charlesrussellspeechlys.com Robert Bond, CCEP Head of Data Protection and Cyber Security Law and DPO The Data Protection Officer in EU and elsewhere: Roles and responsibilities

Robert Bond, Partner, CCEP
“Astounding” – Legal
“He continues to impress year on year. His spark of imagination and ability to grasp the technology is amazing” – Chambers UK, 2014
Robert Bond has over 37 years' experience in advising clients on all of their commercial, IP, technology and data protection requirements. He is DPO and deputy ABO for the firm. He is a legal expert, presenter and author in the fields of e-commerce, computer games, media and publishing, data protection, information security and cyber risks. He is named in the National Law Journal's list of 50 Governance Risk & Compliance Trailblazers, listed in the top 10 in “the Who’s Who of Information Technology Lawyers 2014” and also in “Best Lawyers in UK 2015”.
Tel: +44 (0)

Brief introduction to Charles Russell Speechlys
− Leading law firm based in London with regional offices within the UK and international offices in Bahrain, Qatar, Geneva, Zurich, Luxembourg and Paris, with a strong focus on the Technology, Media and Telecoms (“TMT”), Financial, Retail & Leisure and Life Science sectors.
− Recognised for our Data experience and advisory services in the latest legal directories, Chambers UK and Legal 500 amongst others.
− Our clients range from large listed businesses to small start-ups, governments, not-for-profit organisations and private individuals. We have specialised in data privacy and information security for 37 years.
− Our Data Protection & Information Law team provide a range of expertise on data privacy audit, compliance, risk management, information security and data breaches.
“What I liked was the fact that the team was very willing for us to see itself as an extension of our existing in-house team. I like the way it integrated – members sat alongside and guided us. That was what impressed.”

OUR EXPERIENCE
[World map slide: highlighted countries mark where we have assisted clients with data privacy related issues]

OUR EXPERIENCE
We have advised clients on all matters pertaining to data protection, including:
− Rolling out comprehensive, global data privacy programmes and policies for multinationals
− Training: face-to-face, via webinars and tailored e-learning modules
− International data transfer solutions
− Data breaches and cyber incidents
− Employee monitoring
− The implications of data privacy on marketing strategies
− Cookies and similar technologies
− Data retention and destruction
− Subject access requests
− Social media and Bring Your Own Device
− Big Data and IoT
− Telemetry technology
− Outsourcing contracts
− Data protection in the procurement process
− Data protection issues in relation to corporate transactions and due diligence
− Privacy Impact Assessments
− Notifications/filings with data protection authorities

Polling questions
− Does your organisation have a DPO?
− Under the GDPR, will your organisation appoint a DPO?
− Would your organisation use a DPO under a service contract?

Data protection is at the heart of any business
[Diagram slide: PERSONAL DATA at the centre, surrounded by:]
− Commercial Contracts
− Outsourcing / Cloud
− Investigations & Claims
− Global Presence
− Reporting and Discovery
− M & A
− Employment
− Corporate Restructuring
− Social media
− Big Data

Current DPO position in Europe
− Some jurisdictions mandate or legislate for the appointment of a Data Protection Officer (DPO), e.g. Germany, Belgium (for public bodies), Hungary, Slovenia, Russia, Poland
− In many countries the DPO is an optional appointment that can assist in mitigating risk
− CNIL “Seal Scheme” in France imposes detailed duties on the DPO
− The DPO is empowered to ensure the company is compliant with all aspects of applicable data protection laws and regulations
− The contact details of the DPO may be required to be filed with the relevant data protection authority in some jurisdictions
− The filing of the details of the DPO may negate the requirement to register the data controller with the DPA
− The DPO may need to be an in-country employee but in some cases can be appointed to serve a Group DPO function
− Some DPOs may be a service company appointed under a contract

Responsibilities: Notification / Registration
− Notifying the relevant Data Protection Authority of the company’s data processing activities
− Keeping notifications updated from time to time
− Maintaining separate notifications in respect of all data processing entities within the corporate group
− Making any necessary filings in relation to international data transfers with the Data Protection Authority

Data Protection notifications, filings and registrations – what is this?
− More than a tick-the-box exercise
− More than a bureaucratic formality
Purpose
− To assist the Data Protection Authorities (DPAs) in enforcing the data protection law
− You must be fully informed to present a registration/notification
Types of notifications:
− Prior registration of processing operations
− Prior checking of processing operations
− Notification of breaches to the DPA
− Notification of breaches to the data subjects
− Other types of notifications / requests for authorisation

DPO and Data Transfers
Strategies for transborder dataflows:
− Binding corporate rules – not valid in all countries
− Model clauses
− Safe Harbor
− Consent
− Presumption of adequacy
− Adequate destination
− Contractual necessity
− Seals and trust marks

CNIL Seal Deliberation of 11 December 2014
− Art 11(3) of the French Data Protection Act 1978 sets out the ability of CNIL to award a Privacy Seal to a data controller
− Deliberation published last year places many obligations on the DPO
− Must be independent to make decisions affecting compliance
− May be an internal or external entity (natural or legal)
− Must manage compliance and data breach reporting
− Must regularly audit privacy compliance of the data controller

