
The new European Union (EU) General Data Protection Regulation (GDPR) replaces the Data Protection Directive on May 25, 2018 and will directly impact all companies, including vapor product retailers and businesses, that market and sell products to consumers in the EU and/or employ residents of the EU. The reforms will give European consumers new rights and control over the personal data collected from and about them, and impose new obligations on businesses within and outside of the EU that collect personal information from EU citizens, regardless of where they reside, or from individuals who reside in the EU, regardless of their nationality. Given the magnitude of potential penalties for violations of the GDPR (supervisory authorities are authorized to impose fines of up to 4% of global annual turnover for serious infringements and 2% for less serious infringements), it is imperative that vapor product retailers and others selling into the EU or handling data about Europe-based individuals ensure they are GDPR-ready.

The new rules empower individuals by, among other things, (1) providing easier access to personal data and more information on how data is processed, (2) facilitating data portability, or transfers of personal data between service providers, (3) clarifying the fundamental “right to be forgotten” for individuals who no longer wish for their data to be processed, and (4) requiring expedited notifications to the national supervisory authority by companies that experience a data breach affecting personal data.

Most companies operate with multiple streams of data, such as HR data, consumer data, vendor/supplier data, and the like. A good starting point is for businesses to assess their current data collection practices and identify gaps, and use that to map out a step-by-step compliance plan specific to their data collection practices that fully prepares them for the new GDPR world.

We provide below a summary of the key requirements in the GDPR and a compliance checklist for businesses. Please note that the summary and checklist are provided for informational purposes only, and do not constitute legal advice regarding specific facts or circumstances.

GDPR KEY REQUIREMENTS

Personal Data
The term “personal data” means “any information concerning an identified or identifiable natural person.” An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.

Extraterritorial Effect
The Regulation applies not only to the processing of personal data by controllers and processors in the EU, but also to the processing of personal data of data subjects who are in the EU by a controller or a processor not established in the EU, if the processing activities are related to offering goods or services to the data subjects or monitoring their behavior within the EU.

Lawfulness of Processing
To be lawful, at least one of the following must apply:

  • The data subject consents;
  • Processing is necessary for the performance of a contract to which the data subject is a party;
  • Processing is necessary for compliance with a legal obligation to which the controller is subject (under EU or Member State law);
  • Processing is necessary to protect the vital interests of the data subject or another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (under EU or Member State law);
  • Processing is necessary for legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Consent
Consent to processing must be unambiguous, specific, informed, and freely given (for example, checking a box at a website or choosing technical settings). Pre-checked boxes do not constitute consent. For sensitive data (for example, data revealing race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation), consent must be explicit. When processing has multiple purposes, consent should be given for all of them. Consent may be withdrawn.

Data Processing
Processing of personal data must be lawful, fair, and transparent. Individuals should be made aware of the risks, rules, safeguards and their rights in relation to the processing of personal data. The specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of collection. Personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. Time limits should be established for erasure or periodic review. Personal data should be processed in a manner that ensures appropriate security and confidentiality.

Right to be Forgotten
Individuals have a right to request deletion of data, with some exceptions (for example, if retention is legally required).

Data Portability
Individuals have the right to easily transfer personal data between different service providers.

Children
Special rules apply to children’s data. Where a child is below age 16, processing is lawful only if parents or guardians consent. Member States may establish a lower age for these purposes, so long as the age is not below age 13.

Controller Responsibility
Personal data must be processed under the responsibility and liability of the controller, who must ensure and document compliance for each processing operation. Controllers should only use processors who provide sufficient guarantees in terms of expert knowledge, reliability and resources to implement technical and organizational measures that will meet the requirements of the Regulation. Adherence to an approved code of conduct or certification mechanism may be used to demonstrate compliance. There must be controller-processor agreements in place that describe the subject matter, duration, nature and purposes of the processing, the type of personal data, and the categories of data subjects. Upon completion of the processing, the processor must, at the controller’s election, return or delete the data, unless the processor is required by law to store it. Controllers and processors are jointly and severally liable.

Data Protection Impact Assessments

Data controllers must conduct Data Protection Impact Assessments (DPIAs) for “risky” processing. DPIAs should be completed before beginning any type of processing which is “likely to result in a high risk.” This means that even though the actual level of risk may not have been assessed, a DPIA may be necessary based on identifying factors that point to the potential for a widespread or serious impact on individuals. Some jurisdictions may impose DPIA requirements on specific types of processing.

If the DPIA indicates that the processing involves a high risk that cannot be mitigated, the controller should consult the supervisory authority (DPA) prior to the processing.

Data Protection Officer
Organizations must appoint a data protection officer (DPO) in three situations: the processing is carried out by a public authority; the core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale; or the core activities involve processing sensitive data or criminal convictions on a large scale.

Documentation
Controllers and processors must document all processing and make documentation available to the DPA on request.

Data Breach Notification
Controllers must notify the DPA within 72 hours of learning of a breach, where feasible; no notification is required if a breach is unlikely to result in risk to the rights or freedoms of individuals. Controllers must notify data subjects without undue delay, where the breach is likely to result in a high risk to their rights or freedoms. Notifications to data subjects should describe the nature of the breach and recommendations for individuals to mitigate potential adverse effects. Processors must notify controllers.

Streamlined Approvals
A single DPA can be designated the lead, enabling multiple DPAs to handle cases in a more streamlined manner.

