Brexit: Further details on what to do in case of a deal

In a previous article, we outlined what British citizens need to know (and do) to stay in Luxembourg in the event of a deal or of a no-deal (the article can be found here).

A draft Grand-Ducal Regulation (the “Draft Regulation”) has been published setting out further details on the procedure and the documents to be submitted by British citizens and their family members in the case of a deal.

First of all, the Draft Regulation outlines the procedure for the submission of applications and the issuance of permits for the beneficiaries of the Withdrawal Agreement, i.e.:

  • British nationals residing in Luxembourg at the time of the UK's withdrawal, as well as their family members (regardless of the nationality of the family members);
  • British nationals, and their family members, arriving in Luxembourg as from the date on which the Withdrawal Agreement of 30 March 2019 enters into force and before the end of the transition period, currently set at 31 December 2020 (with the possibility of an extension);
  • family members of a British national in one of the situations described above who arrive in Luxembourg after the end of the transition period.

According to the Draft Regulation, the permit to be issued to British citizens and their family members (if they are British citizens as well) will be valid for 10 years.

The permit to be issued to family members of British citizens who are third-country nationals will be valid for 5 years. The validity of this permit may be shorter if the permit issued to the British citizen on whom they depend is valid for less than 5 years.

If and when the Draft Regulation becomes effective will, of course, depend on the outcome of the Brexit negotiations.

For any questions regarding immigration issues, please do not hesitate to contact us.

Self-employment in Luxembourg for third country nationals

The Grand Duchy of Luxembourg, known among other things for its stability and its strong financial industry, has over the years become a destination of choice for business.

Nationals of an EEA country, as well as Swiss nationals, only have to fulfil very few conditions to open a business or become self-employed in Luxembourg (at least from an immigration law point of view).

The conditions are more restrictive for third-country nationals.

The self-employment permit for third-country nationals is subject to the following requirements. The applicant must:

  • provide evidence that he/she holds the professional qualification required for the activity in question,
  • qualify for a business licence (if the activity is subject to such a licence),
  • have sufficient resources to carry out the contemplated activity, and
  • show that the activity serves the interests of the country.

Whether the contemplated activity serves the interests of the country is assessed in terms of its economic utility, i.e.:

  • a response to an economic need,
  • the integration of the activity in the national or local economic context,
  • the viability and sustainability of the project,
  • job creation,
  • investment (especially in research and development),
  • innovative activity or specialization,
  • or in terms of social or cultural interest.

Once the application has been approved, the third-country national can request the self-employment permit upon proof of appropriate accommodation.

It should finally be noted that a director or manager of a Luxembourg company holding a business licence or an authorisation issued by the Ministry must apply for a self-employment permit if he/she is the legal representative of the company and has no relationship of subordination to it.

If, on the other hand, the director or manager is in a relationship of subordination to the company and has concluded an employment contract with it, he/she must apply for a work permit as an employee instead (which is subject to other requirements, both for the applicant and for the company).

Please do not hesitate to contact us for any further questions.

Brexit: What it means for British citizens working or residing in Luxembourg

The outcome of the Brexit negotiations is still uncertain.

In the meantime, Luxembourg published a bill of law on 8 February 2019 (n°7406) to protect British citizens working as civil servants or government employees in the event of a hard Brexit.

What does it mean for British citizens not working as civil servants in Luxembourg?

There are currently two foreseeable options:

  1. Either the UK remains in the EU or concludes an agreement with the EU ensuring that the same immigration rules continue to apply in the future (as was foreseen by the rejected UK-EU Withdrawal Agreement);
  2. Or the UK and the EU conclude no agreement, which results in a hard Brexit.

In the second scenario, a UK citizen could be treated under Luxembourg law as a third-country national.

The Luxembourg Government announced in January 2019 that British citizens and their family members residing in Luxembourg will be allowed to continue residing in Luxembourg after 29 March 2019 under their current authorisations, which will remain valid until 30 March 2020.

