Over the next few weeks Class 46 will have several posts on the workshops taking place during the MARQUES Annual Conference in Paris. To start with, Sarah Bailey of the MARQUES Regulatory Team previews workshop 2 on how the GDPR affects trade mark business:

On 25 May 2018, the EU General Data Protection Regulation (GDPR) replaced the current EU directive governing data protection, bringing with it certain key changes (see the EU GDPR Portal).

The definition of personal data under the GDPR remains broad, and has in fact been expanded to expressly include information such as online identifiers (e.g. IP addresses or cookie identifiers) – presenting potential issues for any company processing this type of personal data via its website or app. Certain other additions include genetic and biometric data as types of sensitive data.

Although the basic rule of “fair and lawful” processing remains unchanged under the new regulation, individuals must be provided with far more information about the processing of their data, such as the legal basis for processing and how long that data will be retained.

Giving consent

Consent as a justification for processing must be unambiguous, intelligible, informed and explicit – i.e. in plain language. Silence, pre-ticked boxes, inferred consent or inactivity will therefore not constitute consent under the GDPR. Consent given as condition for performance of a contract or where there is a significant imbalance in the relationship of the parties (e.g. employer/employee) is unlikely to constitute valid consent. Companies should therefore be reviewing any existing consent documents in place under the previous EU directive to ensure that they meet the more stringent requirements of the GDPR, if they have not already done so.

The rights of individuals are further enshrined under the new regulation. For example, the degree of information that must be provided under the “right to access” is expanded, along with the introduction of the “right to data portability” – allowing individuals to have their data returned to them in a commonly used, structured format. The much publicised “right to be forgotten” is also extended, with data controllers needing to take reasonable steps to ensure that third parties to whom they have provided the data, erase it.

Data processing

The heavier administrative burdens of the GDPR require companies to put in place additional processes and documentation surrounding data processing activities. The regulation is far more prescriptive as to the systems and controls that must be used to achieve an adequate level of data security. Notably, the GDPR has introduced two broad principles: privacy by design (whereby compliance principles should be built into system/design process from the outset) and privacy by default (namely, that businesses should not collect more information than is needed). Certain types of data controller will also be required to appoint a designated “data protection officer”.

Although data controllers no longer have to notify a data protection authority of the processing of personal data (except in certain limited cases), they will have to conduct (and document) a privacy impact assessment in relation to data processing that is likely to result in a high risk for the rights and freedom of individuals. Such assessment can be a time-consuming and challenging operation. The introduction of more stringent governance procedures means that some data controllers must maintain detailed records of their data processing activities and other related information.

The GDPR applies to all data processed by an entity that either is established in the EU or which has equipment in the EU that processes personal data. Also within the scope of the new regulation are entities located outside the EU if they are found to be monitoring the behaviour of individuals in the EU or are targeting individuals in the EU with the selling of goods or services.

Where there are data breaches, data controllers must inform the regulatory authority and, depending on the severity of the breach, the data subjects themselves. Increased fines under the GDPR for a failure to meet its requirements could lead to companies having to pay the greater of €20 million or 4% of their global annual turnover. The liability for unlawful processing will be jointly shared between a data controller and a data processor.

Find out more

You will be able to learn more about GDPR and how to carry out a compliance programme at the Regulatory Team’s workshop that will take place during the MARQUES Annual Conference in Paris. We have guest speakers from the French Data Protection Authority (CNIL) and the French home appliances group SEB who will provide insight into the new Regulation and how to ensure compliance from the regulator's perspective and what were (are) the main challenges for becoming GDPR compliant from the businesses perspective.

Sarah Bailey is a Partner with Simmons & Simmons LLP in Paris and a member of the MARQUES Regulatory Team