The General Data Protection Regulation adopted on 27 April 2016 is principally aimed at strengthening the level of protection of personal data by increasing the accountability of those who collect it.
This regulation will apply throughout the European Union from May 25, 2018. Processing operations already in place will, by that date, have to comply with the provisions of the regulation.
Some of the provisions of the regulation are actually already effective in French law since the adoption of Law No. 2016-1321 for the Digital Republic of October 7, 2016, which amended the Data Protection Act of January 6, 1978.
Regardless of their business sector, companies must be aware of the accountability created by the regulation and of the self-directed compliance it requires, both upstream and throughout the life of processing operations, and must therefore review their internal processes accordingly.
1 Organizational and institutional matters
- Companies will deal with a "one-stop shop": the data protection authority of the Member State where their "main establishment" is located (the "lead" authority). In France, this is the CNIL.
- The national protection authorities will be grouped together in a European Data Protection Board (EDPB), which will ensure the uniform application of the law and will replace the current G29 (Article 29 Working Party): companies will thus have a single point of contact for the European Union when they implement cross-border processing.
2 Enhanced consent and transparency required
The consent of the user whose data are collected is at the heart of the regulation: users must be informed of the use of their data and must agree to the processing of their data, or be able to object to it. The expression of this consent must be clear.
The burden of proving consent lies with the data controller.
3 New rights
- The right to data portability: anyone can retrieve the data they have provided in a reusable form and then transfer it to a third party. People must be able to regain control of their data.
- Right of action for associations: associations will now have the possibility of bringing collective actions in the field of personal data protection.
- A right to compensation for damage: anyone who has suffered damage as a result of a violation of the Regulation may claim compensation for the damage suffered from the controller or the processor.
4 Reduced red tape and accountability of stakeholders
In order to ensure optimal protection of the personal data they process, controllers and processors will have to put in place appropriate data protection measures and be able to demonstrate this compliance at all times ("accountability").
- Elimination of the obligation to notify processing to the authority, as long as the processing does not pose a risk to the privacy of individuals.
- For processing currently subject to authorization, the authorization regime may be maintained by national law (for example in the field of health) or will be replaced by a new procedure centered on the privacy impact assessment.
New compliance tools also appear:
- keeping a record of the processing operations carried out
- notification of security breaches (to the authorities and to the persons concerned)
- certification of processing operations
- adherence to codes of conduct
- the Data Protection Officer (DPO)
- Privacy Impact Assessment (PIA)
4.1 Privacy Impact Assessment (PIA)
For all processing presenting a risk, the controller must conduct a full impact assessment, describing the characteristics of the processing, the risks and the measures adopted.
- In particular, this concerns the processing of sensitive data (data revealing racial or ethnic origin, political, philosophical or religious opinions, trade union membership, data concerning health or sexual orientation, and also, newly, genetic or biometric data) and processing based on "the systematic and thorough evaluation of personal aspects of natural persons", that is to say including
4.2 Changes concerning non-EU data transfers
Controllers and processors can transfer data outside the EU as long as they manage these transfers with tools ensuring a sufficient and appropriate level of protection for individuals.
In addition, data transferred outside the Union will remain subject to Union law not only for the transfer itself but also for any further processing and onward transfer.
Thus, apart from transfers based on a European Commission adequacy decision, controllers and processors can set up:
- binding corporate rules (BCR);
- standard contractual clauses approved by the European Commission;
- contractual clauses adopted by an authority and approved by the European Commission.
New tools are also planned:
- for processors: the possibility of setting up binding corporate rules;
- for public authorities: the use of binding agreements;
- for controllers and processors: adherence to codes of conduct or a certification mechanism. Both tools must contain binding commitments.
Finally, a specific authorization from the CNIL is no longer required.
5 Appointment of a data protection officer, mandatory in some cases
Controllers and processors will be required to designate a data protection officer:
- if they belong to the public sector,
- if their core activities lead them to carry out regular and systematic monitoring of people on a large scale,
- if their core activities lead them to process (again on a large scale) so-called "sensitive" data, or data relating to criminal convictions and offenses.
Apart from these cases, the appointment of a data protection officer (shared or external) will also be possible.
