No. 2017/2 • 24th year • Quarterly • Published: October 2017
THE IMPLICATIONS OF BREXIT FOR OWNERS OF UK INTELLECTUAL PROPERTY RIGHTS

Although much uncertainty still remains, the process of shaping the post-Brexit IP landscape is under way, and, whether based in the UK or elsewhere, owners of UK intellectual property rights are thinking about how Brexit will affect their intellectual assets and future strategies. In this article we explore the likely outcomes, especially in the light of the UK Government’s stated wish to end the jurisdiction of the Court of Justice of the European Union in the UK.

I. The divorce

On 29 March 2017 the UK Prime Minister, Theresa May, finally triggered Article 50 of the Treaty on European Union, opening up a period of negotiation about the UK’s future political and economic relationship with the EU. Unless an extension is agreed by all the remaining 27 EU Member States, the parties now have until 29 March 2019 to come to an agreement before Brexit day.

A. Breaking away from the CJEU

Intellectual property (IP) issues as such rarely make it into the Brexit headlines. However, high on the public agenda is the UK’s intention to “take control” of its own laws by ending the jurisdiction of the Court of Justice of the European Union (CJEU) in the UK. (1) In view of the substantial EU harmonization which exists in the IP field, the potential implications of this are significant, not only as regards unitary rights such as European Union Trade Marks (EUTMs) and Community Design Right (CDR) but also in relation to the harmonization and consistent interpretation of national IP laws.

B. The legal mechanism for exit

The UK Government has stated that it will introduce a “Great Repeal Bill” repealing the European Communities Act 1972, which currently makes EU law supreme in the UK. At the same time the Bill will convert the existing EU law acquis into domestic law. This means that on Brexit day all directly applicable EU laws (such as EU regulations) will become UK laws, and laws made in the UK to implement EU obligations (such as to implement directives) will be preserved. Changes will be made by secondary legislation where these laws would not otherwise “function sensibly” (2) after Brexit. As a result, both directly applicable EU laws and UK laws passed to implement EU directives will form part of UK law at Brexit. The Bill will also provide that historic CJEU case law will have the same binding or precedent status in the UK courts as decisions of the UK Supreme Court. (3) The UK legislature will then decide which elements of these laws to keep and which to discard in due course.

(1) UK Government Policy Paper, 2 February 2017: The United Kingdom’s exit from, and new partnership with, the European Union, p. 7, available at https://www.gov.uk/government/publications/the-united-kingdoms-exit-from-and-new-partnership-with-the-european-union-white-paper.
II. The Unified Patent Court conundrum

At the time of the UK referendum on EU membership in June 2016, the EU’s Unified Patent Court (UPC) and Unitary Patent project was just about to go live. This new system is intended to streamline the patent litigation system in Europe, making it more cost-effective and avoiding the “forum shopping” and intricate jurisdictional tactics that have traditionally plagued such litigation. It would also introduce a new, single “Unitary Patent” enforceable in up to 25 European countries.

A. UK to participate in the new court

In the immediate aftermath of the “leave” vote there was a general consensus in patent circles that Brexit would spell the end of UK participation in this project. However, in November 2016 the UK Government made the surprise announcement that it would press ahead with ratification of the UPC Agreement. This was good news, as the absence of UK ratification was delaying the project as a whole. At the time of writing, the UPC Preparatory Committee’s timetable envisages that the new court will go live in December 2017, at which time Unitary Patents will also become available. (4) The UK had still not actually ratified by the time Article 50 was triggered at the end of March 2017 (see above), and questions were being raised about whether ratification might become a factor in its negotiations with the EU. However, the UK Intellectual Property Office (IPO) has confirmed that it remains “fully on track” to ratify in accordance with the timetable. (5) The expectation is that the UK will initially go forward into the UPC project as a fully participating member.

(2) Ibid., p. 5.
(3) UK Government White Paper, 30 March 2017: Legislating for the United Kingdom’s withdrawal from the European Union, p. 14, available at https://www.gov.uk/government/publications/the-repeal-bill-white-paper.

Cah. Jur., 2017/2 - 25

B. But what will happen after Brexit?

While ratification will allow the UK to get its foot in the door of the new system, its long-term participation post-Brexit is uncertain. A key political issue is how the intention to end the jurisdiction of the CJEU in the UK (see above) can be reconciled with continued UPC participation, as the UPC Agreement requires the new court to apply EU law in its entirety and respect its primacy, and CJEU decisions are binding on it. Jo Johnson, Minister for Intellectual Property (and younger brother of UK Foreign Secretary Boris Johnson), has indicated that the Government believes the UPC has value to UK inventors and businesses, (6) although the nature of any participation by the UK post-Brexit depends on the broader negotiations between the UK and the EU. He also commented that the UPC is not an EU institution and is independent of membership of the EU, raising the possibility that a “softer” approach might be found in relation to the UPC. The view here may be that because the UPC is not a domestic UK court, the fact that it is subject to CJEU jurisdiction does not amount to the CJEU having jurisdiction “in the UK” (7) and so does not conflict with the policy goal of ending CJEU jurisdiction in the UK.

