The new EU General Data Protection Regulation (2012/0011/COD) implies that companies doing business in Norway should review their contracts and internal procedures.
Written by Jeppe Songe-Møller, Senior Lawyer at Advokatfirmaet Schjødt AS – NICCI partner member.
Many data transfers between companies contain personal data, typically when a company purchases IT services from an external provider. Furthermore, international corporations are exchanging personal data between group companies in different countries on a daily basis. Some companies may also collect customer data via web sites or online applications.
1. Focus on export of data to non-EU/EEA countries
Personal data is any information or assessment that can be linked, either directly or indirectly, to a physical person. Information about employees or customers will normally be considered personal data.
As a direct consequence of the new regulation, companies should consider whether personal data is being transferred from one country to another and whether personal data is transferred to countries outside the EU/EEA. An example would be the outsourcing of IT services by a Norwegian company and the electronic transfer of information about employees or customers to a subcontractor in India. In such instances, Norwegian data protection rules require that agreements and internal procedures are in order.
The European Commission recently issued a communication summarising the actions taken to restore trust in EU-US data flows since the 2013 Snowden revelations. A new framework for commercial data exchange, the EU-U.S. Privacy Shield, will most likely be implemented shortly.
2. Emerging technologies
In some instances it may be difficult to know which country the personal data is transferred to, e.g. when using cloud computing services. A cloud service allows companies, by using external server parks connected to the internet, to command almost unlimited computing power as required. For this reason, many businesses choose not to make significant investments in their own hardware. Export of personal data outside of the EU/EEA, and in particular the use of international cloud computing service providers, requires that measures are taken in accordance with the Norwegian Personal Data Act.
3. Verify documents
Any company that enters into an agreement with an external service provider whereby personal data will be exchanged, or groups initiating intra-group transfers of personal data, should ensure that data processing agreements have been signed. Companies should also prepare an internal risk analysis which shows that the company has evaluated the safety and vulnerability associated with data transfer. This is particularly important for international transfers, be it between group companies, using IT providers with servers located outside the EU/EEA or using cloud computing where the server’s location is not clearly specified.
4. Regulatory compliance
The new EU General Data Protection Regulation will lead to increased government focus on requirements for internal documentation, such as security assessments, vulnerability analysis and data processing agreements. The new regime will also authorize local data protection agencies to issue substantial fines for violations.
All companies that process personal data shall follow the data protection rules and should adopt a proactive approach to data exchange, especially when data crosses borders.
Senior Lawyer Jeppe Songe-Møller, Advokatfirmaet Schjødt AS, LLM in European Law (King’s College London), Cand.Jur. (University of Bergen)