Codes of Conduct and Certification
Codes of conduct are encouraged, and are subject to approval by the Commission, and compliance should be monitored by an appropriate expert, accredited body. Approved codes of conduct will be registered and published. Data protection certification mechanisms, seals and marks are encouraged.

Transfers to Other Countries
Transfers to other countries are permitted based on a determination that the country provides adequate protection of privacy; transfers are subject to adequate safeguards (for example, binding corporate rules, standard contractual clauses, an approved code of conduct, approved certification mechanisms, explicit informed consent).

Reduced Notifications
Supervisory notifications about data processing are no longer required, but permission is required to process certain categories of data.

Art 29 Working Party (WP29)
WP29 will be “upgraded” to an independent European Data Protection Board.

WP29 Guidance
WP29 has issued guidance on several aspects of the GDPR that provides clarification and recommendations.

DPA Enforcement
DPAs have enhanced enforcement powers, including expanded investigatory authority.

Complaints and Remedies
EU citizens can lodge complaints with local DPAs, even where data is processed extra-territorially, and have the right to a judicial remedy against supervisory authorities who fail to act and against controllers and processors.

Penalties
DPAs are authorized to impose fines of up to 4% of global annual turnover for certain serious infringements; 2% for less serious infringements.

GDPR COMPLIANCE CHECKLIST

Types of Personal Data Collected

Identify types of data collected
Identify sensitive data
Identify data collected from children and whether parental consent is required

Data Processing

Appoint a data protection officer (DPO)
A DPO must be appointed if:

  • The processing is carried out by a public authority;
  • The core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale; or
  • The core activities involve processing sensitive data or criminal convictions on a large scale.
  • A DPO may also be required where the business is operating or established in a jurisdiction (such as Germany) with more stringent requirements.
  • WP29 guidance on DPOs:
  • “Core activities”: defined by WP29 as those that are integral to “the controller’s or processor’s activity.”
  • “Large scale”: WP29 recommends that businesses consider the number of data subjects concerned; the volume of data or range of data items; and the duration and the geographical extent of the processing.
  • “Regular and systematic monitoring”: WP29 states this would “include all forms of tracking and profiling on the internet, including for the purposes of behavioral advertising.”
Confirm the lawful basis for the processing:

  • Consent
  • Necessary for compliance with a legal obligation to which the controller is subject
  • Necessary for the performance of a contract to which the data subject is a party
  • Necessary to protect an individual’s vital interest
  • Legitimate interests of the controller (e.g., providing client services or preventing fraud)
  • Transfers of personal data among controllers within an affiliated group for internal administrative purposes
  • Strictly necessary and proportionate for ensuring network and information security
If consent is the basis for the processing:

  • Must be unambiguous, specific, informed, and freely given
  • Must obtain consent for each processing activity/purpose
  • Explicit consent required for sensitive data
Confirm that personal data collected is adequate, relevant and limited to what is necessary for the purpose(s)
Determine whether a data protection impact assessment (DPIA) is required (high-risk processing), for example:

  • Systems that analyze a person’s economic situation, location, health, personal preferences, reliability or behavior
  • Video surveillance systems
  • Data in large scale filing systems on children, genetic or biometric data
The DPIA, if required, should address:

  • Contemplated processing and purposes
  • Necessity and proportionality of the processing in relation to the purposes
  • Risks to the rights and freedoms of data subjects
  • Safeguards and security measures to address the risks
If the DPIA indicates that the processing would result in a high risk, consult the DPA prior to processing
Data subjects must be informed about:

  • Identity and contact information for controller and DPO
  • Purposes of the processing and legal basis
  • Recipients or categories of recipients of personal data
  • Period for which personal data will be stored
  • Right to request access to and correction or erasure of personal data or to restrict processing
  • Right to withdraw consent at any time
  • Right to file complaint with supervisory authority
Review privacy policies and update as necessary
Establish a system for documenting processing operations
Amend third-party contracts to ensure compliance with the GDPR and the e-Privacy Directive (and eventually the e-Privacy Regulation)

Data Storage

Determine where and how data is stored
Establish limits for erasure of data and periodic reviews
Review data retention policies to ensure data only kept for as long as necessary
Establish and/or review processes for rectifying or deleting inaccurate data
Prepare template responses for data access requests

Data Transfers to Other Countries

Review and analyze global data flows
Assess validity of current mechanisms for transfers of personal data from the EU to the U.S. or other countries, for example:

  • Adequacy determination
  • Binding corporate rules
  • Standard contractual clauses
  • EU–U.S. Privacy Shield
  • Codes of conduct
  • Certification mechanisms
  • Explicit, informed consent in limited circumstances
Assess feasibility/benefits of approved codes of conduct and certification mechanisms
Assess the need for controller-controller and/or controller-processor agreements; review their content for compliance with the new requirements

Data Security

Review the technical and organizational measures in place to prevent unlawful destruction, loss, alteration, or disclosure of, or access to, personal data, including:

  • Pseudonymization and encryption
  • Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services
  • Ability to restore availability and access to data in timely manner in the event of a physical or technical incident
  • Process for regularly testing, assessing and evaluating the effectiveness of the security measures in place
Ensure that processors are employing adequate technical and organizational measures, and address this in contracts
Establish and/or update the data breach response plan

For more information on the GDPR or other privacy or data security matters, and how they affect businesses involved in e-liquid and vapor products, please contact Tracy Marshall (+1 202.434.4234, marshall@khlaw.com), Azim Chowdhury (+1 202.434.4230, chowdhury@khlaw.com), or Nathan A. Cardon (+1 202.434.4254, cardon@khlaw.com).