C. The legal position

From a legal point of view, the ability of the UK to participate in the new court system post-Brexit is supported by a legal opinion from leading UK barristers obtained by the Chartered Institute of Patent Attorneys and others in September 2016. (8) This opinion argues that participation by the UK post-Brexit would be possible under UK and EU constitutional law, provided, among other things, that the UK submits to EU law and to the rulings of the CJEU as regards proceedings before the court. Certain amendments would need to be made to the UPC Agreement and an international agreement entered into between the UK and the EU. (9) The UK would also have to sign up to an appropriate jurisdiction and enforcement regime. However, even if compromise on this point from the UK side were forthcoming and the UK were willing so to submit, it remains to be seen whether participation by non-EU states (as the UK would then be) would be accepted by the other EU Member States and the CJEU. Some readers may remember that an earlier draft of the UPC Agreement which included both EU Member and non-Member States foundered on the CJEU’s Opinion 1/09, (10) which held that the agreement was incompatible with EU law. This opinion was interpreted by the European Commission, among others, to mean that only EU Member States could participate. The barristers’ opinion referred to above challenges that view but acknowledges that the CJEU might disagree. Ultimately, it may be a question of whether there is the political will to find a way through the legal morass.

D. Participation in the Unitary Patent

While most commentary and interest has focused on participation in the UPC rather than the Unitary Patent as such, the barristers’ opinion referred to above suggests that it would be legally possible for the UK to continue to participate in the Unitary Patent after Brexit. However, a new international agreement with the participating EU Member States would be needed.

E. Practical hurdles

Aside from the political and constitutional questions, the potential practical difficulties of agreeing the necessary changes to the arrangements would represent a high hurdle. So although many patent owners may feel that a revised UPC arrangement that allowed non-EU Member States, including the UK, to participate post-Brexit would be an excellent solution, there still remains considerable doubt about whether this will become a reality.

F. The immediate consequences for patent owners

Although the UPC has generally been welcomed by industry, the advent of the new court and unitary patent involves uncertainties. It should be noted that not only the new unitary patents but also existing, country-specific European patents (European patent (UK), European patent (BE) etc.) will, in principle, automatically become subject to the jurisdiction of the new court on go-live day, currently scheduled for December 2017. This is, however, subject to transitional arrangements allowing patent owners, during a transitional period, to opt some or all of their patents out of the court’s jurisdiction so that these patents will continue to be litigated only before the national courts. Whereas the new system may bring powerful advantages in terms of streamlining multi-jurisdictional patent litigation in Europe and the availability of pan-European remedies including cross-border injunctions, it also brings the inevitable uncertainties of a new system bedding down and the specific risk of central revocation (whereby all the different country-specific parts of a European patent could be revoked as a result of one court action).

G. Opt-out

In preparation for the new system patent owners have, therefore, been considering which, if any, of their patents to opt out, and a “sunrise period” for opt-out is scheduled to begin three months before the court goes live (September 2017), enabling patent owners to ensure that their patents are opted out from day one. We expect the additional uncertainties around the UK’s position after Brexit (see above) to increase the number of patents being opted out, at least until the UK’s position is clarified. This will of course affect not only UK businesses but also any business holding European patents (UK). The hope is, therefore, that the position can be clarified soon.

(4) To obtain a Unitary Patent an applicant for a European patent must apply for “unitary effect” within one month of grant of the European patent at the European Patent Office.
(5) As reported in Managing Intellectual Property, 30 March 2017, available at http://www.managingip.com/Article/3687198/UK-on-course-to-ratify-UPC-Agreement.html.
(6) Hansard, 11 January 2017.
(7) As argued in the IPKat blog, 4 April 2017, available at http://ipkitten.blogspot.be/2017/04/the-upc-after-brexit-is-cjeu.html.
(8) Re the effect of “Brexit” on the Unitary Patent Regulation and the Unified Patent Court Agreement, by Richard Gordon QC and Tom Pascoe of Brick Court Chambers, 12 September 2016, available at http://www.eip.com/assets/downloads/gordon-and-pascoe-advice-upca-34448129‑1-pdf.
(9) If the UK takes part without amendment of the UPC Agreement, then, at Brexit, UK divisions of the UPC would have to cease operation – barristers’ opinion referred to above, p. 39.
(10) Opinion 1/09 of the Court (full court), 8 March 2011 (Opinion delivered pursuant to Article 218(11) TFEU – Draft Agreement – Creation of a unified patent litigation system – European and Community Patents Court – Compatibility of the draft agreement with the Treaties), available at http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=lst&docid=80233&occ=first&dir=&cid=659569.
III. Brands – the UK to drop out of the EUTM

As many readers will be aware, a European Union Trade Mark (EUTM) is a single, “unitary” trade mark covering the whole territory of the EU. Generally very popular with industry, EUTMs represent a “one-stop shop” for businesses to obtain pan-European protection for their brands on the basis of a single application, and pan-European injunctions and other remedies are available in some situations. The EUTM is governed by an EU regulation which largely mirrors the provisions of an EU harmonising directive governing the substantive national trade mark laws of the EU Member States.

A. Providing equivalent UK national rights

The current expectation is that EU Trade Marks will cease to cover the UK as from Brexit day, and the UK IPO is already in discussion with IP practitioners and others about the mechanisms for converting the UK “part” of existing EUTMs to UK national rights with equivalent priority. Key issues include whether it will be up to trade mark owners to “opt in” to these UK rights, whether there will be an additional opposition period, whether additional fees will be payable and how pending applications for EUTMs before the EU IPO will be dealt with. In view of such uncertainties some trade mark owners are already applying for parallel national UK trade marks for key brands; however, many seem to be adopting a “wait and see” approach. While brand owners will wish to keep the proposed conditions for such UK national rights under review, for many right holders such national rights are likely to be a satisfactory solution to the loss of the UK “part” of the EUTM. Those aspects of the EUTM which involve reciprocity with other EU jurisdictions, most importantly the ability to obtain cross-border remedies such as injunctions, will, however, almost certainly be lost. The EUTM is only open to EU countries.

