
Continuous education is a key to a company's GDPR compliance

At centre stage: Episode #8

Our eighth episode of "At Centre Stage" focuses on a topic heavily linked to consumer rights: data protection. It’s been clear for a while now that personal data protection is not just a problem for the chief data officer or the chief information security officer anymore. It spans the whole organization based on who works with the personal data. Personal data is managed at all levels of the organization – HR, sales, marketing, customer-service, management and so on.

After nearly five years since the implementation of the GDPR, one would think that everything would be running smoothly. But is it?

This is certainly not the case in Slovenia, which is now the only country that hasn’t yet fully incorporated the GDPR into its national law. And that’s why we’ve decided to once again investigate the data protection regulation and try to explain why it is so important for businesses as well as consumers.

Our guests, Tajda Vrhovec, a privacy specialist with extensive experience in insurance and banking, and Amela Žrt, attorney-at-law at CMS Slovenia (who is also a go-to person when it comes to data protection and employment matters), will offer some clarity and guidance about data protection to all businesses operating in the EU, but especially in Slovenia.

Below you can watch the video, listen to the podcast or read the transcript of the lively debate on the topics currently rousing the country’s business, legal and political community.


  • Importance of GDPR compliance for businesses related to protection of consumers rights;
  • The mistakes businesses make most often in the process of becoming GDPR compliant and how to avoid them;
  • The biggest changes we can expect based on the draft Slovenian Personal Data Protection Act;
  • How to ensure that all stakeholders that handle personal data are adequately informed.


Sašo Papp: Hi, everyone. Thanks for joining us for another episode in the At Centre Stage video podcast series. My name is Sašo Papp and I'm your host. In the last episode, we considered the effect the Omnibus Directive will have on the protection of consumer rights in the EU. But we also touched upon the subject of data protection, which is heavily linked to consumer rights. Did you know that in 2023 the GDPR, the EU General Data Protection Regulation, will celebrate its fifth anniversary? One would think that most countries have adapted their national laws to comply with the GDPR, and that more or less everything is running smoothly. But is this really true? Unfortunately, not. Slovenia is now the only remaining country that hasn't yet adapted its national law to fully incorporate the GDPR. 

Once the new National Data Protection Law is adopted, the use of corrective measures under the GDPR will become a hotter topic than it is now. Companies not just in Slovenia but also in other countries are left to their own ingenuity to evaluate the seriousness of the violations of certain provisions. One tool available to them is the CMS GDPR Enforcement Tracker, for example, which offers an overview of fines and penalties that data protection authorities within the EU have imposed under the GDPR. 

That being said, today’s episode will focus on the data protection regulation, why it is so important for businesses as well as consumers and, of course, on the changes that will be brought by the long-awaited Slovenian Personal Data Protection Act, in Slovenian “Zakon o varstvu osebnih podatkov”. My guests today, Tajda Vrhovec, privacy specialist with extensive experience in insurance and banking, and Amela Žrt, attorney-at-law at CMS Slovenia, who is also a go-to person when it comes to data protection and employment matters, will offer some clarity and guidance about data protection to businesses operating in the EU, but especially in Slovenia. Tajda and Amela, thanks very much for joining us. 

Amela Žrt: Thank you.

Tajda Vrhovec: Thanks for having us. 

Sašo Papp: Many companies, especially micro and small companies, would argue that the obligations imposed by the GDPR are a heavy administrative burden for them. I do get them, to be honest. But on the other hand, looking from the consumer's perspective, I must admit that I become quite wary when it comes to sensitive data, for example my financial and health data from the perspective of banks and insurance companies. Why is data protection so important? Tajda? 

Tajda Vrhovec: Well, you know, the financial sector processes really large, diverse and complex data. This includes structured as well as unstructured data, which is used for a really wide range of purposes. Every new product, every process, basically everything that a bank or insurance company does must therefore be evaluated from a data protection perspective. In addition, the insurance sector processes special categories of personal data, such as health data, which requires additional protection. The financial sector is also heavily regulated, and so this special legislation often requires the processing of additional personal data, such as for anti-money-laundering purposes and anti-fraud purposes. Because of this, there is a very high level of awareness of the importance of personal data. All data is carefully mapped and privacy by default and design is fully integrated in all processes.
 
Sašo Papp: But what about small companies? Startups, micro companies that don't have the resources of the big companies. What's the best way to start the process of GDPR Compliance? You probably have some insights into the most common mistakes companies make and how to best avoid them. Amela?

Amela Žrt: Well, the best way to start the process of GDPR compliance is, of course, to map the personal data. I mean the personal data that you process and also the data processing activities. Then, as a company, you should check what you do with this data in terms of: Do you really need this data? Do you have the legal grounds for its processing? How long do you keep this data and why do you keep it for so long? And so forth. This is, of course, a difficult exercise for a lot of companies. But it's important because this exercise actually leads us to a very simple document, the so-called privacy policy, which is a document with which you inform the individuals about how you process their data and for which purposes, before you start with the processing.
 
