Vietnam | New Decree on Internet Services and Online Information

9 Dezember 2024

  • Vietnam
  • Auslandsinvestitionen
  • Informationstechnologie
  • Privatsphäre - Datenschutz

The Government of Vietnam has issued a new decree governing internet services and online information, which shall come into force on 25 December 2024. Decree No. 147/2024/ND-CP, promulgated on 9 November 2024, supersedes the previous Decree No. 72/2013/ND-CP and its amendments.

This comprehensive legislation, comprising over 200 pages and 62 appended forms, addresses a wide array of internet and online topics. These include inter alia, internet services, domain names, cross-border information provision, social network services, aggregated information websites, online game services, and app store services.

Key Provisions

Cross-Border Information Provision

Offshore service providers, including those offering social network and app store services on a cross-border basis, are subject to stricter requirements if they either lease data storage in Vietnam or meet a threshold of 100,000 or more total visits per month from Vietnam for six consecutive months. These providers must:

  1. Notify the Authority of Broadcasting and Electronic Information (ABEI) of their contact information
  2. Monitor and remove illegal content
  3. Store and manage user data as required
  4. Authenticate social network user accounts using Vietnamese mobile numbers or identification numbers
  5. Submit annual and ad hoc reports to the ABEI
  6. Handle user complaints

Only cross-border providers who have notified the ABEI of their contact details may offer live stream and revenue-generating services. Non-compliance may result in blocks and penalties.

Social Networks

Decree 147 establishes distinct regimes for offshore and onshore social network services:

  1. Offshore providers meeting the aforementioned threshold must notify the ABEI of their contact information.
  2. Onshore providers reaching 10,000 total visits per month for six consecutive months or 1,000 regular users per month must obtain a Social Network Licence.
  3. Other onshore providers with low traffic must obtain a Notification Certificate from the ABEI.

The decree also regulates livestream activities by stipulating conditions for social network service providers to offer livestream functions and for social network accounts to conduct livestream activities.

Online Games

Foreign organisations and individuals are prohibited from providing online games to service users in Vietnam on a cross-border basis. To offer such services, they must establish a local enterprise in Vietnam.

This new decree is expected to have a significant impact on both onshore and offshore service providers in the respective fields and may tighten the regulatory landscape for internet services and online information provision in Vietnam.

Are insurers liable for breach of the GDPR on account of their appointed intermediaries?

Insurers acting out of their traditional borders through a local intermediary should choose carefully their intermediaries when distributing insurance products, and use any means at their disposal to control them properly. Distribution of insurance products through an intermediary can be a fast way to distribute insurance products and enter a territory with a minimum of investments. However, it implies a strict control of the intermediary’s activities.

The reason is that Insurers in FOS can be held jointly liable with the intermediary if this one violates personal data regulation and its obligations as set by the GDPR (Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).

In a decision dated 18 July 2019 , the CNIL (Commission Nationale Informatique et Libertés), the French authority in charge of personal data protection rendered a decision against ACTIVE ASSURANCE, a French intermediary, for several breaches of the GDPR.  The intermediary was found guilty and fined EUR 180,000 for failing to properly protect the personal data of its clients. Those were found easily accessible on the web by any technician well versed in data processing. Moreover, the personal access codes of the clients were too simple and therefore easily accessible by third parties.

Although in this particular case insurers were not fined by the CNIL, the GDPR considers that they can be jointly liable with the intermediary in case of breach of personal data. In particular, the controller is liable for any acts of the processor he has appointed, this one being considered as a sub-contractor (clauses 24 and 28 of the GDPR).

This illustrates the risks to distribute insurance products through an intermediary without controlling its activities. Acting through intermediaries, in particular for insurance companies acting from foreign EU countries in FOS under the EU Directive on freedom of insurance services (Directive 2016/97 of 20 January 2016 on insurance distribution) requires a strict control through enacting contractual dispositions whereas are defined:

  1. a clear distribution of the duties between insurer and distributor (who is controller/joint controller/processor ?) as regards technical means used for protecting personal data (who shall do/control what ?) and legal requirements (who must report to the authorities in case of breach of security/ who shall reply to requests from data owners?, etc.);
  2. the right of the insurer to audit the distributors’ technical means used for this protection at any time during the term of the contract. In addition to this, one should always keep in mind that this audit should be conducted efficiently by the insurer at regular times. As Napoleon rightly said: “You can govern from afar, but you can only administer closely”.

The concept of privacy by design has been around for a few decades. Although it has been referred to in studies since the 1970s and present in legislation since as far as the early 1990s, it was consolidated only in 2009 with the work of Ann Cavoukian, the Information & Privacy Commissioner of Ontario, Canada

 

This author defined the seven foundational principles of privacy by design: (i) to be proactive not reactive, preventative not remedial; (ii) privacy as the default setting; (iii) privacy embedded into design; (iv) full functionality – positive-sum, not zero-sum; (v) end-to-end security – full lifecycle protection; (vi) visibility and transparency – keep it open; and (vii) respect for user privacy – keep it user-centric.

 

After being adopted as a privacy standard by the International Data Protection and Privacy Commissioners in 2010, privacy by design was also included in the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016). However, in the GDPR (article 25) it no longer remains as a mere principle. Instead, it has become a mandatory legal obligation and failure to comply can lead to severe administrative fines (article 83/4/a).

 

Regarding privacy by design, the GDPR establishes that the data controller shall implement the appropriate technical and organisational measures designed to implement data protection principles in an effective manner and to integrate the necessary safeguards into the processing. The appropriate technical and organisational measures are to be determined taking into account (i) the nature, scope, context and purpose of processing, (ii) the risks for rights and freedoms, (iii) the state of the art, and (iv) the cost of implementation.

 

Regarding privacy by default, the GDPR establishes that the controller shall implement the appropriate technical and organisational measures to ensure that, by default, (i) only the necessary data is processed, (ii) only to the necessary extent of processing, (iii) is only accessible by the necessary individuals, and (iv) is only stored by the necessary period of time.

 

Both privacy by design and privacy by default are established around the idea of the implementation of the appropriate technical and organisational measures to safeguard the personal data protection principles and rules. The GDPR provides some examples of these measures (such as pseudonymisation, encryption, anonymisation), but it is not a catalogue for these measures or other privacy enhancing technologies (PET) and the provided examples should not be seen as mandatory measures.