The data protection officer is responsible for:
- informing and advising the controller or the processor, as well as their employees;
- monitoring compliance with the European regulation and with national data protection law;
- advising the organization on conducting an impact assessment (PIA) and verifying its implementation;
- cooperating with the supervisory authority and acting as its point of contact.
6 Principle of so-called "minimization" under the responsibility of controllers
Controllers (organizations that determine the purposes and means of processing personal data) must implement all the technical and organizational measures necessary to protect personal data, both from the design of the product or service ("by design") and by default.
They will have to take care to limit the amount of data processed from the outset ("minimization" principle).
7 Obligations specific to processors
These obligations apply to all organizations that process personal data on behalf of another organization as part of a service provision. In particular:
- IT service providers (hosting, maintenance, etc.),
- software integrators,
- IT security companies,
- digital services companies (formerly known as IT services and engineering companies) that have access to the data,
- marketing or communication agencies that process personal data on behalf of their clients.
Processors:
- must take data protection into account from the design of the service or product and by default, and put in place measures to ensure optimal data protection,
- are required to comply with specific obligations regarding security, confidentiality and accountability,
- in particular, have an obligation to advise the controller on compliance with certain obligations of the Regulation (PIA, security breaches, security, destruction of data, contribution to audits),
- must keep a record of the processing activities performed on behalf of their clients and designate a DPO under the same conditions as a controller.
8 Enhanced sanctions
The administrative fines are more severe: depending on the category of the offense, they may reach 10 or 20 million euros or, in the case of a company, 2% to 4% of total annual worldwide turnover, whichever amount is higher.
Controllers and processors may therefore be subject to significant administrative penalties in the event of a breach of the provisions of the Regulation.
The line of conduct for businesses should therefore be to ensure that they have the tools and documentation that will allow them to integrate the new logic of accountability and to respect the new rights of the users whose data are collected and processed.
Their duties are therefore:
- to verify that their processing activities are subject to the provisions of the Regulation,
- to audit their current data protection processes,
- to formalize in writing their relations with their business partners and/or the companies of their group,
- to appoint, if necessary, a Data Protection Officer,
- and to put in place, if necessary, a register of processing operations.
Gwendal Barbaut and Anne Rossoux
Attorneys at law at IPSIDE AVOCAT
ESTABLISHING A SIMPLIFIED PROCEDURE FOR THE GRANT OF PATENTS IN BRAZIL
Due to a large backlog accumulated by the Brazilian Patent Office over several years, substantive examination of the patentability of a patent application by this Office currently does not begin until after 10 years on average.
To remedy this, Brazil will very shortly adopt a regulation introducing automatic patent grant, without substantive examination of patentability, for certain pending applications.
The final text of this regulation is not yet known, but it is likely that the applications concerned will be those filed or having entered the Brazilian national phase before 31 December 2016, which have been published and for which the request for examination has been filed before the entry into force of the new regulation (however, a period of 30 days from the date of entry into force should be available). This simplified procedure should not, however, apply to applications for pharmaceutical products and processes, certificates of addition or divisional applications.
In addition, it should be possible to request that a patent application be excluded from this simplified procedure, within 90 days of the publication by the Brazilian Patent Office of the notice of admission of that application into the simplified procedure.
If you do not wish to benefit from this simplified procedure, it is therefore advisable to identify immediately your pending patent applications in Brazil that may qualify for it, so that you can file a request for exclusion within the prescribed period of 90 days.
In addition, the filing of observations on a third party's patent application, within 90 days of the publication of the notice of admission of that application into the simplified procedure, should lead to the exclusion of that patent application from the simplified procedure. It is therefore advisable to consider immediately the filing of such observations against any third-party patent application pending in Brazil that could be troublesome for you.
We will keep you informed of the exact provisions finally adopted, so that you can define the best strategy to implement regarding patent protection in Brazil.
Industrial Property Attorney (Patents)
On the occasion of this new year, please accept, on behalf of the President and all the employees of IPSIDE, our best wishes for happiness, health and prosperity.
May the year 2018 let you realise, according to your hopes, whatever you desire, both for you and for your loved ones.
Our undertakings: to accompany you, listen to you and constantly improve the services and the quality that you expect from our company.