By doing this, you're actually already fulfilling your other obligation under the GDPR, that is, to notify the individuals about data processing before you start with it. Another important aspect from a data protection point of view is also to have the so-called roles defined: who’s a controller, who’s a processor, who’s a joint controller. This is important because with this you can, as a company, further implement the obligations that you need to fulfil. For example, if you have someone else, another company, processing data on your behalf, let's say that this is your accountant or an external accounting service, then you need to enter into a data processing agreement, and the GDPR explicitly stipulates what such an agreement has to include. So these are just examples of what you need to do to be GDPR compliant. Of course, there is much more than that. But what we notice as lawyers is that a lot of the time small companies are simply not aware of the importance of this first step, the background work for preparing the documents. Usually they just come to us with an existing template, or they want us to draft the policy from scratch without taking the time to do the data mapping and analysis. And, of course, usually they want this to be done very quickly and do not give us the time to do this for them. 

I think small companies are also not that aware of the general principles of the GDPR, such as transparency, data minimization and purpose limitation. Just because you have a certain set of personal data, it doesn't mean that you can use this data outside the purposes for which you have collected it. For example, with reference to data minimization, a simple example would be that companies tend to copy the personal documents used for identifying individuals, whereas you can achieve the same purpose without copying the personal documents: you can simply look into the document and make a note that you looked into it and identified the person. You don't have to, and actually you should not, copy the personal document. Like you mentioned before, my focus of work next to data protection is also employment, and in this respect I notice a lot of mistakes made in relation to video surveillance. A lot of times, companies think that they have video surveillance covered, and the problem appears when they want to use the video surveillance footage in cases where an employee has violated their employment contract. A lot of times they then realise that they don't actually have the video surveillance in place in a legal manner as they should, and that they themselves are in a bigger violation than the employee. They didn't notify the employees in the manner that they should have, or they didn't have valid reasons for introducing the video surveillance, and so forth. These are the main aspects that we notice in our work.
 
Sašo Papp: Thank you, Amela. It’s so funny to me that after so many years that the GDPR has been around, we’re still talking about it, right? Yeah. So if we shift towards the Slovenian regulation: prior to the GDPR, Slovenia already had legislation that regulated data privacy, the Personal Data Protection Act, Zakon o varstvu osebnih podatkov. But with the enforcement of the GDPR, the Slovenian legislation was supposed to undergo some changes to fully comply with the EU regulation. Unfortunately, as I mentioned, nearly five years after the GDPR started to apply, the draft of the Personal Data Protection Act is still waiting to be passed by the government. But looking at the current proposal, what are the biggest changes we can expect? Amela?

Amela Žrt: Well, the concept of the new proposal, the new act (for short we’ll call it ZVOP-2, let's say it like that), is to address the issues and further implement the GDPR, like you mentioned, Sašo. Then there will be some changes related to procedural and other issues and, of course, some national specific features. There will be some changes that are envisaged in terms of defining the principles of legality, fairness and proportionality, to align these definitions more with the GDPR. There will also be some changes related to the terms, to be more aligned with the GDPR. We can expect changes related to the processing of special categories of personal data and data related to criminal convictions and offences. ZVOP-2 will also regulate conditions for data protection officers and data impact assessments, and it will also regulate the rights of data subjects. Last, but not least, of course, it will also regulate how we approach administrative fines. The proposal stipulates that administrative fines under the GDPR will be treated as offences and that the Information Commissioner will be the offence authority. It will also regulate the way in which the level of fines to be imposed for infringements of the GDPR is determined. Further, one of the changes that I would mention is related to traceability. We already have traceability provisions in the existing Personal Data Protection Act, but the new act will regulate this in a slightly different manner. It will regulate measures on the internal traceability of personal data transfers and the so-called external traceability of the processing of personal data, and it will also include specific provisions about the establishment and keeping of log records, that is, processing logs, to ensure this traceability. 
I mentioned earlier also that ZVOP-2 will be also regulating some country specific matters which we already have regulated in the Personal Data Protection Act, and this will be revised of course. Such areas are video surveillance, data of deceased persons and biometrics. For example, when it comes to video surveillance; the provisions in the ZVOP-2 draft are more detailed in comparison to the existing one. 