 

Clear guidance on privacy by design and by default is not to be found in the GDPR and it is a work in progress by all the community and parties involved. But the GDPR has the clear intention of impacting the core of the digital age system, reshaping its values regarding privacy.

 

The success of this ambition is uncertain, but some important challenges are already very clear, such as the role of the producers of products, services and applications, the integration of data protection principles in the design of User Experience (UX) and User Interface (UI) and also in the software development planning (agile and scrum, for instance).

 

In the meantime, examples of the real impact of privacy by design and by default are coming to light. In 2018, Valve changed the privacy settings of the users of the gaming platform Steam, making games owned private by default. As a direct consequence, the analytics activity provided by SteamSpy and other similar companies was severely damaged.

 

Privacy by design certainly is, for those closely involved in the design process of products, services and applications, one of the most interesting and challenging topics in personal data protection.

On 25 May 2018, the EU Regulation 2016/679 came into force, concerning the „protection“ of personal data (hereinafter the „Regulation“ or „GDPR“). It is a Community legislative instrument aimed at strengthening the right of natural persons to have their personal data protected, which has been elevated to „fundamental right“ in the Charter of Fundamental Rights of the European Union (Article 8 paragraph 1) and in the Treaty on the Functioning of the European Union (Article 16 paragraph 1).

The Regulation has a direct application in Italian law and does not require any implementation by the national legislator. These provisions prevail over national laws. From a practical standpoint, this means that, in the event of a conflict between a provision contained in the Regulations and one provided for in the „old“ Legislative Decree 196/2003, the earlier would prevail over the latter.

The GDPR consists of 99 articles, of which only some constitute an in comparison with the preceding regime and bear specific relevance for the owners/managers of accommodation facilities.

Indeed, the first novelty concerns the „explicit consent“ for the processing of „sensitive“ data and the decisions based on automated processing (including profiling -Article 22- ). It is, in fact, necessary for the client to express his consent in relation to the processing of these data independently of that relating to other data. The consent obtained before 25 May 2018 remains valid only if it meets the requirements below.

It is required, for example, that the data owners modify their websites or promotional newsletters addressed to the customers. The latter need to be aware of the purposes for which the data is collected and of rights to which they are entitled. In order to subscribe to the newsletter, only the email address should be necessary, and if the owners request for more data, the purposes of such request ought to be specified. Before sending the subscription request, the customer must give his consent and accept the privacy policy. The privacy statement must be clearly accessible from the home page of the website. In particular, as to the newsletter, the privacy policy must also be indicated and linked in the relevant registration box.

Substantial changes were also introduced in relation to the duties of the Data Controller and the Data Processor. Both profiles are important in the hotel industry.

Now the Data Controller must (i) be able to prove that the data subject has consented to a specific processing, (ii) provide the contact details of the Data Protection Officer, (iii) declare the eventual transfer of the personal data towards third countries and, if so, through which means the transfer takes place, (iv) specify the retention period of the data or the criteria employed to establish the retention period, as well as the right to file a complaint with the supervisory authority; (v) indicate whether the processing involves automated decision-making processes (including profiling), and the expected consequences for the data subject concerned.

The Data Protection Officer (“DPO”), on the other hand, is a professional (who can be internal or external to the structure) who guarantees the observance of the rules of the GPDR and the management and processing of the data.

According to the new Regulation, the duties of this professional concern: (i) the keeping of the data processing reports (pursuant to Article 30, paragraph 2, of the Regulation), and (ii) the adoption of suitable technical and organisational measures to get the safety of the procedures (pursuant to Article 32 of the Regulation).

The name of the DPO must be indicated in the privacy policy to be delivered to the customer. The relationship between the data protection officer and the data controller is governed by a contract that must strictly regulate the subjects set forth in paragraph 3 of the article 28 in order to demonstrate that the manager provides „sufficient guarantees“ for the correct management and processing of data. The Officer can appoint a „sub-manager“ but only for limited processing activities, in compliance with the provisions of the contract, and responds to the non-compliance of the sub-manager.

In light of these provisions, the hotels will then have to make a more careful assessment of the risk deriving from data processing, prepare a detailed procedure as to enable the constant monitoring on, amongst others, the suitability of the treatment, and promptly notify a breach of the security procedure which involves the accidental disclosure of data, adapt its information to be delivered to the customer.

Finally, it is worth noting that the penalties for violations of the GDPR can be very significant and reach up to 4% of the company’s turnover. As such, they are far more severe than those previously specified. It is, therefore, necessary to pay close attention to compliance with the GDPR since an incorrect or defective application can cause severe prejudices to the company.

The author of this post is Giovanni Izzo.

The General Data Protection Regulation (EU regulation 2016/679) comes into force on May 25, 2018. It applies to all processing, whether automated or not. The most extraordinary part of the regulation, however, is its territorial field of application. Many believed that the virtual world had wiped out borders with the biggest players in the internet world having developed a quantity of arguments, in particular in tax matters, to escape from local legislation. Europe therefore decided to set the record straight. The message is clear, whether you are in America, in Asia or elsewhere, you must comply with the rules when processing the personal data of European residents. The high cost of the sanctions mean that this new legal framework must be taken very seriously. The maximum fine has been fixed at 4% of turnover for the preceding year, which is 2017 for any businesses that are sentenced in 2018. For example, the maximum risk for the GAFAs, if they do not comply with the Regulation, could be estimated as follows: for Amazon 7.1 billion for turnover of around 178 billion (higher than the profit…); for Apple, 5.6 billion for a turnover of around 141 billion; for Google, 4  billion for a turnover of around 100 billion and for Facebook, 1.28 billion for a turnover of around 32 billion (in dollars).

The limited territorial field of application of the preceding directive

European directive 95/46EC of October 24, 1995, transposed in France by law n° 2004-801 of August 6, 2004, updated the French data protection act (loi Informatique et Libertés) 78-17 of January 6, 1978.

The Directive may of course apply to Data Controllers who are not established on the territory of the European Union, but it obliges them to use a means of processing situated in the territory of the European Union.

It came to light that many processors were managing to avoid the European data protection regulations on the basis of the extraterritoriality of their processing.

For many years Google claimed that the data it collected in France and in Europe were not governed by French regulations but by Californian regulations since the company and its servers were based in California.

As the aim of the European Commission is to protect personal data, the new Regulation should rectify this shortcoming.

The extraterritorial field of application of the Regulation 

Starting from May 25, 2018, the European Regulation will be applicable to all processing of personal data for which the Data Controller or the Data Processor (in general the IT service provider) is established in the European Union, irrespective of whether or not the processing itself takes place within the European Union.  