ICO’s privacy seal project
− ICO has concluded its consultation on its project
− Framework sets out scope of scheme, incentives for certification, assessment, complaints and fees
− Intention is to appoint UKAS to lead the accreditation process for ICO and for there to be at least one accredited seal holder during 2016
− Seal design will be announced by the end of the year and will be licensed to users
− Several organisations have already expressed interest in obtaining a Seal

Art. 39 GDPR – European data protection seal
− Controller and/or processor can request the relevant Supervisory Authority, for a fee, to certify that processing is in accordance with the GDPR
− Accreditation framework with a hierarchy of auditors
− European Data Protection Board to keep a public register and define technical standards
− The Seal will not only certify compliance but also authorise data transfers

Responsibilities: Managing data controllers and data processors
− To monitor the activities of all data controllers within the corporate group (e.g. HR, sales and marketing, procurement functions)
− Liaison with relevant departments in respect of changes to processing activities – such as HR in relation to staff leaving, interviews and recruitment, new members of staff, subcontractors
− To provide advice to the company, the board and staff on compliance
− To manage data processors on behalf of the company
− To monitor any outsourcing of data processing activities to third party processors
− To ensure third party data processors enter into suitable contracts to ensure compliance with applicable data protection rules
− To define information security and data handling practices to be observed by third party data processors

Responsibilities: Policies, Procedures and Practices
− To provide guidelines to the company board and members of staff
− To provide guidelines to new members of staff
− To provide guidelines to contractors and third parties using company information
− HR liaison in relation to policies, procedures and practices specifically for members of staff, interviewees and job applicants
− Liaison with the IT department in relation to developing policies, procedures and practices for information security, data handling, outsourcing and monitoring
− To liaise with sales and marketing to ensure compliance with applicable law and regulations for marketing, advertising and PR

Responsibilities: Training
− To provide facilities for training and raise awareness among existing staff, new staff and the Board
− To advise on and coordinate in-house training by departments and groups
− To produce regular articles to update on new legislation and guidelines
− To raise awareness of new developments as they emerge

Responsibilities: Subject Access Requests
− To manage and administer Subject Access Requests
− Initial point of contact for employees in relation to Subject Access Requests
− To raise employees’ awareness of Subject Access Requests and the importance of a timely response
− To ensure responses to Subject Access Requests comply with the law (in the appropriate time frames)
− To provide the company board and staff with policies, procedures and practices in relation to compliance with Subject Access Requests and, where applicable, freedom of information access requests

Responsibilities: Audit
− To regularly audit for compliance with applicable legislation and regulations
− To advise the company of any changes to policies, procedures and practices as a result of any annual audit
− To implement any authorised changes to policies, procedures and practices resulting from an audit
− To consider, where necessary, the use of specialist advisors in relation to audit and compliance

What the future holds…

The General Data Protection Regulation – Data Protection Officer – Article 35 onwards
− Mandatory appointment in certain circumstances, e.g. where there is the “regular and systematic monitoring of data subjects on a large scale” or where the “core activities” mean that the controller or processor will process a large volume of “special categories of data” or “data relating to criminal convictions and offences”

EU DATA PROTECTION OFFICER – WHO AND HOW
− Data Protection Officers chosen for their professional qualities
− Expert knowledge of data protection law and practices, including:
  − Technical & organisational measures & procedures
  − Mastery of technical requirements for privacy by design, by default and data security
  − Industry specific knowledge in accordance with the size of the controller or processor and the sensitivity of the data processed
  − Ability to carry out inspections, consultation, documentation and log file analysis
  − Ability to work with employees’ representatives
− Organisation must enable the DPO to take part in advanced training measures to maintain specialised knowledge

EU DATA PROTECTION OFFICER – TASKS AND FORMALITIES
Tasks – trusted adviser or police?
− Raise awareness
− Monitor implementation and applicability of the policies
− Monitor implementation and applicability of the Regulation
− Ensure mandatory documentation is maintained
− Monitor the documentation, notification and communication of data breaches
− Monitor privacy impact assessment and prior consultation
− Monitor responses to the Data Protection Authorities
− Contact point to the Data Protection Authorities
− Inform employees’ representatives on employees’ data processing
− Verify compliance with this Regulation
There is a catch… DPOs will be protected employees!

OBLIGATION TO MAINTAIN DOCUMENTATION – ACCOUNTABILITY PRINCIPLE
− Organisations must keep appropriate policies & procedures, such as data retention and data management
− Policies & procedures reviewed at least every two years
− Reports of the activities of the controller shall contain a summary of policies & procedures
− Documentation must also contain:
  − Name & contact details of the controller, joint controller, processor and representative
  − Name & contact details of the DPO
  − Name & contact details of controllers to whom personal data is disclosed

The Proposed EU Data Protection Regulation – Remedies and sanctions
− Fines of up to EUR 20 million / 4% of total worldwide annual turnover of the preceding financial year, whichever is the higher.
− Criteria to set the level of fine will include the degree of technical and organisational security measures and procedures implemented for:
  − Data protection by design and by default
  − Security of processing
  − Data protection impact assessment
  − Data protection compliance review
  − Designation of the Data Protection Officer

Questions?

charlesrussellspeechlys.com