For example, the law clearly stipulates that a decision on video surveillance must be adopted; the notification of individuals about the video surveillance is different. It's not going to be just the classic sticker that we know, saying that this place is being recorded. Individuals will have to be informed about all the details pursuant to Article 13 of the GDPR. However, controllers will be able to refer individuals to their websites for certain information, so not everything will have to be in this notice. And then there are also some changes related to other provisions. There are more specific provisions on data retention periods, on the scope of data to be processed, and on the keeping of records related to video surveillance in certain situations. Another example of more stringent regulation in comparison to ZVOP-1 are the provisions regarding consultations with the trade unions before the introduction of video surveillance on the work premises. In this case, ZVOP-2 extends this consultation obligation not only to the trade unions but also to the works councils, and it also stipulates a deadline for such a consultation, which was not the case before. It also introduces regulation of video surveillance in public passenger transport vehicles and video surveillance in public areas. These two areas of video surveillance were not regulated specifically in ZVOP-1, so this is new in comparison to that. 

Sašo Papp: Quite a lot of changes.

Amela Žrt: Quite a lot. There is even more, but I think it would be difficult to summarize all [of them] and probably quite boring for the listeners as well. 

Sašo Papp: Tajda, what about biometric data? Are there any developments here as well? 

Tajda Vrhovec: Yes, there are. The general rule, which is that the processing of biometric personal data is not allowed, still applies; however, [the new regulation] does provide a few novelties. In my opinion, for the private sector, the most important changes are that the exemption for processing of biometric data is no longer limited only to employees, but it extends also to customers for the purpose of protecting the accuracy of the customer's identity. Clients’ personal data may be processed based on a statutory provision, a contract or the client's consent, and a very important thing to note is that the customer must still have the option of alternative means of identification, meaning identification without the processing of biometric personal data. Also, the processing of biometric personal data may be carried out in a way that it is under the sole control of the customer. This means that, for instance, a fingerprint is stored only on the customer's device, and the data controller does not have access to this fingerprint. 

Sašo Papp: Okay, Amela, you also mentioned that we expect to see changes in the provisions concerning the establishment and keeping of log records, like processing logs. What is the main change here? And how will that affect day-to-day business operations? 

Amela Žrt: True. So the current law, the Personal Data Protection Act, already regulates the external traceability of the transfer of personal data. For example, which personal data have been transferred, to whom, when and on what basis? All of this is something that you already need to trace. And it also stipulates the period for the external traceability, that is, for as long as legal protection of the individual's rights is possible. The new law regulates this a bit differently. So in addition to the requirements of the current law, it also requires the purpose of the transfer of the personal data. So this is new, and it imposes a two-year period for maintaining traceability, starting at the end of the year in which the data were transmitted. Then there are new provisions related to the so-called internal traceability, and they are stipulated in Article 21, which provides a legal basis for the establishment and keeping of log records and for their use for four categories of so-called special processing. A processing log is a record, often automated, that shows that the data has been processed, when it has been processed, who processed it, which data was processed and to whom it was transmitted. And the new law also states that the external traceability record is not required if the required data can be found in the so-called internal processing log. With these provisions, I would say the companies will face a little bit more of an additional administrative burden to keep all these logs; although, to be honest, this was already in place, and with the new law it's going to be just a little bit different. Let's say that. 

Sašo Papp: Okay, the topic that struck me as odd, let's say in a mild way, correct me if I'm wrong Tajda, is the data of deceased persons. Could you elaborate a bit on this? Which businesses need to be mindful of this provision? 

Tajda Vrhovec: This is a very seasonal topic, since November 1st is coming up, but jokes aside. Information relating to a deceased person does not constitute personal data under the GDPR, so member states may adopt their own rules on this subject. The new law brings some changes in comparison to the old one. The first one [states] that the protection of this data will apply only for 20 years after the death of the data subject. The current law, for instance, does not limit this protection. There are also some changes to the categories of persons who are entitled to receive the personal data of the deceased. Before, these were legal heirs of the first and second order of succession. Now the categories are spouse, cohabiting partner, child, parent or heir. So it's a bit different, but the most important change, in my opinion, is that it will no longer be necessary to demonstrate legal interest to obtain this data. In practice, this part was quite hard to explain to the relatives who were demanding this data. So from a DPO's point of view, this will definitely make some processes easier. Also, one more thing to add: this topic is probably more relevant for bigger controllers who receive many requests of this sort. I don't think that smaller controllers even come into contact with demands of this kind. 

Sašo Papp: OK, can we also touch on the Schrems II ruling, which created a major disruption in the data protection environment because it created significant uncertainty for organizations that have personal data on customers, employees or other so-called data subjects in Europe and also have any connections or data transfers outside the European Union, especially in the U.S.? Amela?

