad-based legal violations in the workplace, including claims of wage discrimination.
The close decision highlights the staunch political differences between the Supreme Court Justices. Justice Anthony Kennedy, who was appointed to the Supreme Court by President Ronald Reagan in 1988, signaled support for individual arbitration, stating that “many of the advantages of concerted action can be obtained by going to the same attorney.” However, the Democrat-nominated Justices opposed the employers’ ability to ban group legal action by workers. Justices Ruth Bader Ginsburg and Sonia Sotomayor warned that confidentiality provisions in certain employment contracts bar workers from sharing information about their grievances.