B. Further Brexit-related risks for trade mark owners

EUTM holders whose use of an EUTM is currently primarily in the UK may find that, after the UK “part” has been split off, their use of the mark in other EU Member States may not be sufficient to maintain the validity of the EUTM. Similarly, whereas at present a UK national trade mark may block registration of a conflicting EUTM by a competitor, this will no longer be the case after Brexit. Conversely, after Brexit, an EUTM will not block registration of a conflicting UK national trade mark.

IV. The consequences for Community design rights

Two types of “unitary” EU design rights (referred to as Community design rights) are currently available, a registered right and an unregistered right. As for EUTMs, the UK will almost certainly no longer be covered by these rights after Brexit day. As with EUTMs, Community design rights are governed by an EU regulation which largely mirrors the provisions of an EU harmonising directive governing the substantive national registered design right laws of the EU Member States. The expectation is that holders of Community Registered Designs (rCDRs) will be able to convert the UK “part” of their rCDR to a form of UK registered design right, preserving the priority of their rCDR. As with EUTMs, the precise mechanism for this is under discussion and, as with EUTMs, aspects of the rCDR which involve reciprocity, such as the ability to obtain cross-border remedies, will almost certainly be lost. The UK Government has also indicated that it will be joining the Hague Agreement on designs in a national capacity; this is an international system for registering multiple designs in different countries in which the UK currently participates through the EU.

A. Filling the gap in unregistered design protection

In addition to the rCDR, a three-year, unitary unregistered Community design right (uCDR) is also currently available covering all EU Member States. This right is particularly useful in fast-moving areas such as fashion and consumer goods as it arises automatically and protects both 3D and 2D designs, including surface decoration. A UK unregistered design right also exists in parallel to the uCDR, but this only covers 3D designs and excludes surface decoration, so that significant aesthetic aspects of designs are not covered by the UK right. Voices in the fashion industry in particular have been calling for the UK Government to plug this potential gap in unregistered design right protection after Brexit by introducing a new UK right. It is not yet clear how this issue will be handled. It is assumed that the uCDR will continue to be available to both EU and non-EU businesses in respect of the remaining EU Member States. However, there is case law in Germany at least to suggest that, in order to benefit from the unregistered Community design right, first publication of the design must be within the EU. (11) This means that, after Brexit, showing a design for the first time at, for example, the London Fashion Show could put it outside the scope of the uCDR. Businesses will wish to develop mechanisms to avoid this where possible.

V. Will UK IP laws fall out of step with those in Europe?

As many readers will be aware, as part of the single market project the EU has provided for extensive European harmonisation in IP fields including trade marks, designs and copyright.

(11) Decision of the Federal Supreme Court (Bundesgerichtshof), 9 October 2008, I ZR 126/06, available at http://www.beck.de/cms/?toc=GRUR.3009&docid=273342.
This has been achieved through EU legislation, including both directly applicable European regulations and directives (such as the recent Trade Secrets Directive). (12) CJEU case law has also been crucial in providing a uniform interpretation of this legislation across Europe and, in so doing, developing important concepts in IP law. A question in many people’s minds now is whether, after Brexit, aspects of UK law will be “resurrected” as they were prior to this body of EU case law.

A. Historic CJEU case law will constitute binding precedent

This will not be the case, at least initially, because (as mentioned above) under the Great Repeal Bill historic CJEU case law will have the same status as decisions of the UK Supreme Court so far as law derived from the EU is concerned; in other words, CJEU case law will constitute binding precedent under UK law. So, although the CJEU will not have any role in the interpretation of UK law made after Brexit, for as long as EU-derived law remains on the UK statute book the starting point will be CJEU case law as it stood on Brexit day. As the UK Government points out in its White Paper, (13) this will not necessarily mean that the law will be “fossilised” as at Brexit day, because although the Supreme Court normally treats its own decisions as binding, it can depart from them “when it appears right to do so” – although in practice this arises rarely. In its White Paper the UK Government also indicates that it is considering whether to take steps to “give further clarity” about the circumstances in which the Supreme Court may depart from such CJEU precedent. It remains to be seen whether this might lead to a loosening of the approach to precedent in the case of EU-related law. In addition, of course, the UK Parliament may amend the law through legislation. At least initially, therefore, UK IP laws will not fall out of step with those in Europe, as CJEU case law will be preserved, but in the long run laws may begin to diverge.

VI. International trade and exhaustion of rights

As many readers will be aware, EU rules on the free movement of goods mean that, with some exceptions, the owner of a national intellectual property right in an EU Member State (e.g. a trade mark or patent) cannot use this national right to prevent goods circulating in the EU once they have been put onto the market in the EU with his consent. This principle has been extended to the European Economic Area. The position the EU has taken in an international context is, however, that, so far as harmonised or partially harmonised rights such as trade marks and copyright are concerned at least, the owner of an IP right within the EU may use his IP right to prevent goods which he has put on the market outside the EU from entering his EU territory without his consent. In other words, there is European exhaustion of rights but generally not international exhaustion. This results in a market in “grey” goods or parallel imports, and many current licensing arrangements are also structured with these rules in mind.

The UK Government has indicated that it is not seeking access to the single market as such. (14) The impact of Brexit on the rules on exhaustion of rights is therefore likely to depend on the trading agreements (if any) negotiated between the EU and the UK. These may affect the shape of parallel trade to and from the UK in the future and require current licensing arrangements to be reviewed.

VII. Conclusion

As can be seen from the above discussion, Brexit raises some immediate, specific issues for owners of UK IP rights, particularly in terms of the single, unitary European IP rights such as the EUTM and CDRs and in relation to future involvement in the Unified Patent Court. So far as UK national rights are concerned, however, IP laws and their interpretation are likely to continue much as before, at least initially. This reflects the UK Government’s wish to “maximise legal certainty at the point of departure”. (15) What will happen later, and particularly the extent to which UK IP laws may begin to diverge and what persuasive weight may be afforded to CJEU case law by the UK courts in future, still remains a question for crystal ball gazing. In the wider context, IP owners will wish to be aware of the effect of trade agreements in areas such as exhaustion of rights and to adjust licensing arrangements where needed.