British nationals will however need to apply for a residence permit before 31 December 2019 (the conditions and details of this simplified procedure are yet to be announced).

After that date, unless a different regime is negotiated in the meantime, the rules applicable to third-country nationals would apply to British nationals.

We briefly summarise below the main differences between the obligations of EU citizens and those of third-country nationals wishing to stay in Luxembourg.

Stays of less than 3 months

  1. EU citizens

Every EU citizen has the right to reside freely in Luxembourg for a stay of up to 3 months, provided that he/she holds a valid ID card or passport.

  2. Third-country nationals

Third-country nationals who intend to stay in Luxembourg for a period of less than 3 months are, however, legally required to hold:

  • valid travel documents,
  • a valid passport with a valid visa (unless otherwise provided in a bilateral agreement),
  • valid medical insurance covering Luxembourg,
  • proof of sufficient resources for the duration of the stay and for the return to the country of origin.

This being said, the EU Commission has published a proposal for a regulation exempting British nationals from visa requirements in the Schengen area for stays of less than 3 months (subject to reciprocal visa-free travel to the UK for nationals of the Schengen area).

Stays of longer than 3 months

  1. EU citizens

EU citizens are allowed to stay in Luxembourg for longer than 3 months if they fulfil one of the following conditions:

  • they exercise a remunerated activity in Luxembourg (as an employee or self-employed), or
  • they prove that they have sufficient resources for themselves and their family and have valid health insurance, or
  • they are registered in a public or private educational institution accredited by the Luxembourg authorities in order to pursue studies or professional training, together with proof of sufficient resources and valid health insurance.

Although the authorisation is limited in time, it is renewable, and permanent residence may be requested after 5 years under certain conditions.

  2. Third-country nationals

Third-country nationals are allowed to stay in Luxembourg for longer than 3 months only if they hold one of the following authorisations:

  • Employees (regular, highly qualified or intra-corporate transferee (ICT) workers; see our article here on ICT workers)
  • Sportspeople
  • Students, trainees, pupils or young au pairs
  • Researchers
  • Family members
  • Investors (see our article here on the investor status)
  • Personal reasons

Strict conditions apply to each of these authorisations.

For example, for one of the most common authorisations, that of regular employee, the following conditions must be fulfilled:

  • the job must have been declared vacant with the Luxembourg employment agency (ADEM),
  • the applicant must have all the qualifications required for the job,
  • Luxembourg nationals and EU citizens have priority for the position in question: only if the employer is unable to find a suitable candidate, and after a certain period, may it consider employing a third-country national,
  • the activity exercised must serve the interests of the country.

Conclusion

While the outcome remains uncertain, Luxembourg has already begun preparing a temporary protection regime for British citizens, at least until 2020.

For any questions regarding immigration issues, please do not hesitate to contact us.

State of necessity and road traffic offences

A judgment handed down on 12 July 2010 (Not 20696/09/CC) by the Court of Appeal recalls the conditions under which it is possible to depart from the rules of the Highway Code in a case of necessity.

The driver, a volunteer ambulance worker, was charged with having driven at a speed of 106 km/h where the maximum authorised speed was 50 km/h.

The defendant did not dispute having driven at 106 km/h, but argued for his acquittal on the ground that he had acted in a state of necessity.

The driver explained that, at the time of the speed check, he had to reach the Remich rescue centre (Centre de Secours) in his private car in order to then drive the Remich ambulance to Grevenmacher, where he was to resuscitate a patient using the defibrillator carried on board the ambulance.

The state of necessity on which the defendant relied in seeking his acquittal is the situation of a person who cannot reasonably save a good, an interest or a right other than by committing an act which, taken apart from the circumstances surrounding it, would be an offence (P. FORIERS, De l’état de nécessité en droit pénal, Bruxelles, Bruylant, 1951, p. 7, n° 9).