The Regulation also provides for its application in cases where the Controller or Processor are not established in the European Union when the processing targets a data subject situated in the European Union, irrespective of the nationality of the person concerned.  

Controllers or Processors established in the European Union

The notion of establishment is not defined in the Regulation.  It has been interpreted extensively by the French and European courts, which give priority to a functional analysis based on the effective and real exercise of activity through a stable arrangement.

Establishment has already been judged to exist through the presence in the Member State concerned of a representative, a bank account and a letter box (CJEU October 1, 2015, Weltimmo).

Furthermore, the legal form of such an establishment is not decisive. Consequently, the processing of personal data carried out by a simple branch, which has no legal personality, by a non-European Controller, must be carried out in accordance with the Regulation.

Controllers or Processors not established in the European Union

When the Controller or Processor is not established in the European Union and has no establishment there, the Regulation applies when the processing relates to persons situated in the European Union and when the processing activities are linked to an offering or the monitoring of internet users in the 28 countries making up the European Union, comprising 520 million inhabitants.

  • (i) To the offering of goods or services destined to these persons, whether these services are free or paying services

The Regulation does not contain any definition of the offering of goods and services but it provides indications making it possible to characterise such an offering (whereas clause n°23), such as the use of the language or currency generally used in one or more Member States with the possibility of ordering goods and services in this language or even the mention of clients or users situated in the European Union.

However, the mere accessibility of a website, e-mail address or other contact details is insufficient to ascertain this intention.

In other words, it is necessary to check the intention of the Data Controller with regard to the persons concerned. Did he intend to offer goods or services to the persons concerned in the European Union or not?

  • (ii) To the monitoring of the behaviour of these persons, if this behaviour takes place in the European Union.

In particular, the Regulation provides for the profiling of a natural person in order to make decisions concerning him/her or to analyse or predict his/her personal preferences, behaviour and attitudes.

These two conditions (i) and (ii) are alterative and not cumulative.

What about the transfer of the personal data outside the European Union?

In principle, the transfer of personal data outside the European Union is prohibited. The aim is to protect personal data against data havens which apply more flexible regulations in this respect.

There are many exceptions to the principle:

    1. Transfer of data towards countries belonging to the European Economic Area

These countries have signed an agreement with the European Union through which they have adopted personal data protection regulations.

    1. Transfer of data towards countries with an adequacy agreement

Certain countries are recognised by the European Union as having regulations on the protection of personal data that are equivalent to European regulations.

    1. The transfer of data towards countries that have signed standard contractual clauses or BCR (“Binding Corporate Rules”)

These are countries for which no adequacy decision has been made or which have no personal data protection regulations. The idea is therefore to establish contractual rather than legal protection for data through standard clauses or an agreement within a group of companies.

Standard contractual clauses

Standard clauses have been drafted by the European Commission and are accessible via its website. These are agreements concluded between the Data Controller and the Processor established abroad either in the framework of an IT service agreement or in the context of the sending of personal data to a group subsidiary or entity.

Currently, the Data Controller may obtain authorisation from the national regulatory authority (CNIL in France) before using these clauses. This request for authorisation will be discontinued as of May 25, 2018.

Binding Corporate Rules (BCR)

BCR concern groups of companies exclusively. A charter is adopted within the group under the terms of which all the group subsidiaries and entities undertake to comply with the European data protection regulations.

Once the charter has been drafted, it is submitted for authorisation to the European data protection authorities via a mutual recognition system.

This request for authorisation will be maintained after May 25, 2018.

    1. Transfer of personal data towards the USA: the “Privacy Shield” system

This is an international agreement between the European Union and the American Federal Trade Commission (FTC) which American companies are free to adhere to. Under the terms of this agreement, the FTC undertakes to ensure that the companies that sign up to this system comply with the data protection rules contained in this international agreement.

To conclude, the aim of the European Regulation on the protection of personal data is to apply to companies all around the world which process the personal data of European residents.

It puts an end to the hide-and-seek of forum shopping which, for all services supplied on-line, made it possible to choose the most favourable and least strict country to develop a company’s economic model.

The level of sanctions removes any doubt as to the firmness with which this new framework is going to be implemented. It generates risks that can hardly be considered as minor.

It requires an in-depth thought process and the implementation of a compliance project for any company that uses the personal data of persons situated in one of the 28 European Union countries comprising 520 million inhabitants.

The author of this post is Thierry Aballéa.

The application of the General Data Protection Regulation (“GDPR”), in force since 25 May 2018, will oblige companies to deal with issues concerning IT security and liability for collection and storage of personal data, without the possibility of any further hesitation. Privacy protection will become an important part of corporate culture and will have to be necessarily managed from the top levels, i.e. the managing director as well as the management team. Employees will also be involved in this awareness process through adequate training on such matter. Companies should set forth order and priorities of some data-related procedures, in accordance with privacy by design and privacy by default principles. In other words, such companies should ensure data protection from the onset of the product phase or service ideation and design, opting for behaviors that are aimed to prevent possible issues affecting personal data.

An even wider definition of personal data

The concept of “personal data” refers to all the information that identifies or makes a person identifiable and provides details related to his/her features, habits, life-style, personal relationships, health and economic conditions. Also, the definition of “personal data” becomes even wider and more well-structured when considering electronic communications with new technologies including geolocation bearing significant weight.

This transition, certainly problematic, introduces new challenges and opportunities, and highlights the question of data protection as a fundamental human right at the center of the international debate and digital policies. This results in a significant turning point. In fact, digitalization has caused several information security issues, which until a few years ago could be handled by national authorities in each single EU country, and now require a more focused and structured legal framework. The induction of platforms such as SaaS (Software as a Service) and the cloud computing growth have completely changed the scenario.

Therefore, the European Data Protection Supervisor (EDPS) positively dealt with the request to reform the legal framework on personal data protection in 2011, since the existing legislation was no longer appropriate.

Even though it is way too early to predict the impact of such privacy regulation, we believe that it is interesting to focus on certain general considerations and some of the GDPR’s outcomes in the international scenario.

The potential applicability of the GDPR worldwide

Certainly, one of the important changes brought about by the GDPR is its potential applicability worldwide: the regulation thus overcomes European borders in the name of personal data protection.

Such regulation, in fact, not only applies to all cases where data are handled by EU based companies, but in all cases where a company, even though not EU based, also deals with EU based individuals’ personal data, within the scope to offer them goods or services or to monitor their behavior in the EU.