Tom Lingard, Lawyer
Astrid Arnold, Lawyer

(12) Directive (EU) 2016/943.
(13) Legislating for the United Kingdom’s withdrawal from the European Union, March 2017, p. 16.
(14) Theresa May, the UK Prime Minister’s letter to President Tusk on triggering Article 50 TFEU, 29 March 2017, p. 4, numbered para i, available at https://www.gov.uk/government/publications/prime-ministers-letter-to-donald-tusk-triggering-article-50.
(15) Secretary of State David Davis’s Commons statement on the Great Repeal Bill White Paper, 30 March 2017, available at https://www.gov.uk/government/speeches/david-davis-commons-statement-on-the-great-repeal-bill-white-paper.
DATA PROTECTION: THE FUTURE NEW DATA PROTECTION AUTHORITY

The protection of personal data, and thus of privacy, has undergone many changes in recent decades, driven mainly by new technologies, the growth of social networks and a heightened awareness among all the actors concerned of the associated risks. At European level, the most recent changes to the legal data protection regime date from 2016, with the publication of the Regulation of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the GDPR) (1). It will enter into force on 25 May 2018. Just as is already the case today under the Law of 8 December 1992 (2), a national supervisory authority is needed to ensure that this regulation is properly applied, and the GDPR provides for one in considerable detail. At present, this task is performed in Belgium by the Commission for the Protection of Privacy (Commission de la protection de la vie privée). In its drive for harmonisation, the GDPR considers it necessary to “provide for equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States” (3). It therefore sets out a precise framework that allows the role and powers of the various supervisory authorities of the Member States to be standardised and strengthened. To transpose the GDPR’s requirements concerning this supervisory authority into Belgian law, Secretary of State De Backer has tabled a bill establishing the Data Protection Authority, which is currently under examination in Parliament (4).
I. What does the bill reforming the supervisory authority provide?

“The establishment in Member States of supervisory authorities, empowered to perform their tasks and exercise their powers with complete independence, is an essential component of the protection of natural persons with regard to the processing of their personal data”, states the GDPR (recital 117). The creation of a supervisory authority that meets the requirements of the regulation is therefore one of the first measures to be implemented in each Member State, including in Belgium. While the regulation allows for one or more supervisory authorities, Belgium has opted for a single authority, as is already the case today.
II. The Commission for the Protection of Privacy will now be called the Data Protection Authority

This change of name reflects two considerations. First, it adopts the terminology used in the GDPR, so that the institution is more easily identifiable by its counterparts in other Member States. Second, the protection of privacy is a broader concept than data protection. The Data Protection Authority, like the Commission for the Protection of Privacy, is not intended to deal with issues such as the right to family life or the right to one’s image, even though these are aspects of the right to privacy. Calling it the Data Protection Authority (hereinafter the “DPA”) therefore ensures a better match between the institution’s name and its tasks as set out in the GDPR.

A. Competences

The principal task of this new authority is to monitor compliance with the fundamental principles of personal data protection set out in the Privacy Law and in all laws containing provisions on the protection of personal data processing. As with the Commission for the Protection of Privacy, the DPA’s supervisory competence extends to the whole of Belgian territory. Although data protection mechanisms have also been set up at regional level in recent years, these regional supervisory bodies are not, at present, fully fledged regulatory bodies, either within the meaning of Article 28 of the 1995 Data Protection Directive (95/46/EC) or within the meaning of the GDPR. Only the DPA has this supervisory function and therefore overall control in data protection matters, as is currently the case for the Commission for the Protection of Privacy. However, under Article 55(3) of the GDPR, the DPA’s competence cannot extend to the processing of personal data by courts and tribunals acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including when it takes decisions. Its role is much broader than that of the Commission for the Protection of Privacy: it moves from an advisory body to a supervisory and sanctioning authority. The GDPR confers on it entirely new competences and powers. It has investigative powers and the power to impose administrative sanctions, whereas the Commission for the Protection of Privacy currently has, essentially, only an advisory power. From an advisory authority it thus becomes a supervisory authority with coercive powers. In addition, there will no longer be two different supervisory regimes for public-sector controllers and private-sector controllers. The new Authority will supervise the processing of citizens’ and consumers’ data with the same rigour.

The DPA’s new competences are of four kinds:

1) Information and advice. The DPA’s task is to inform and advise individuals, controllers and their processors, and policymakers, with a view to ensuring compliance with data protection legislation.

2) Support for controllers. This competence to support controllers and their processors (for the latter, this is also new) so that they make effective use of preventive tools is provided for in the GDPR. It concerns in particular assisting those concerned with certification, adherence to codes of conduct, and the advisability or obligation of appointing a data protection officer.

3) Supervision. The DPA is responsible for supervising controllers and their processors.

4) Sanctions. The DPA will be able to impose sanctions, ranging from a warning to a financial penalty, which will be determined according to the circumstances, ensuring fair treatment proportionate to the seriousness of the facts.

B. Legal personality

The DPA will now have legal personality, like comparable independent administrative authorities such as the Belgian Competition Authority and the Financial Services and Markets Authority (5). At present, the Commission for the Protection of Privacy does not have legal personality.