A state of necessity therefore requires:

  • the threat of an imminent danger, and
  • that the interest sacrificed be of lower value than the right safeguarded and, finally, that it be impossible to avoid the harm by any means other than committing the offence (G. SCHUIND, Traité pratique de droit criminel, p. 172).

The Court of Appeal, like the District Court (Tribunal d’Arrondissement), held that the driver had committed the offence because he had no other means of safeguarding a major interest, namely attempting to rescue a person whose life was established to be at risk.

The state of necessity was therefore upheld.

It should be noted that the driver, with the help of his counsel, had thoroughly documented his case.

The chances of success of such a defence depend on a precise analysis of the specific case and of the evidence that can be produced.

GDPR: New Guideline on territorial scope

The European Data Protection Board (“EDPB”) issued a new draft guideline (“Guideline 3/2018”) on the territorial scope of the General Data Protection Regulation (“GDPR”).

The Guideline 3/2018 brings long-awaited clarifications on questions relating to the criteria of “establishment” and “targeting”, on processing in places where Member State law applies by virtue of public international law (which will not be analysed here), and on the need for a representative for controllers or processors not established in the EU.

As a reminder, Article 3(1) GDPR provides that the Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

With regard to territorial scope, the EU legislator’s intention was to establish a level playing field for companies active in the EU markets, in a context of worldwide data flows.

The territorial scope rests on two main criteria: establishment (1) and targeting (2). If either of these two criteria is met, the relevant provisions of the GDPR apply. Where a controller or processor falls under the GDPR without having an establishment in the EU, it must designate a representative in the EU (3).

(This article gives an overview only of the Guideline 3/2018 and shall not be considered as exhaustive and/or legal advice.)

  • Establishment

The GDPR does not define the term “establishment” for the purposes of Article 3. However, the EDPB recalls that the case law of the ECJ on the interpretation of this term remains applicable (see for example the ECJ judgments in Google Spain and Weltimmo). While the Guideline 3/2018 confirms that the concept of establishment is to be interpreted broadly (and that the legal form of the establishment is irrelevant), it also insists that the concept is not without limits (e.g. the mere fact that an undertaking’s website is accessible in an EU Member State is not sufficient to conclude that it has an establishment there).

Another interesting clarification provided by the Guideline 3/2018 is that processing by the EU establishment itself is not required: it is sufficient that the processing is carried out “in the context of the activities” of that establishment (the EDPB also refers to the applicable EU case law to explain this distinction).

The Guideline 3/2018 further confirms that, for processing “in the context of the activities” of an EU establishment, the location and nationality of the data subjects are not relevant. This means that neither the controller / processor nor the data subjects need to be in the EU for the GDPR to apply, as long as the controller or processor has an establishment there.

  • Targeting

The EDPB recalls that the absence of an establishment in the EU does not mean that a controller or processor is excluded from the scope of the GDPR (it is also recalled, however, that in the absence of an establishment the controller or processor cannot benefit from the one-stop-shop mechanism).

To determine whether the targeting criterion applies (i.e. the criterion applicable to a controller or processor without an establishment in the EU), the EDPB recommends to assess:

  1. whether the processing relates to personal data of data subjects who are in the EU, and
  2. whether it relates to the offering of goods or services to, or to the monitoring of the behaviour of, data subjects in the EU.

  1. Data subjects in the EU

The EDPB recalls that this criterion is not limited by citizenship, residence or any other type of legal status. It must be assessed at the moment when the relevant trigger activity takes place (i.e. the moment when goods or services are offered or the moment when the behaviour is monitored, regardless of the duration of the offer). The EDPB also recalls, however, that the processing alone is not sufficient: the controller or processor must also target individuals in the EU.