Consequently, in the light of the above, all foreign companies still pursuing to offer and provide their services to EU-citizens cannot avoid complying with the GDPR.

Furthermore, even UK organizations may be forced to comply with the regulation to protect UK citizens’ personal data and maintain their competitiveness in the EU market, for reasons of opportunity and convenience, apart from compulsoriness as above described and, in any case, for as long as Brexit does not materialize.

The lack of connection with the data location

The regulation not only limits foreign companies that deal with EU citizens’ personal data, but also aims to govern all the processing of personal data, irrespective of the place where such data are located. It therefore provides that all the personal data processing made by EU based companies will be subject to the GDPR, regardless of the fact whether such processing is carried out within or outside the EU.

From a legal point of view, such data will be in the spotlight and subjected to this new regulation rather than to national laws. This means that the physical position loses relevance before the aim to grant interested individuals with a greater control on the information that is collected, processed and used by third parties.

For sure companies may stop their business with EU citizens in order to avoid compliance with the GDPR principles, but such choice should be correctly made: i.e. the GDPR’s application should be taken into account when a company provides a web service which is available also to EU citizens.

The disposition of strict fines

The fines for companies that are not in compliance with such regulation can amount to up to 4% of their global revenue and up to Euro 20 million. The relevance of such measures drew attention of all the parties, particularly in the US where organizations have a strong presence in the EU. Furthermore, the GDPR applies to organizations of any dimension and to both individual enterprises as well as large companies.

The forward-looking companies started to set forth their compliance programs immediately after the EU regulation announcement, but this appears complex and as a result meeting the set deadline called for 25 May could be difficult.

According to PwC’s reports, 9% of US companies declare to have allocated more than 10 million dollars with the aim to obtain such compliance.

Some compliance requirements for companies

  • Accountability principle: data processing needs to be carried out by recorded procedures, regardless of the fact that such procedures will be managed by the companies or by third parties on their behalf. Doing so will make the data controller responsible and oblige him to be compliant with the GDPR.
  • Risk based approach: the driving force of such a regulation is the aim to make companies responsible, which are therefore asked to comply with the GDPR principles by adopting a new risk based approach and risks assessment.
  • Clear and concise consent: much attention is paid to the consent of personal data processing, which should be clear, concise, distinguishable and unequivocal.
  • Data protection by design and by default: privacy management and implementation executed by means of default settings since the design phase; it means that companies should take into account the personal data protection, from the beginning a product, service or app is designed and developed.
  • Right to be forgotten: individuals are entitled to obtain, without delay, that their data is deleted by the data controller when certain conditions- provided by the GDPR -are met, such as for example when data become redundant and no longer necessary, or regarding the aims for which data have been collected or in the event when the individual’s consent is withdrawn.
  • Right to data portability: individuals are entitled to receive their personal data in a frequently-used, well-structured and machine-readable format, so as to transfer such data to another data controller, excluding any possible encumbrance by the former data controller.
  • Appointment of an EU Representative: the Representative should act on behalf of the data controller or the data processor and may be questioned by any surveillance Authority.

How to make the transition process easier?

The EU regulation relating to personal data protection requires a strong legal formation and, at the same time, tremendous technical implementation skills on the basis of the ongoing digitalization processes and use of even more innovative and complex technologies.

In such regard, companies may rely on professionals who are able to provide multidisciplinary services and consultancy, not only of a legal and IT nature, but who can exchange and implement synergies between professionals and business workers such as engineers and mathematicians.

Consequently, this burdensome commitment to follow the GDPR together with the obligation to comply with the law shall also enable companies to combine the aforesaid skills and join forces to commence a transition process that will ensure and ultimately result in growth.

The author of this post is Giorgio Piccolotto

Less than one year from now, on May 25, 2018, the new European Regulation on the protection of personal data (EU) 2016/679 will come into force. Whatever its size or business activity, every company has to process personal data files at some point.

The new sanctions provide a strong incentive to prepare organisations for compliance with the new legal framework in twelve months’ time.

Non-European undertakings must also be particularly careful regarding these new measures, the principal aspects of which are summarised below.

Extraterritorial application

The Regulation applies to personal data processing when the controller is established on the territory of the European Union.

If the controller is not established in the European Union, the Regulation applies when data processing involves persons situated within the European Union and when the processing is linked to the offering of goods or services to such persons.  Non-EU companies must appoint a representative for this purpose.

The right to data portability and appointment of a DPO

This new right enables a person to recover the data that he has supplied in a form that is easily reusable, such as a USB key for example. Companies must get organised in order to be able to satisfy these portability requirements.

Appointment of a Data Protection Officer

Companies must appoint a DPO (Data Protection Officer), successor to the CIL (Correspondant Informatique et Libertés) who is appointed based on his professional skills (legal and technical), his independence and his accessibility in order to ensure compliance.

We would like to point out that a specialist lawyer should be authorised to carry out this role provided relevant Bar rules do not prevent it.

Sanctions

These measures must imperatively be respected at the risk of seeing heavy sanctions imposed.

Depending on the category of infraction, these sanctions may amount to:

  • 10 to 20 million euro; or
  • 2% to 4% of annual world revenues,

The higher of the above two amounts is applied.

Recommendations

To ensure that your practices comply with the new legislation, it is necessary to:

  • Set in motion an internal project dedicated to compliance with the new legislation within the next 9 months;
  • Anticipate the obligations specified by the Regulation;
  • Budget for the right to data portability and the position of DPO;
  • Organise, for SME, the sharing of the DPO position with other companies.

The author of this post is Thierry Aballéa.

Federico Vasoli

Tätigkeitsgebiete

  • Unternehmen
  • Auslandsinvestitionen
  • Fusionen und Übernahmen
freight container

The Milestone EU-Mercosur Trade Deal

  • Vertrieb
  • Auslandsinvestitionen
  • Argentinien
  • Brasilien
  • Italien
  • Uruguay
Vietnam - Legalmondo

Vietnam Tackles Global Minimum Tax Implications

  • Unternehmen
  • Auslandsinvestitionen
  • Vietnam
energy - legalmondo

Incentives for green hydrogen production in Egypt

  • Agentur
  • Auslandsinvestitionen
  • Ägypten
gdpr - legalmondo

GDPR – Privacy by design and by default

  • Privatsphäre - Datenschutz
  • Europa
  • Portugal
venice - legalmondo

Application of GDPR to hotel businesses

  • Privatsphäre - Datenschutz
  • Tourismus
  • Italien
gdpr- legalmondo

GDPR – Entry into force and field of application

  • Privatsphäre - Datenschutz
  • Italien

Schreiben Sie an Federico





    Legalmondos Datenschutzbestimmungen lesen.
    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

    Insurance in FOS (Freedom of Service) – Joint liability with intermediaries for violation of GDPR

    26 November 2019

    • Vertrieb
    • Versicherung
    • Privatsphäre - Datenschutz

    The Government of Vietnam has issued a new decree governing internet services and online information, which shall come into force on 25 December 2024. Decree No. 147/2024/ND-CP, promulgated on 9 November 2024, supersedes the previous Decree No. 72/2013/ND-CP and its amendments.