(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(2) Law of 8 December 1992 on the protection of privacy with regard to the processing of personal data (M.B., 18 March 1993).
(3) Recital 11 GDPR.
(4) Doc. parl., Chambre, 54-2648/001.
C. Structure
The structure of the Data Protection Authority (DPA) will be completely different from that of the Commission for the Protection of Privacy. Here too, the new structure has been modelled on that of independent administrative authorities with comparable powers. Whereas the current Commission consists of the general management, a secretariat (6) and five sectoral committees, the Authority will henceforth consist of six bodies.
1) The management committee
The management committee determines the general policy of the DPA, including the allocation of its budget. It sets the priorities and decides on the resources and their distribution among its various bodies. It also represents the Authority's action before the parliamentary and judicial oversight bodies. The management committee is composed of the heads of the five other bodies, namely the director of the general secretariat, the director of the knowledge centre, the director of the front-line service, the inspector general and the president of the litigation chamber. These five persons are office-holders appointed by the Chamber of Representatives from lists submitted by the Council of Ministers. They will exercise their mandate full-time (7). The system thus remains one of political appointment. The members of the management committee, like those of the knowledge centre and the litigation chamber, are appointed for a term of six years, renewable once. The legislator considers that holding the same mandate for more than 12 years could be detrimental to the institution, which must remain independent, proactive and in step with developments in the field, developments which take place not within the institution itself but on the ground. To reinforce these three characteristics, each body may call on external experts to assist it in carrying out its tasks. Linguistic parity must be respected.
2) The general secretariat
The general secretariat has horizontal support tasks and is responsible in particular for managing matters relating to human resources, budget and IT, as well as internal and external communication. It also has the important task of monitoring the social, economic and technological developments that have an impact on the protection of personal data, and of drawing up the list of processing operations that require a data protection impact assessment. It will also be the body that approves codes of conduct (Articles 40 to 43 of the GDPR).
3) The front-line service
The front-line service plays a particular role in receiving and handling complaints and requests, but also has a very important function in supporting controllers and their staff, and in informing and raising awareness about the rights of data subjects. From a legal point of view, the role of this body is not very clear.
4) The knowledge centre
The knowledge centre issues, either on its own initiative or at the request of the Government, the legislative Chambers, the Community or Regional Governments, or the Community or Regional Parliaments, opinions on any question relating to the processing of personal data, and recommendations on any subject that may have an impact on such processing.
5) The inspection service
The inspection service is the investigative body of the DPA. To investigate a case, the inspectors have numerous means at their disposal: they may in particular interview persons, carry out on-site inspections, consult and copy computer systems and the data they contain, access information by electronic means, seize or seal property or computer systems, and require the identification of the subscriber or habitual user of an electronic communications service or of the electronic means of communication used. The inspection service may order the temporary suspension, limitation or freezing of the processing of data under investigation where this is necessary to avoid a situation likely to cause serious, immediate and hard-to-repair harm.
6) The litigation chamber
Article 58(2) of the GDPR specifies that the DPA has the power to adopt corrective measures. The litigation chamber is therefore its administrative adjudicatory body. Such a body also exists within other independent administrative authorities with comparable powers, which have a body ruling on fines and other sanctions. The range of sanctions that the litigation chamber may impose at the end of a complaint procedure is extremely varied and makes it possible to adapt the sanction to the seriousness of the situation and to apply sanctions gradually. Among other things, it has the power to propose a settlement, issue warnings and reprimands, order the freezing, limitation or temporary or permanent prohibition of processing, impose periodic penalty payments and/or administrative fines, order the suspension of cross-border data flows to another State or an international body, and decide on a case-by-case basis to publish its decisions on the DPA's website. An appeal against decisions of the litigation chamber lies with the Market Court; the decision is nonetheless enforceable notwithstanding the appeal.
7) The advisory council
In addition, an advisory council (conseil de réflexion) is to be set up, independent of the DPA. Its role is to bring a field perspective to the management committee, to help it steer its action towards current and future data protection challenges. It will deliver non-binding opinions. Its composition will be determined by the Chamber of Representatives. Its members will in principle come from academic and professional circles and will not be part of the DPA. This advisory council is a Belgian specificity.
8) Abolition of the sectoral committees
Within the Commission for the Protection of Privacy there are currently five sectoral committees, each devoted to specific matters: the National Register, the Crossroads Bank for Enterprises, the Crossroads Bank for Social Security, the National Statistics Institute, and a committee for the federal authorities. Neither the Privacy Act nor the sectoral laws that create them define the competences or the scope of these sectoral committees. In practice, these committees decide on access to databases or authorise flows between databases. While this structure was adequate at the time when the Commission for the Protection of Privacy had only advisory powers, it no longer meets the requirements of the GDPR. The draft law therefore provides for the abolition of these sectoral committees. The process of authorising access to certain databases or data exchanges will thus be changed: the authorisations hitherto granted by these committees will henceforth be handled directly by the data protection officer of the institutions concerned by the access or exchange of data.
(5) Similarly, Article 68(1) of the GDPR grants legal personality to the European Data Protection Board, which brings together all the data protection authorities of the Member States.