Two examples provided in the Guideline 3/2018 help to clarify the distinction:

Example: GDPR is applicable

A start-up established in the USA, without any business presence or establishment in the EU, provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app (the data subjects) once they start using the application in the city they visit, in order to offer targeted advertisements for places to visit, restaurants, bars and hotels. The application is available to tourists while they visit New York, San Francisco, Toronto, London, Paris and Rome. The US start-up, via its city-mapping application, is offering services to individuals in the Union (specifically in London, Paris and Rome). The processing of the EU-located data subjects’ personal data in connection with the offering of the service falls within the scope of the GDPR as per Article 3(2).

Example: GDPR is not applicable

A bank in Taiwan has customers that are residing in Taiwan but hold German citizenship. The bank is active only in Taiwan; its activities are not directed at the EU market. The bank’s processing of the personal data of its German customers is not subject to the GDPR.

  2. Offering of goods and services

The Guideline 3/2018 refers once more to EU law and case law, where these concepts have already been defined, and recalls that payment by the data subject for the goods or services offered is not a criterion for falling within the territorial scope of the GDPR.

The Guideline 3/2018 then mentions that the ECJ case law in Pammer v Reederei Karl Schlüter GmbH & Co and Hotel Alpenhof v Heller (case law on the interpretation of the Brussels I Regulation, which clarifies when a trader is directing its activity towards the Member State of the consumer’s domicile) may be of assistance in determining whether goods or services are offered to a data subject in the EU. The Guideline provides a non-exhaustive list of factors that may be taken into consideration:

– The EU or at least one Member State is designated by name with reference to the good or service offered;

– The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union, or the controller or processor has launched marketing and advertising campaigns directed at an EU country audience;

– The international nature of the activity at issue, such as certain tourist activities;

– The mention of dedicated addresses or phone numbers to be reached from an EU country;

– The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;

– The description of travel instructions from one or more other EU Member States to the place where the service is provided;

– The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;

– The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member states;

– The data controller offers the delivery of goods in EU Member States.

The following examples provided by the Guideline 3/2018 clarify when goods or services are offered to EU data subjects in a manner that renders the GDPR applicable or not:

Example: GDPR is applicable

A website, based and managed in Turkey, offers services for the creation, editing, printing and shipping of personalised family photo albums. The website is available in English, French, Dutch and German and payments can be made in euros or sterling. The website indicates that photo albums can only be delivered by post in the UK, France, the Benelux countries and Germany. In this case, it is clear that the creation, editing and printing of personalised family photo albums constitute a service within the meaning of EU law. The fact that the website is available in four languages of the EU and that photo albums can be delivered by post in six EU Member States demonstrates that there is an intention on the part of the Turkish website to offer its services to individuals in the Union. As a consequence, it is clear that the processing carried out by the Turkish website, as a data controller, relates to the offering of a service to data subjects in the Union and is therefore subject to the obligations and provisions of the GDPR, as per its Article 3(2)(a). In accordance with Article 27, the data controller will have to designate a representative in the Union.

Example: GDPR is not applicable

A private company based in Monaco processes personal data of its employees for the purposes of salary payment. A large number of the company’s employees are French and Italian residents. In this case, while the processing carried out by the company relates to data subjects in France and Italy, it does not take place in the context of an offer of goods or services. Indeed, human resources management, including salary payment by a third-country company, cannot be considered an offer of services within the meaning of Article 3(2)(a). The processing at stake does not relate to the offer of goods or services to data subjects in the Union (nor to the monitoring of behaviour) and, as a consequence, is not subject to the provisions of the GDPR, as per Article 3. This assessment is without prejudice to the applicable law of the third country concerned.

  3. Monitoring of data subjects’ behaviour

The Guideline clarifies that behavioural monitoring can be undertaken not only through the internet (as suggested by Recital 24 GDPR), but also through other types of network or technology (e.g. wearables and other smart devices). Unlike the offering of goods and services, monitoring does not require an “intention to target” to trigger the application of the GDPR; it is sufficient that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data.