    This comprehensive legislation, comprising over 200 pages and 62 appended forms, addresses a wide array of internet and online topics. These include inter alia, internet services, domain names, cross-border information provision, social network services, aggregated information websites, online game services, and app store services.

    Key Provisions

    Cross-Border Information Provision

    Offshore service providers, including those offering social network and app store services on a cross-border basis, are subject to stricter requirements if they either lease data storage in Vietnam or meet a threshold of 100,000 or more total visits per month from Vietnam for six consecutive months. These providers must:

    1. Notify the Authority of Broadcasting and Electronic Information (ABEI) of their contact information
    2. Monitor and remove illegal content
    3. Store and manage user data as required
    4. Authenticate social network user accounts using Vietnamese mobile numbers or identification numbers
    5. Submit annual and ad hoc reports to the ABEI
    6. Handle user complaints

    Only cross-border providers who have notified the ABEI of their contact details may offer live stream and revenue-generating services. Non-compliance may result in blocks and penalties.

    Social Networks

    Decree 147 establishes distinct regimes for offshore and onshore social network services:

    1. Offshore providers meeting the aforementioned threshold must notify the ABEI of their contact information.
    2. Onshore providers reaching 10,000 total visits per month for six consecutive months or 1,000 regular users per month must obtain a Social Network Licence.
    3. Other onshore providers with low traffic must obtain a Notification Certificate from the ABEI.

    The decree also regulates livestream activities by stipulating conditions for social network service providers to offer livestream functions and for social network accounts to conduct livestream activities.

    Online Games

    Foreign organisations and individuals are prohibited from providing online games to service users in Vietnam on a cross-border basis. To offer such services, they must establish a local enterprise in Vietnam.

    This new decree is expected to have a significant impact on both onshore and offshore service providers in the respective fields and may tighten the regulatory landscape for internet services and online information provision in Vietnam.

    Are insurers liable for breach of the GDPR on account of their appointed intermediaries?

    Insurers acting out of their traditional borders through a local intermediary should choose carefully their intermediaries when distributing insurance products, and use any means at their disposal to control them properly. Distribution of insurance products through an intermediary can be a fast way to distribute insurance products and enter a territory with a minimum of investments. However, it implies a strict control of the intermediary’s activities.

    The reason is that Insurers in FOS can be held jointly liable with the intermediary if this one violates personal data regulation and its obligations as set by the GDPR (Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).

    In a decision dated 18 July 2019 , the CNIL (Commission Nationale Informatique et Libertés), the French authority in charge of personal data protection rendered a decision against ACTIVE ASSURANCE, a French intermediary, for several breaches of the GDPR.  The intermediary was found guilty and fined EUR 180,000 for failing to properly protect the personal data of its clients. Those were found easily accessible on the web by any technician well versed in data processing. Moreover, the personal access codes of the clients were too simple and therefore easily accessible by third parties.

    Although in this particular case insurers were not fined by the CNIL, the GDPR considers that they can be jointly liable with the intermediary in case of breach of personal data. In particular, the controller is liable for any acts of the processor he has appointed, this one being considered as a sub-contractor (clauses 24 and 28 of the GDPR).

    This illustrates the risks to distribute insurance products through an intermediary without controlling its activities. Acting through intermediaries, in particular for insurance companies acting from foreign EU countries in FOS under the EU Directive on freedom of insurance services (Directive 2016/97 of 20 January 2016 on insurance distribution) requires a strict control through enacting contractual dispositions whereas are defined:

    1. a clear distribution of the duties between insurer and distributor (who is controller/joint controller/processor ?) as regards technical means used for protecting personal data (who shall do/control what ?) and legal requirements (who must report to the authorities in case of breach of security/ who shall reply to requests from data owners?, etc.);
    2. the right of the insurer to audit the distributors’ technical means used for this protection at any time during the term of the contract. In addition to this, one should always keep in mind that this audit should be conducted efficiently by the insurer at regular times. As Napoleon rightly said: “You can govern from afar, but you can only administer closely”.

    The concept of privacy by design has been around for a few decades. Although it has been referred to in studies since the 1970s and present in legislation since as far as the early 1990s, it was consolidated only in 2009 with the work of Ann Cavoukian, the Information & Privacy Commissioner of Ontario, Canada

     

    This author defined the seven foundational principles of privacy by design: (i) to be proactive not reactive, preventative not remedial; (ii) privacy as the default setting; (iii) privacy embedded into design; (iv) full functionality – positive-sum, not zero-sum; (v) end-to-end security – full lifecycle protection; (vi) visibility and transparency – keep it open; and (vii) respect for user privacy – keep it user-centric.

     

    After being adopted as a privacy standard by the International Data Protection and Privacy Commissioners in 2010, privacy by design was also included in the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016). However, in the GDPR (article 25) it no longer remains as a mere principle. Instead, it has become a mandatory legal obligation and failure to comply can lead to severe administrative fines (article 83/4/a).

     

    Regarding privacy by design, the GDPR establishes that the data controller shall implement the appropriate technical and organisational measures designed to implement data protection principles in an effective manner and to integrate the necessary safeguards into the processing. The appropriate technical and organisational measures are to be determined taking into account (i) the nature, scope, context and purpose of processing, (ii) the risks for rights and freedoms, (iii) the state of the art, and (iv) the cost of implementation.

     

    Regarding privacy by default, the GDPR establishes that the controller shall implement the appropriate technical and organisational measures to ensure that, by default, (i) only the necessary data is processed, (ii) only to the necessary extent of processing, (iii) is only accessible by the necessary individuals, and (iv) is only stored by the necessary period of time.