(6) The secretariat provides administrative support to the Commission and consists of three sections, namely the organisation and resource management section, the studies and research section (legal support to the Commission) and the external relations section.
(7) Recall that the current Commission for the Protection of Privacy consists of eight full members, of whom only the president and vice-president exercise this function full-time, and eight alternate members.
III
Conclusions
Data protection, and hence the privacy of individuals, is of growing importance in our digital society. The Data Protection Authority is one of its guarantors in a hyperconnected world where data subjects do not always grasp the stakes of the protection offered to them, nor the risks they may face in this context. The establishment of this new Data Protection Authority is scheduled for 25 May 2018, at the same time as the GDPR becomes fully applicable. It is nevertheless provided, for organisational reasons, that the King may bring certain articles into force earlier. Some questions regarding its organisation, such as its funding, remain open. With the establishment of this Authority and the disappearance of the Commission for the Protection of Privacy, the mandate of the members of the Commission and of the external members of the sectoral committees will come to an end. The draft law whose main lines I have described still has to pass the test of Parliament. Let us hope that the text of this draft is approved quickly, so that this new Authority, which should already be operational in eight months, can be organised.
Nathalie Ragheno
Corporate lawyer
EVERYTHING YOU ALWAYS WANTED TO KNOW ABOUT DPO (BUT WERE AFRAID TO ASK)
I
Introduction
1. Even if the concept of Data Protection Officer (hereafter "DPO") existed under another wording (1) and scope in Directive 95/46/EC, (2) the General Data Protection Regulation (3) (hereafter "GDPR") now puts it at the centre of attention. Directive 95/46/EC (4) did not require any organisation to appoint a DPO. The Working Party established by Article 29 of Directive 95/46/EC (hereafter "WP 29") advocated a wider designation, arguing that it offers a competitive advantage for businesses. (5) Belgian law has integrated the principle of this function, (6) but failed to bring it to life by adopting a Royal Decree. Even if some organisations have to designate a Security Counsellor for the Information System, (7) this function remains exceptional in Belgium and reserved for IT specialists.
2. The GDPR goes far beyond the Directive. (8) It provides for mandatory cases of appointment, even for processors, and now considers the DPO as a cornerstone of accountability (9) and a facilitator for compliance. It lays down the conditions for the DPO's appointment, position and tasks in three articles. The GDPR is going to come into effect on 25 May 2018. It does not need to be converted into Belgian law, as it is a regulation and not a directive. In case of infringement, organisations can incur administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. (10) Considering the importance of the DPO in the compliance process, we try in the next pages to shed some light in a concrete manner on this fundamental change for organisations.
II
When to appoint a DPO?
3. Mandatory cases – The size of the controller/processor is not a relevant factor. (11) Even small businesses could have to designate a DPO. The GDPR provides for public authorities and bodies to appoint a DPO, but lets national laws define what these terms comprehend. (12) This article does not go deeper into this point, as it focuses on private sector issues. Regarding the private sector, even if the WP 29 recommends appointing a DPO as a good practice, (13) it is not mandatory in every case. Under the GDPR, only private controllers and processors that – as a core activity and on a large scale – (1) monitor individuals systematically or (2) process special categories of personal data or personal data relating to criminal convictions and offences have to designate a DPO. As these new concepts allow some room for interpretation, the WP 29 has issued guidelines to help companies apprehend them. (14) Its broad interpretation tends to maximize the hypotheses of mandatory appointment of a DPO. (15) In the future, Union or Member State law may require the designation of a DPO in other situations as well. (16) Companies have to stay aware of the Belgian law that has been announced.
4. Core activity (17) – The Committee on Industry, Research and Energy suggested defining "core activities" as activities where 50% of the annual turnover results from the sale of data or revenue is gained from the use of this data. (18) This suggestion, relayed by two amendments, (19) was not followed. There is thus no arithmetical threshold in the GDPR that defines "core activities". Furthermore, those core activities go beyond the mere commercial use of data. Article 37 refers to core activities that "consist" of processing operations of special categories of data and personal data relating to criminal convictions and offences, or operations which require regular and systematic monitoring. The WP 29 interprets this "consist" as meaning "rely on". (20) The question is thus "does the activity of the company rely on the processing?". For example, camera surveillance is a core activity of a private security company, because this processing is necessary to achieve the controller's goals. In the same way, even if the core activity of a hospital is to provide health care, a hospital could not provide health care safely and effectively without processing patients' health records. Therefore, processing those medical data should be considered a core activity according to the WP 29, even if the core activities of a hospital do not consist in processing operations. Thankfully, the WP 29 reckons that payroll and standard IT support activities are ancillary activities that do not call for the designation of a DPO. (21)
5. Large scale – Unfortunately, the GDPR does not provide for a specific amount of data or data subjects to apprehend this "large scale" notion, which is also used regarding impact assessment. (22) Recital 91 only points to a "considerable amount of personal data at regional, national or supranational level". The WP 29 considers the following to be on a large scale: processing of patient data by a hospital, processing of travel data using a city's public transport system, processing of customer data by an insurance company or a bank, behavioural advertising by a search engine, or processing of content, traffic and location data by telephone or internet service providers. (23) At the other extreme of the spectrum, an individual physician or lawyer is not to be considered as processing on a large scale. While being conscious of the huge grey zone in between, at this stage (24) the WP 29 does not provide much precision on how to apprehend all those situations but recommends considering the following factors when determining whether or not the processing is carried out on a large scale: the number of data subjects concerned (a specific number or a proportion of the relevant population), the volume of data, the range of different data items being processed, and the geographical extent of the processing activity. (25) Strangely, the WP 29 states that the duration or permanence of the data processing activity can have an impact on whether or not the processing occurs on a large scale.