The mere collection of data is not automatically considered monitoring. The purpose of the processing needs to be considered (e.g. subsequent behavioural analysis or profiling techniques).

Monitoring activities include, among others:

– Behavioural advertisement

– Geo-localisation activities, in particular for marketing purposes

– Online tracking through the use of cookies or other tracking techniques such as fingerprinting

– Personalised diet and health analytics services online

– CCTV

– Market surveys and other behavioural studies based on individual profiles

– Monitoring or regular reporting on an individual’s health status

  • Representatives of controllers or processors not in the EU

A controller or processor without an establishment in the EU that is subject to the GDPR under Article 3(2) must designate a representative in the EU (Article 27 GDPR). The EDPB clarifies that this obligation is not entirely new, as a similar obligation already existed under the previous Directive 95/46/EC.

It is also clarified that the designation of an EU representative does not constitute an “establishment” within the meaning of Article 3(1) GDPR.

The written mandate given to the EU representative will typically be a service contract concluded with an individual or an organisation (e.g. a law firm, consultancy or private company), provided that the individual or organisation is established in the EU. If the representative is a company or another type of organisation, it is recommended that a lead person (person in charge) within the company / organisation be appointed.

The EDPB also confirms that, in its view, the role of EU representative is not compatible with the role of (external) data protection officer (DPO).

The Guideline 3/2018 also clarifies the obligations and responsibilities of the EU representative.

While not itself responsible for complying with data subject rights, the representative must facilitate communication between data subjects and the controller or processor represented, in order to make the exercise of data subjects’ rights effective. The EDPB further considers that the maintenance of the record of processing activities is a joint obligation of the non-EU controller or processor and its representative: the controller or processor must provide the representative with all accurate and updated information so that the record can also be maintained and made available by the representative.

The EU representative should also perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with the GDPR. In practice, this means that a supervisory authority would contact the representative in connection with any matter relating to the compliance obligations of a controller or processor established outside the Union, and that the representative must be able to facilitate any informational or procedural exchange between the requesting supervisory authority and that controller or processor.

With the help of a team if necessary, the representative in the Union must therefore be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned. The availability of a representative is therefore essential in order to ensure that data subjects and supervisory authorities will be able to establish contact easily with the non-EU controller or processor.

It should however be noted that the concept of the representative was introduced precisely with the aim of ensuring enforcement of the GDPR against controllers or processors that fall under Article 3(2) of the GDPR. To this end, it was the intention to enable enforcers to initiate enforcement action against a representative in the same way as against controllers or processors. This includes the possibility to impose administrative fines and penalties, and to hold representatives liable.

  • Conclusion

The Guideline 3/2018 provides useful insight into the scope of the GDPR for controllers and processors outside the EU and into the role of the EU representative. Unfortunately, the Guideline 3/2018 (in its current draft form) does not specify the consequences for a controller or processor that falls within the scope of the GDPR but does not comply with it, nor how such a third-country controller / processor would be sanctioned. Hopefully the final version of the Guideline 3/2018 will provide some further clarification on this point. The draft version is subject to public comments until 18 January 2019, after which a final version will be published.

Residence permit in Luxembourg for temporary Intra-company transfers (ICT)

Besides introducing a new regime for certain investors, the law of 8 March 2017 (amending the law of 29 August 2008, the “Law of 2008”) introduces a new status for third-country nationals (“TCN”) in the case of a temporary intra-corporate transfer (“ICT”). This new law implements Directive 2014/66/EU on the conditions of entry and residence of TCNs in the framework of an intra-corporate transfer (“Directive 2014/66/EU”).

An intra-corporate temporary transfer is defined by the Law of 2008 (in terms identical to the definition in Directive 2014/66/EU) as the temporary secondment, for occupational or training purposes, of a TCN who, at the time of the application for an intra-corporate transferee permit, resides outside the territory of the Member States, from an undertaking established outside the territory of a Member State, to which the TCN is bound by a work contract prior to and during the transfer, to an entity belonging to that undertaking or to the same group of undertakings which is established in that Member State, and, where applicable, the mobility between host entities established in one or several second Member States.