     

    Both privacy by design and privacy by default are established around the idea of the implementation of the appropriate technical and organisational measures to safeguard the personal data protection principles and rules. The GDPR provides some examples of these measures (such as pseudonymisation, encryption, anonymisation), but it is not a catalogue for these measures or other privacy enhancing technologies (PET) and the provided examples should not be seen as mandatory measures.

     

    Clear guidance on privacy by design and by default is not to be found in the GDPR and it is a work in progress by all the community and parties involved. But the GDPR has the clear intention of impacting the core of the digital age system, reshaping its values regarding privacy.

     

    The success of this ambition is uncertain, but some important challenges are already very clear, such as the role of the producers of products, services and applications, the integration of data protection principles in the design of User Experience (UX) and User Interface (UI) and also in the software development planning (agile and scrum, for instance).

     

    In the meantime, examples of the real impact of privacy by design and by default are coming to light. In 2018, Valve changed the privacy settings of the users of the gaming platform Steam, making games owned private by default. As a direct consequence, the analytics activity provided by SteamSpy and other similar companies was severely damaged.

     

    Privacy by design certainly is, for those closely involved in the design process of products, services and applications, one of the most interesting and challenging topics in personal data protection.

    On 25 May 2018, the EU Regulation 2016/679 came into force, concerning the „protection“ of personal data (hereinafter the „Regulation“ or „GDPR“). It is a Community legislative instrument aimed at strengthening the right of natural persons to have their personal data protected, which has been elevated to „fundamental right“ in the Charter of Fundamental Rights of the European Union (Article 8 paragraph 1) and in the Treaty on the Functioning of the European Union (Article 16 paragraph 1).

    The Regulation has a direct application in Italian law and does not require any implementation by the national legislator. These provisions prevail over national laws. From a practical standpoint, this means that, in the event of a conflict between a provision contained in the Regulations and one provided for in the „old“ Legislative Decree 196/2003, the earlier would prevail over the latter.

    The GDPR consists of 99 articles, of which only some constitute an in comparison with the preceding regime and bear specific relevance for the owners/managers of accommodation facilities.

    Indeed, the first novelty concerns the „explicit consent“ for the processing of „sensitive“ data and the decisions based on automated processing (including profiling -Article 22- ). It is, in fact, necessary for the client to express his consent in relation to the processing of these data independently of that relating to other data. The consent obtained before 25 May 2018 remains valid only if it meets the requirements below.

    It is required, for example, that the data owners modify their websites or promotional newsletters addressed to the customers. The latter need to be aware of the purposes for which the data is collected and of rights to which they are entitled. In order to subscribe to the newsletter, only the email address should be necessary, and if the owners request for more data, the purposes of such request ought to be specified. Before sending the subscription request, the customer must give his consent and accept the privacy policy. The privacy statement must be clearly accessible from the home page of the website. In particular, as to the newsletter, the privacy policy must also be indicated and linked in the relevant registration box.

    Substantial changes were also introduced in relation to the duties of the Data Controller and the Data Processor. Both profiles are important in the hotel industry.

    Now the Data Controller must (i) be able to prove that the data subject has consented to a specific processing, (ii) provide the contact details of the Data Protection Officer, (iii) declare the eventual transfer of the personal data towards third countries and, if so, through which means the transfer takes place, (iv) specify the retention period of the data or the criteria employed to establish the retention period, as well as the right to file a complaint with the supervisory authority; (v) indicate whether the processing involves automated decision-making processes (including profiling), and the expected consequences for the data subject concerned.

    The Data Protection Officer (“DPO”), on the other hand, is a professional (who can be internal or external to the structure) who guarantees the observance of the rules of the GPDR and the management and processing of the data.

    According to the new Regulation, the duties of this professional concern: (i) the keeping of the data processing reports (pursuant to Article 30, paragraph 2, of the Regulation), and (ii) the adoption of suitable technical and organisational measures to get the safety of the procedures (pursuant to Article 32 of the Regulation).

    The name of the DPO must be indicated in the privacy policy to be delivered to the customer. The relationship between the data protection officer and the data controller is governed by a contract that must strictly regulate the subjects set forth in paragraph 3 of the article 28 in order to demonstrate that the manager provides „sufficient guarantees“ for the correct management and processing of data. The Officer can appoint a „sub-manager“ but only for limited processing activities, in compliance with the provisions of the contract, and responds to the non-compliance of the sub-manager.

    In light of these provisions, the hotels will then have to make a more careful assessment of the risk deriving from data processing, prepare a detailed procedure as to enable the constant monitoring on, amongst others, the suitability of the treatment, and promptly notify a breach of the security procedure which involves the accidental disclosure of data, adapt its information to be delivered to the customer.

    Finally, it is worth noting that the penalties for violations of the GDPR can be very significant and reach up to 4% of the company’s turnover. As such, they are far more severe than those previously specified. It is, therefore, necessary to pay close attention to compliance with the GDPR since an incorrect or defective application can cause severe prejudices to the company.

    The author of this post is Giovanni Izzo.

    The General Data Protection Regulation (EU regulation 2016/679) comes into force on May 25, 2018. It applies to all processing, whether automated or not. The most extraordinary part of the regulation, however, is its territorial field of application. Many believed that the virtual world had wiped out borders with the biggest players in the internet world having developed a quantity of arguments, in particular in tax matters, to escape from local legislation. Europe therefore decided to set the record straight. The message is clear, whether you are in America, in Asia or elsewhere, you must comply with the rules when processing the personal data of European residents. The high cost of the sanctions mean that this new legal framework must be taken very seriously. The maximum fine has been fixed at 4% of turnover for the preceding year, which is 2017 for any businesses that are sentenced in 2018. For example, the maximum risk for the GAFAs, if they do not comply with the Regulation, could be estimated as follows: for Amazon 7.1 billion for turnover of around 178 billion (higher than the profit…); for Apple, 5.6 billion for a turnover of around 141 billion; for Google, 4  billion for a turnover of around 100 billion and for Facebook, 1.28 billion for a turnover of around 32 billion (in dollars).

    The limited territorial field of application of the preceding directive

    European directive 95/46EC of October 24, 1995, transposed in France by law n° 2004-801 of August 6, 2004, updated the French data protection act (loi Informatique et Libertés) 78-17 of January 6, 1978.

    The Directive may of course apply to Data Controllers who are not established on the territory of the European Union, but it obliges them to use a means of processing situated in the territory of the European Union.

    It came to light that many processors were managing to avoid the European data protection regulations on the basis of the extraterritoriality of their processing.