6. Monitoring of the behaviour of data subjects – This concept (26) includes all forms of tracking and profiling to take decisions concerning data subjects or to predict their personal preferences, behaviours and attitudes. Behavioural advertising on the Internet obviously falls within this scope, but the WP 29 emphasizes that the notion of monitoring is not restricted to the online environment. (27)
7. Regular and systematic monitoring – Once again, no definition is to be found in the GDPR. The WP 29 interprets "regular" as ongoing or occurring at particular intervals for a particular period, or recurring or repeated at fixed times, or constantly or periodically taking place. It reads "systematic" as meaning occurring according to a system, or pre-arranged, organized, methodical, or taking place as part of a general plan for data collection, or carried out as part of a strategy. (28) While the processing shall be scrutinized with this regularity criterion in mind, the systematic factor seems embedded in any monitoring operation. (29) The WP 29 states that the following can constitute regular and systematic monitoring of data subjects: operating an electronic communication network, providing electronic communication services, email retargeting, data-driven marketing activities, profiling and scoring for purposes of risk assessment, (30) location tracking, (31) loyalty programs, behavioural advertising, monitoring of wellness, fitness and health data via wearable devices, closed circuit television, connected devices such as smart meters, smart cars, home automation, etc. (32)
8. Special categories of data (33) – As in Directive 95/46, special categories of data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, data concerning health or data concerning a natural person's sexual life or sexual orientation. The GDPR also aims specifically at the processing of genetic data and biometric data.
9. Data relating to criminal convictions and offences – Article 10 provides for a specific protection regarding data relating to criminal convictions and offences or related security measures. Unlike Directive 95/46, which leaves Member States the possibility to extend this special status to data relating to administrative sanctions or judgements in civil cases, (34) the GDPR remains silent. (35) These should thus be treated as regular personal data, unless future Belgian law provides for a specific protection.
(1) The terminology "DPO" is the same as in Regulation 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data.
(2) Directive 95/46/EC of the European Parliament and of the Council of 24.10.1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, O.J. L 281, 23.11.1995.
(3) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), O.J. L 119, 04.05.2016.
(4) Directive 95/46/EC, art. 18.2.
(5) http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2015/20150617_appendix_core_issues_plenary_en.pdf.
(6) Data Protection Law 08.12.1992, M.B., 18.03.1993, art. 17bis.
(7) Regarding access to the National Register (art. 10 Law 08.08.1983 on the National Register and art. 4bis Royal Decree 05.09.1994), to the Social Security Network (art. 4, § 5 Law 15.01.1990 on the Social Security Network), exchange of information between Région wallonne and Communauté française (art. 12, § 3 Cooperation agreement 23.05.2013); regarding the management of specific Central Registers: Central Register for Collective Debt Settlement (art. 1675/21, § 3 Judiciary Code), Central Register for Solvency (art. 5/2, § 1st Law 08.08.1997 on bankruptcy), Central Register for dematerialised bailiffs' acts (art. 32quater/2, § 7 Judiciary Code), eRegister of road transport companies (art. 17 Law 15.07.2013), Register for driving licenses (art. 22, § 1 Law 14.04.2011); Register for vehicles (art. 28 Law 19.05.2010); DNA data bank (art. 7 Law 22.03.1999 and art. 34 Royal Decree 17.07.2013); regarding the Federal services integrator (art. 20-23 Royal Decree 17.03.2013); regarding the electronic communication sector (art. 126, § 3 Law 13.06.2015); regarding the list of phone numbers refusing direct marketing (Royal Decree 12.05.2015); regarding the Information and advice center about sects (Law 02.06.1998 and Royal Decree 13.07.2006); regarding the European Center for Missing Children (Law 11.12.1998), Intelligence agencies (art. 4 Royal Decree 12.10.2010) and the police control organ (art. 44/7 Royal Decree 03.06.2002) and regarding hospitals (annexe A Royal Decree 23.10.1964).
(8) CPVP, Recommendation n° 04/2017, 24.05.2017, available at https://www.privacycommission.be/sites/privacycommission/files/documents/recommandation_04_2017.pdf, p. 8, n° 17.
(9) X. Lemarteleur, "Règlement UE sur la protection des données personnelles, entre réformisme et conservatisme", Revue internationale de la compliance et de l'éthique des affaires, n° 40, 6 octobre 2016, p. 40.
(10) GDPR, art. 83(4), regarding infringements of the provisions 8, 11, 25-39, 41(4), 42 and 43.
(11) A 250-employee threshold was mentioned in the initial project.
(12) GDPR, art. 37(1), except for courts acting in their judicial capacity. A Belgian law in preparation will frame this obligation (press release 13.05.2017, Privacy Secretary of State). We can thus expect it to define what is a public entity or body. The Belgian Privacy Commission did not address this issue in its Recommendation n° 04/2017.
(13) WP 29, Guidelines on Data Protection Officers, "WP243.rev01", p. 4, available at http://ec.europa.eu/newsroom/document.cfm?doc_id=44100.
(14) WP 29, Guidelines on Data Protection Officers, "WP243.rev01", op. cit.
(15) T. Leonard, D. Chaumont, O. Guerguinov, "Les trois premiers guides d'implémentation du GDPR publiés par le G29", in Data protection & privacy – Le GDPR dans la pratique / De GDPR in de praktijk, Limal, Anthemis, 2017, p. 182, n° 13.
(16) GDPR, art. 37(4).
(17) In opposition with ancillary activities (GDPR, recital 97).
(18) ITRE Opinion, 26.02.2013, p. 106 and 125.
(19) Amendments 2179 and 2180, http://www.europarl.europa.eu/cmsdata/59688/att_20130508ATT65819-9210698309667325686.pdf.
(20) T. Leonard, D. Chaumont, O. Guerguinov, op. cit., p. 181, n° 10.
(21) WP243.rev01, p. 7.
(22) The WP 29 reckons that this implies that some elements might be specific to that context and do not necessarily apply to the designation of DPOs in the exact same way, WP243.rev01, p. 7.
(23) The WP 29 also gives the example of the processing of real-time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services, WP243.rev01, p. 8.
(24) The WP 29 plans to publish examples of the relevant thresholds for the designation of a DPO, WP243.rev01, p. 7.
(25) WP243.rev01, p. 8.