This new regime applies to qualified executives, experts and trainees (as defined by the Law of 2008).

The application is filed by the host entity, which must, among other things:

  • provide proof that the host entity and the company established in the third country belong to the same undertaking or group,
  • provide evidence of prior employment within the same undertaking or group of at least 3 to 12 months (for managers and experts) or 3 to 6 months (for trainees),
  • provide a work contract containing certain information on the details of the transfer and the working conditions (e.g. duration, location, remuneration, required qualifications).

The authorisation of stay as an ICT is granted for a minimum of 1 year and up to the duration of the assignment (with a maximum of 3 years). For trainees, the authorisation of stay is limited to 1 year.

A new ICT application by the same TCN is possible, but only after a period of 6 months has elapsed between the expiry of the previous ICT work permit and the new application.

Once issued, this authorisation of stay gives the employee and his/her family members the right to reside and work in Luxembourg. The authorisation of stay of the family members expires at the same time as the ICT work permit.

With regard to intra-EU mobility, the ICT regime foresees the following:

For short term mobility:

A TCN that holds a valid ICT work permit of another EU country is entitled to work in Luxembourg in a company part of the same group for a period of up to 90 days in any 180-day period, provided certain notification requirements are fulfilled.

For long-term mobility:

A TCN holding a valid ICT work permit issued by another EU country may also be authorised to work in Luxembourg in a company belonging to the same group for a period longer than 90 days. This, however, requires a separate authorisation; a simple notification to the Luxembourg authorities is not sufficient. In certain cases, the TCN may start working in Luxembourg before the Luxembourg authorities have decided on the application.


Manni Case: Not everyone has the “right to be forgotten”

Mr. Manni was the sole director of Italiana Costruzioni Srl, an Italian building company which was awarded a contract for the construction of a tourist complex.

In 2007, he brought proceedings before the Lecce Court (Italy) against the Lecce Chamber of Commerce, claiming that the properties in the complex were not selling because the companies register showed that he had, in the past, been the sole director and liquidator of another company, Immobiliare e Finanziaria Salentina Srl, which had been declared insolvent in 1992 and struck off the companies register, following liquidation proceedings, on 7 July 2005.

By judgment of 11 August 2011, the Lecce Court ordered the Lecce Chamber of Commerce to anonymise the data linking Mr. Manni to the liquidation of Immobiliare e Finanziaria Salentina Srl and to pay compensation for the damage he had suffered.

The Lecce Chamber of Commerce appealed the decision before the Italian Corte suprema di cassazione (Court of Cassation), which decided to stay the proceedings and refer several questions to the European Court of Justice (“ECJ”), asking, in substance, if the provisions of Directive 68/151 (the first Company Law Directive) and Directive 95/46 ( the EU Data Protection Directive which will be repealed by the EU GDPR as of 25 May 2018)  must be interpreted as meaning that it is mandatory, or, on the contrary, that it is prohibited, for personal data appearing in the register of companies, after a certain period has elapsed and upon the request of the person concerned, to be removed, anonymised or blocked, or made accessible only to a restricted category of third parties, namely those who can demonstrate a legitimate interest in having access to such data.

First of all, the ECJ recalled that the keeping of a companies register by a public authority constitutes “processing of personal data” and that the authority in question is the “controller” within the meaning of the EU Data Protection Directive.

The ECJ then noted that such processing is lawful, as it satisfies several of the grounds for legitimate processing set out in the EU Data Protection Directive.

Finally, the ECJ analysed whether the authority responsible for keeping the register should, after a certain period has elapsed since a company ceased to trade, and on the request of the data subject, either erase or anonymise that personal data, or limit their disclosure.