    For many years Google claimed that the data it collected in France and in Europe were not governed by French regulations but by Californian regulations since the company and its servers were based in California.

    As the aim of the European Commission is to protect personal data, the new Regulation should rectify this shortcoming.

    The extraterritorial field of application of the Regulation 

    Starting from May 25, 2018, the European Regulation will be applicable to all processing of personal data for which the Data Controller or the Data Processor (in general the IT service provider) is established in the European Union, irrespective of whether or not the processing itself takes place within the European Union.  

    The Regulation also provides for its application in cases where the Controller or Processor are not established in the European Union when the processing targets a data subject situated in the European Union, irrespective of the nationality of the person concerned.  

    Controllers or Processors established in the European Union

    The notion of establishment is not defined in the Regulation.  It has been interpreted extensively by the French and European courts, which give priority to a functional analysis based on the effective and real exercise of activity through a stable arrangement.

    Establishment has already been judged to exist through the presence in the Member State concerned of a representative, a bank account and a letter box (CJEU October 1, 2015, Weltimmo).

    Furthermore, the legal form of such an establishment is not decisive. Consequently, the processing of personal data carried out by a simple branch, which has no legal personality, by a non-European Controller, must be carried out in accordance with the Regulation.

    Controllers or Processors not established in the European Union

    When the Controller or Processor is not established in the European Union and has no establishment there, the Regulation applies when the processing relates to persons situated in the European Union and when the processing activities are linked to an offering or the monitoring of internet users in the 28 countries making up the European Union, comprising 520 million inhabitants.

    • (i) To the offering of goods or services destined to these persons, whether these services are free or paying services

    The Regulation does not contain any definition of the offering of goods and services but it provides indications making it possible to characterise such an offering (whereas clause n°23), such as the use of the language or currency generally used in one or more Member States with the possibility of ordering goods and services in this language or even the mention of clients or users situated in the European Union.

    However, the mere accessibility of a website, e-mail address or other contact details is insufficient to ascertain this intention.

    In other words, it is necessary to check the intention of the Data Controller with regard to the persons concerned. Did he intend to offer goods or services to the persons concerned in the European Union or not?

    • (ii) To the monitoring of the behaviour of these persons, if this behaviour takes place in the European Union.

    In particular, the Regulation provides for the profiling of a natural person in order to make decisions concerning him/her or to analyse or predict his/her personal preferences, behaviour and attitudes.

    These two conditions (i) and (ii) are alterative and not cumulative.

    What about the transfer of the personal data outside the European Union?

    In principle, the transfer of personal data outside the European Union is prohibited. The aim is to protect personal data against data havens which apply more flexible regulations in this respect.

    There are many exceptions to the principle:

      1. Transfer of data towards countries belonging to the European Economic Area

    These countries have signed an agreement with the European Union through which they have adopted personal data protection regulations.

      1. Transfer of data towards countries with an adequacy agreement

    Certain countries are recognised by the European Union as having regulations on the protection of personal data that are equivalent to European regulations.

      1. The transfer of data towards countries that have signed standard contractual clauses or BCR (“Binding Corporate Rules”)

    These are countries for which no adequacy decision has been made or which have no personal data protection regulations. The idea is therefore to establish contractual rather than legal protection for data through standard clauses or an agreement within a group of companies.

    Standard contractual clauses

    Standard clauses have been drafted by the European Commission and are accessible via its website. These are agreements concluded between the Data Controller and the Processor established abroad either in the framework of an IT service agreement or in the context of the sending of personal data to a group subsidiary or entity.

    Currently, the Data Controller may obtain authorisation from the national regulatory authority (CNIL in France) before using these clauses. This request for authorisation will be discontinued as of May 25, 2018.

    Binding Corporate Rules (BCR)

    BCR concern groups of companies exclusively. A charter is adopted within the group under the terms of which all the group subsidiaries and entities undertake to comply with the European data protection regulations.

    Once the charter has been drafted, it is submitted for authorisation to the European data protection authorities via a mutual recognition system.

    This request for authorisation will be maintained after May 25, 2018.

      1. Transfer of personal data towards the USA: the “Privacy Shield” system

    This is an international agreement between the European Union and the American Federal Trade Commission (FTC) which American companies are free to adhere to. Under the terms of this agreement, the FTC undertakes to ensure that the companies that sign up to this system comply with the data protection rules contained in this international agreement.

    To conclude, the aim of the European Regulation on the protection of personal data is to apply to companies all around the world which process the personal data of European residents.

    It puts an end to the hide-and-seek of forum shopping which, for all services supplied on-line, made it possible to choose the most favourable and least strict country to develop a company’s economic model.

    The level of sanctions removes any doubt as to the firmness with which this new framework is going to be implemented. It generates risks that can hardly be considered as minor.

    It requires an in-depth thought process and the implementation of a compliance project for any company that uses the personal data of persons situated in one of the 28 European Union countries comprising 520 million inhabitants.

    The author of this post is Thierry Aballéa.

    The application of the General Data Protection Regulation (“GDPR”), in force since 25 May 2018, will oblige companies to deal with issues concerning IT security and liability for collection and storage of personal data, without the possibility of any further hesitation. Privacy protection will become an important part of corporate culture and will have to be necessarily managed from the top levels, i.e. the managing director as well as the management team. Employees will also be involved in this awareness process through adequate training on such matter. Companies should set forth order and priorities of some data-related procedures, in accordance with privacy by design and privacy by default principles. In other words, such companies should ensure data protection from the onset of the product phase or service ideation and design, opting for behaviors that are aimed to prevent possible issues affecting personal data.

    An even wider definition of personal data

    The concept of “personal data” refers to all the information that identifies or makes a person identifiable and provides details related to his/her features, habits, life-style, personal relationships, health and economic conditions. Also, the definition of “personal data” becomes even wider and more well-structured when considering electronic communications with new technologies including geolocation bearing significant weight.

    This transition, certainly problematic, introduces new challenges and opportunities, and highlights the question of data protection as a fundamental human right at the center of the international debate and digital policies. This results in a significant turning point. In fact, digitalization has caused several information security issues, which until a few years ago could be handled by national authorities in each single EU country, and now require a more focused and structured legal framework. The induction of platforms such as SaaS (Software as a Service) and the cloud computing growth have completely changed the scenario.

    Therefore, the European Data Protection Supervisor (EDPS) positively dealt with the request to reform the legal framework on personal data protection in 2011, since the existing legislation was no longer appropriate.