Amela Žrt: True, Sašo, it caused quite a disruption. So for those listening to us who do not know what this ruling was about, here's just a small introduction on transfers to third countries and how this judgement relates to it. A transfer of personal data to third countries occurs when a controller or processor from Slovenia or another EU member state transfers personal data to countries outside the EU or the European Economic Area, or to an international organization. This also includes a situation where access to personal data is granted to organizations, companies or individuals outside the EEA, even if this data is stored within the EEA. Because not all third countries ensure adequate levels of data protection in comparison to the EU, the GDPR envisages certain mechanisms to ensure safe transfers of personal data to such countries. 

Such mechanisms are the so-called adequacy decisions adopted by the European Commission, which basically confirm that a certain country has an adequate data protection level compared to the EU; then the standard contractual clauses, the binding corporate rules and, for transfers to the US, there was a mechanism called the Privacy Shield. So, the Privacy Shield was basically a mechanism ensuring an adequate level of data protection for transfers to the United States. And what happened in the summer of 2020 was that the Court of Justice of the European Union delivered a judgement in the case Schrems II, so this is where the name comes from, which invalidated the Privacy Shield. 

The judgement covered both the validity of the standard contractual clauses and the Privacy Shield framework and basically said that the SCCs, this is the abbreviation for the standard contractual clauses, remain valid, but invalidated the Privacy Shield. So, in essence, that means that for transfers to the US, the controllers have to rely on other mechanisms, particularly the standard contractual clauses or the binding corporate rules. But the judgement didn't stop here. To [cut] a long story short, the standard contractual clauses can be used for data transfers, but the mere conclusion of a contract will not be sufficient for this purpose. This, of course, applies also to the binding corporate rules, and in the case of a transfer of personal data by means of standard contractual clauses, the data exporter will have to assess whether an adequate level of data protection is guaranteed in the third country for the data affected by the transfer. It is not the general level of data protection in the third country that must be assessed, but the specific level of protection for the transferred data. And this assessment is basically something that is causing practical issues for controllers, because if this assessment reveals that the level of protection is not comparable to that in the EU, then the data exporter will have to take additional measures to guarantee the protection of the data before the transfer. 

And if these measures are then not sufficient, personal data may no longer be transferred based on the standard contractual clauses. So just to be clear, this assessment is necessary not only in relation to transfers to the US but also to any third country that is not deemed adequate based on an adequacy decision. 

Sašo Papp: Tajda, your thoughts on this.

Tajda Vrhovec: My thoughts? Well, maybe just that conducting a data transfer impact assessment in practice can be really tricky, because you need to evaluate the law of the third country as well as the practice there. So this can sometimes be really challenging, especially because of the language barrier, because if you don't speak the language of the third country, then it's more difficult to do the research. 

Amela Žrt: Are there any tools that controllers can [use to help with] these types of assessments?

Tajda Vrhovec: I believe there are some tools available online, but I'm not really familiar with any of them. But whatever tool a controller uses, in the end it's the responsibility of the controller. So using third-party tools can also be, um... 

Sašo Papp: Tricky?

Tajda Vrhovec: Yes.

Sašo Papp: It's quite clear that personal data protection is not just a problem for the chief data officer or the chief information security officer anymore. It really spans the whole organization based on who works with the personal data. Personal data is managed at all levels of the organization, from HR, sales, marketing and customer service to management, etc. So how can companies best ensure that all stakeholders that handle personal data are adequately informed of their duties and obligations in this regard? 

Tajda Vrhovec: I think that the only way to achieve GDPR compliance is just continuous training of all employees because, as you said yourself, this is not just the task of the DPO or the compliance function. It's a group effort. So what the DPO or the compliance officer can do is just spread the awareness in the company and make the business functions understand that these rules are not there just to complicate their lives but are also there to protect them. Just achieving that is a great start. 
 

Amela Žrt: Yeah, it’s difficult to say anything other than what Tajda already did. But I think that companies definitely should invest resources and time into educating and training their employees about data protection. As Tajda said, raising awareness of the importance of it is really the key, because if the employees who are processing data within the company are not doing this in a compliant manner, if they are not trained in how to do it in a compliant manner, then the company as an organisation is not compliant. So it really comes down to the point that the training of employees on this topic is not just recommendable but mandatory for the company to be able to prove that it really did everything in its power to ensure data protection compliance. 

Sašo Papp: Let's wrap it up on a positive note. Structural learning processes concerning data protection can save businesses quite a bit of money. Right? Tajda, Amela, it was a pleasure to have you here. 

Amela Žrt: Likewise. Thank you for having us. 

Tajda Vrhovec: Thank you 

Sašo Papp: To all of you who were listening or watching, thanks for joining us. If you would like to watch our previous episodes, you can find them on the CMS website or you can revisit them through your LinkedIn profile. For audio versions of this podcast, just search for At Centre Stage in your favorite podcast app. Until next time. Bye bye. 


Speakers

Amela Žrt
Partner, CMS Slovenia, Ljubljana

Tajda Vrhovec
Privacy specialist, NLB