DEAL OR NO DEAL: EPISODE VII – THE LAST CONTRACT
Session 5: 1:30-2:30 Presented by Baker McKenzie
Title: GDPR 2.0 - Non-Privacy Implications of Europe's Privacy Regulation
Speakers:
Matthew Gemellow - Partner, Baker McKenzie, Palo Alto
Yana Komsitsky - Associate, Baker McKenzie, Palo Alto
Barbara Klementz - Partner, Baker McKenzie, San Francisco
Veronika Nemeth - Partner, Baker McKenzie, San Francisco
Lothar Determann - Partner, Baker McKenzie, Palo Alto
Margaret Bang - Director, Legal, Gigamon
Margaret Bang, Director, Legal, Gigamon, Inc.
• Implement and manage efforts to comply with the General Data Protection Regulation (GDPR) through the following: identify and map out the data flows of each business unit to develop a comprehensive overview and record of the data flows within, to and from the company; identify, negotiate and complete Data Sub-processing Agreements (DPAs) with applicable vendors to support the transfer of data internationally; negotiate and complete vendor agreements to ensure compliance with the GDPR for “data subject rights” and company rights; develop training modules summarizing the consent requirements and the restrictions on data use and transfer for marketing communications by mail, e-mail, text message, phone and fax; support and complete the data protection impact assessment; provide training on the data breach and security protocol; and prepare privacy policies, including the privacy website notice.
• Principal legal support for a wide variety of go-to-market agreements with channel partners, strategic alliance partners and end customers, including end user licenses, professional services, support and maintenance and other purchase agreements; prepare and provide training on marketing, trademark and logo guidelines; coordinate and review customer- and partner-facing marketing materials, web, digital and print marketing and advertising campaigns and associated corporate communications and press releases.
• Coordinate and collaborate with different business units on streamlining the procurement and contract management process; draft and automate templates for vendor service agreements, statement of work agreements and data processing agreements.
§ Records of data processing activities (aka 'maps')
§ Accountability documentation: dossier
§ Vendor & intercompany contracts
§ Data protection by design, TOMs (technical and organisational measures)
§ Notices
Work with Business Units to Collect Data & Establish an Internal Privacy Team
§ Work with Business Units to identify which vendors receive personal information on EU data subjects
  § HR, IT, Marketing, Finance, Sales
  § Confirm which vendor agreements are relevant
§ Identify Key Stakeholders to participate on Privacy Team
Determine Justification for Data Processing & Information to be Provided to Data Subjects when Collecting Personal Data
§ Article 6 - Consent
§ "Legitimate Interest" is our primary justification for processing Personal Information
  § Internal Administrative Work (HR/Benefits)
  § Protect and Preserve our network and computer system (IT)
§ Article 13 - Information to be provided when collecting Personal Information from Data Subjects
§ Employee Onboarding:
  § "Notice Regarding the Monitoring of Gigamon Computer Systems" – Most of the information required to be provided under Article 13 is included in this Notice regarding IT-related data
  § "Data Processing Notice" – Most of the information required to be provided under Article 13 is included in this Notice regarding human resource-related data
§ Increased focus in M&A and other corporate transactions
§ Key considerations @ deal kickoff
§ Due diligence: contemporaneous yet often competing activities
§ Allocation of liability for noncompliance
§ Impact of rep and warranty insurance
§ Compliance in post-acquisition reorganizations
§ Identify data processed, location and extent of processing
§ Consider whether minimization is required
§ Determine if each type of data processing is legally justified
  § Contract, local law, legitimate interests OR
  § Consent – a last resort
    § Can it be freely given by an employee?
    § May be withdrawn
§ Vendors with access to HR data and other third parties
  § Existing or new terms?
§ Create new or update notices to meet new robust requirements:
  § Employees
    § Employee data protection notice
    § IT monitoring/security/acceptable use policy
    § Hotline notice (if applicable), consider addressing recent local law compliance changes
  § Job applicants
    § Candidate statement on job portal, elsewhere?
Specify, among other things, all of the following:
§ Employer and DPO/privacy contact information
§ Purposes and legal basis for processing
§ Categories of recipients
§ Description of non-EU transfers, including details of safeguarding
§ Retention period
§ Whether provision of data is required
  § By statute or contract, or optional
  § Consequences of failing to provide
§ If automated decision making will take place
Implementation of updated employee privacy documentation
§ Finalized wording (possibly, even extent of processing)
§ Data Protection Impact Assessments
§ Data security breaches
§ Data intake and governance, including legacy HR data
§ US companies granting stock options and other share-based or incentive awards to employees of subsidiaries in Europe
§ Awards administered by US parent company, usually with assistance from US-based broker (e.g., E*Trade, Fidelity, Charles Schwab)
§ Employee personal data maintained by US parent and US broker (to administer employee’s participation in plan)
  § Services agreement entered into between US parent and US broker
  § Grant agreement entered into between US parent and employee
  § Participant agreement entered into between US broker and
§ Most companies (and US brokers) relying on employee’s consent to collect, process and transfer employee data (to administer employee’s participation in plan)
  § Consent included in grant agreement and participant agreement (or may have been obtained separately)
  § Need express acceptance
  § Issue of informed/coerced employee consent
§ Some companies relying on Safe Harbor/Privacy Shield, Model Contractual Clauses or Binding Corporate Rules, but won’t cover transfer of data to broker
§ Some companies argue that collection/processing/transfer necessary for execution of grant agreement (notification sufficient), but uncertain if covers transfer of data to broker
§ Still able to rely on consent?
  § Coercion issue unchanged under GDPR
  § If continue to rely on consent, update consent language to reflect GDPR and require separate acceptance (may need separate consent language for rest of world)
§ Alternatively, could rely on Privacy Shield, MCC or BCR or legitimate aim defense to justify transfer to US parent
  § But would need to require US broker to enter into MCC with US parent to cover onward data transfer (not all brokers may agree)
§ Services contracts inbound, outbound
§ SCC 2010, Privacy Shield, BCR in practice
Q&A and take-aways
Baker & McKenzie LLP is a member firm of Baker & McKenzie International, a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.