    Even though it is way too early to predict the impact of such privacy regulation, we believe that it is interesting to focus on certain general considerations and some of the GDPR’s outcomes in the international scenario.

    The potential applicability of the GDPR worldwide

    Certainly, one of the important changes brought about by the GDPR is its potential applicability worldwide: the regulation thus overcomes European borders in the name of personal data protection.

    Such regulation, in fact, not only applies to all cases where data are handled by EU based companies, but in all cases where a company, even though not EU based, also deals with EU based individuals’ personal data, within the scope to offer them goods or services or to monitor their behavior in the EU.

    Consequently, in the light of the above, all foreign companies still pursuing to offer and provide their services to EU-citizens cannot avoid complying with the GDPR.

    Furthermore, even UK organizations may be forced to comply with the regulation to protect UK citizens’ personal data and maintain their competitiveness in the EU market, for reasons of opportunity and convenience, apart from compulsoriness as above described and, in any case, for as long as Brexit does not materialize.

    The lack of connection with the data location

    The regulation not only limits foreign companies that deal with EU citizens’ personal data, but also aims to govern all the processing of personal data, irrespective of the place where such data are located. It therefore provides that all the personal data processing made by EU based companies will be subject to the GDPR, regardless of the fact whether such processing is carried out within or outside the EU.

    From a legal point of view, such data will be in the spotlight and subjected to this new regulation rather than to national laws. This means that the physical position loses relevance before the aim to grant interested individuals with a greater control on the information that is collected, processed and used by third parties.

    For sure companies may stop their business with EU citizens in order to avoid compliance with the GDPR principles, but such choice should be correctly made: i.e. the GDPR’s application should be taken into account when a company provides a web service which is available also to EU citizens.

    The disposition of strict fines

    The fines for companies that are not in compliance with such regulation can amount to up to 4% of their global revenue and up to Euro 20 million. The relevance of such measures drew attention of all the parties, particularly in the US where organizations have a strong presence in the EU. Furthermore, the GDPR applies to organizations of any dimension and to both individual enterprises as well as large companies.

    The forward-looking companies started to set forth their compliance programs immediately after the EU regulation announcement, but this appears complex and as a result meeting the set deadline called for 25 May could be difficult.

    According to PwC’s reports, 9% of US companies declare to have allocated more than 10 million dollars with the aim to obtain such compliance.

    Some compliance requirements for companies

    • Accountability principle: data processing needs to be carried out by recorded procedures, regardless of the fact that such procedures will be managed by the companies or by third parties on their behalf. Doing so will make the data controller responsible and oblige him to be compliant with the GDPR.
    • Risk based approach: the driving force of such a regulation is the aim to make companies responsible, which are therefore asked to comply with the GDPR principles by adopting a new risk based approach and risks assessment.
    • Clear and concise consent: much attention is paid to the consent of personal data processing, which should be clear, concise, distinguishable and unequivocal.
    • Data protection by design and by default: privacy management and implementation executed by means of default settings since the design phase; it means that companies should take into account the personal data protection, from the beginning a product, service or app is designed and developed.
    • Right to be forgotten: individuals are entitled to obtain, without delay, that their data is deleted by the data controller when certain conditions- provided by the GDPR -are met, such as for example when data become redundant and no longer necessary, or regarding the aims for which data have been collected or in the event when the individual’s consent is withdrawn.
    • Right to data portability: individuals are entitled to receive their personal data in a frequently-used, well-structured and machine-readable format, so as to transfer such data to another data controller, excluding any possible encumbrance by the former data controller.
    • Appointment of an EU Representative: the Representative should act on behalf of the data controller or the data processor and may be questioned by any surveillance Authority.

    How to make the transition process easier?

    The EU regulation relating to personal data protection requires a strong legal formation and, at the same time, tremendous technical implementation skills on the basis of the ongoing digitalization processes and use of even more innovative and complex technologies.

    In such regard, companies may rely on professionals who are able to provide multidisciplinary services and consultancy, not only of a legal and IT nature, but who can exchange and implement synergies between professionals and business workers such as engineers and mathematicians.

    Consequently, this burdensome commitment to follow the GDPR together with the obligation to comply with the law shall also enable companies to combine the aforesaid skills and join forces to commence a transition process that will ensure and ultimately result in growth.

    The author of this post is Giorgio Piccolotto

    Less than one year from now, on May 25, 2018, the new European Regulation on the protection of personal data (EU) 2016/679 will come into force. Whatever its size or business activity, every company has to process personal data files at some point.

    The new sanctions provide a strong incentive to prepare organisations for compliance with the new legal framework in twelve months’ time.

    Non-European undertakings must also be particularly careful regarding these new measures, the principal aspects of which are summarised below.

    Extraterritorial application

    The Regulation applies to personal data processing when the controller is established on the territory of the European Union.

    If the controller is not established in the European Union, the Regulation applies when data processing involves persons situated within the European Union and when the processing is linked to the offering of goods or services to such persons.  Non-EU companies must appoint a representative for this purpose.

    The right to data portability and appointment of a DPO

    This new right enables a person to recover the data that he has supplied in a form that is easily reusable, such as a USB key for example. Companies must get organised in order to be able to satisfy these portability requirements.

    Appointment of a Data Protection Officer

    Companies must appoint a DPO (Data Protection Officer), successor to the CIL (Correspondant Informatique et Libertés) who is appointed based on his professional skills (legal and technical), his independence and his accessibility in order to ensure compliance.

    We would like to point out that a specialist lawyer should be authorised to carry out this role provided relevant Bar rules do not prevent it.

    Sanctions

    These measures must imperatively be respected at the risk of seeing heavy sanctions imposed.

    Depending on the category of infraction, these sanctions may amount to:

    • 10 to 20 million euro; or
    • 2% to 4% of annual world revenues,

    The higher of the above two amounts is applied.

    Recommendations

    To ensure that your practices comply with the new legislation, it is necessary to:

    • Set in motion an internal project dedicated to compliance with the new legislation within the next 9 months;
    • Anticipate the obligations specified by the Regulation;
    • Budget for the right to data portability and the position of DPO;
    • Organise, for SME, the sharing of the DPO position with other companies.

    The author of this post is Thierry Aballéa.

    Alexandre Malan

    Tätigkeitsgebiete

    • Schiedsgerichtsbarkeit
    • Vertrieb
    • Insurance
    • Internationaler Handel
    • Rechtsstreitigkeiten