The ECJ noted that the purpose of the disclosure of the information contained in a companies register is to protect the interests of third parties in relation to joint stock companies and limited liability companies, since the only safeguard these companies offer to third parties is their assets. The ECJ also recalled that the purpose of the First Company Law Directive was to provide legal certainty in dealings between companies and third parties.

The ECJ also found that, even after the dissolution of a company, rights and legal relations relating to that company continue to exist. In the event of a dispute, these data may be necessary to assess the legality of an act carried out on behalf of the company during the period of its activity, or so that third parties can bring an action against the members of its organs or against its liquidators.

In those circumstances, the ECJ held, Member States cannot guarantee to persons whose data are included in the company register a right to have their personal data erased after a certain period of time has passed.

In this case, the ECJ considered that the mere fact that the properties of the tourist complex built by Mr. Manni’s company do not sell because potential purchasers have access to those data in the company register cannot be regarded as a sufficient legitimate interest to limit third parties’ access to data concerning Mr. Manni.

Nevertheless, the ECJ did not completely exclude the possibility that, in specific situations, overriding and legitimate reasons relating to the particular case of the person concerned may exceptionally justify limiting access to the personal data concerning him or her.

National courts facing a similar case in the future will need to assess, having regard to all the relevant circumstances and taking into account the time elapsed since the dissolution of the company concerned, whether there are legitimate and overriding reasons which, as the case may be, exceptionally justify limiting third parties’ access to the data.


Guidelines on Data Protection Impact Assessment for the purposes of GDPR

The European Union’s new General Data Protection Regulation (“GDPR”) was published on 4 May 2016. It will be enforced after a two-year transition, beginning on 25 May 2018, replacing national laws and regulations and reaching all companies that target EU consumers from outside the EU.

GDPR introduces the concept of a Data Protection Impact Assessment (“DPIA”).

The Article 29 Data Protection Working Party (“DPWP”) adopted, on 4 April 2017, guidelines (the “DPIA Guidelines”) to further clarify the concept of DPIA. The DPWP is the European advisory body on data protection and privacy and is composed of a representative of the supervisory authority(ies) designated by each EU country, a representative of the authority(ies) established for the EU institutions and bodies, and a representative of the European Commission.

The GDPR does not give a formal definition of a DPIA, only its minimum content (Article 35(7) GDPR).

The DPWP gives the following definition of a DPIA: a process designed to describe the processing, assess the necessity and proportionality of the processing, and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data (by assessing those risks and determining the measures to address them).

The DPWP explains that DPIAs are important tools for accountability, as they help controllers not only to comply with the requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Regulation. In other words, a DPIA is a process for building and demonstrating compliance.

The DPWP further recalls that, under the GDPR, non-compliance with the DPIA requirements can lead to fines imposed by the competent supervisory authority. Failure to carry out a DPIA when the processing is subject to one, carrying out a DPIA incorrectly, or failing to consult the competent supervisory authority where required, can each result in an administrative fine of up to €10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Since the GDPR only becomes applicable in May 2018, the requirement to carry out a DPIA applies to processing operations that begin after this date.

However, the DPWP strongly recommends carrying out DPIAs for processing operations already underway prior to May 2018.

That being said, the DPWP also indicates that carrying out a DPIA is not mandatory for every processing operation. A DPIA is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons”.

The DPIA Guidelines provide useful information on when processing is likely to present a high risk and, therefore, when a DPIA is required. As a “rule of thumb”, according to the DPWP, a DPIA should be carried out when a processing operation meets at least 2 of the criteria the Guidelines identify as relevant when assessing whether a DPIA is needed.

The DPIA Guidelines provide the following list of concrete examples of situations in which a DPIA may be required:

It should be noted, however, that this list cannot be treated as a strict rule, as several exceptions foreseen by the GDPR may apply.

The DPIA Guidelines also provide insight on when the supervisory authority must be consulted after a DPIA has been carried out. This is the case where the identified risks cannot be sufficiently addressed by the data controller.