(26) The WP 29 bases this reasoning upon recital 24, which focuses on the extra-territorial application of the GDPR (as "monitoring of EU citizens' behaviour" (art. 3(2)(b)) justifies application of the GDPR), even if a wording difference ("monitoring behaviour" (art. 3(2)(b)) / "regular and systematic monitoring of data subjects" (art. 37(1)(b))) could be seen as constituting a different notion; WP243.rev01, p. 8.
(27) WP243.rev01, p. 8.
(28) WP243.rev01, p. 9.
(29) For a similar assessment: T. Leonard, D. Chaumont, O. Guerguinov, op. cit., n° 12.
(30) E.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering, WP243.rev01, p. 9.
(31) For instance, by a mobile app, WP243.rev01, p. 9.
(32) WP243.rev01, p. 9.
(33) GDPR, art. 9.
(34) As Belgium has done with the Data Protection Law, art. 8.
(35) Directive 95/46, art. 8.5.
10. Record of decision process – In the light of those explanations, companies shall determine whether or not they are (1) monitoring individuals regularly and systematically or (2) processing special categories of personal data, and if so, whether this processing is part of their core activity and happens on a large scale. If they fulfill these criteria, they shall designate a DPO. Companies estimating that their processing operations do not fit these criteria shall keep records of the decision process they followed to reach this conclusion, in order to be able to demonstrate that the relevant factors have properly been taken into account, according to the accountability principle. When in doubt, controllers and processors may want to designate a DPO to avoid any risk of administrative fine, given their dissuasive amount. They could also seek the advice of the competent national data protection authority, to avoid uncertainty. Companies shall also bear in mind that, in the future, a new activity might fall within these mandatory cases and thus imply the appointment of a DPO.
11. Designation on a voluntary basis – Even if the GDPR does not require the appointment of a DPO, the WP 29 encourages this voluntary effort. (36) Unfortunately, the GDPR does not provide for any incentive, (37) except that no fee will be charged by national authorities when dealing with a DPO. (38) This does not really sound convincing, bearing in mind the cost of a DPO. Controllers may even ask themselves whether they will be treated with less benevolence if a DPO is in charge. Any organisation willing to spontaneously appoint a DPO shall keep in mind that this implies the same obligations as for a mandatory DPO, with regard to the extent of his/her mission, his/her protection, etc. (39) An intermediate solution could be to appoint a person (employee or consultant) in charge of privacy issues, but not as a DPO as such. In this case, the controller shall ensure that there is no confusion regarding his/her title, status, position and tasks and that the service contract with the external consultant specifies that the mission is not one of DPO. (40)
12. What about the processors? – For the record, a processor is defined as "the person or body, which processes data on behalf of the controller". (41) As said above, the obligation to appoint a DPO applies to both controllers and processors that, as a core activity and on a large scale, monitor individuals systematically or process special categories of personal data. One may wonder if a controller who has to appoint a DPO must choose only a processor who has himself designated a DPO. The WP 29 states that it may be a good practice, but even if the controller fulfills the criteria for mandatory designation, its processor is not necessarily required to appoint a DPO. (42) If both controller and processor have designated a DPO, those two shall cooperate. The WP 29 also makes clear that the DPO designated by a processor will also oversee activities carried out by the processor when acting as a data controller in its own right, for instance when processing workforce data. (43)
III
Who to appoint?
13. Professional qualities and expertise – The DPO “shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 39”. (44)
(36) WP243.rev01, p. 4. (37) In opposition with certification and codes of conduct, that help demonstrate compliance for example (art. 32.3); D. De Bot, “De DPO of functionaris voor gegevensbescherming in de AVG – gevolgen voor de Belgische praktijk”, in Data protection & privacy – Le GDPR dans la pratique / De GDPR in de praktijk, Limal, Anthemis, 2017, p. 94. (38) GDPR, art. 57(3). (39) WP243.rev01, p. 5. (40) WP243.rev01, p. 6. (41) GDPR, art. 4(8). (42) Examples given by WP 29 (WP243.rev01, p. 9): A small family business active in the distribution of household appliances in a single town uses the services of a processor whose core activity is to provide website analytics services and assistance with targeted advertising and marketing. The activities of the family business and its customers do not generate processing of data on a ‘large scale’, considering the small number of customers and the relatively limited activities. However, the activities of the processor, having many customers like this small
Cah. Jur., 2017/2 -
291626TIO_CJ17-2_cs6_pc.indd 34
The WP 29 provides that DPO must have (1) expertise in national and European data protection laws and practices as an in-depth understanding of the GDPR, (2) knowledge of the business sector and of the organisation of the controller, as well as (3) a good understanding of the processing operations carried out, the information systems, data security, data protection needs of the controller and (4) the ability to promote a data protection culture within the organisation. The wording used by the WP 29 reflects a focus on the legal skills (expertise) rather than on technological skills (good understanding). (45) In the case of a public authority/body, the WP 29 also recommends the DPO to have a comprehensive knowledge of the administrative rules and procedures. (46) 14. Level of expertise – The required level of expertise in data protection laws is not strictly defined. No specific training is required. The necessary level of knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed. (47) The WP 29 recommends to commensurate this exigence with the complexity and amount of data the organisation processes, and to take special care if sensible data are processed or if the organisation systematically transfers personal data outside the EU. (48) The WP 29 invites the supervisory authorities to promote adequate and regular training for DPO’s, as the French CNIL already does for the current “Correspondants Information et Libertés”. The Belgian Privacy Commission has not yet made known a similar program. Its reorganisation in the next months to become the Data Protection Authority (49) would be the opportunity to provide
enterprise, taken together, are carrying out large-scale processing. The processor must therefore designate a DPO under Article 37(1)(b). At the same time, the family business itself is not under an obligation to designate a DPO; A medium-size tile manufacturing company subcontracts its occupational health services to an external processor, which has a large number of similar clients. The processor shall designate a DPO under Article 37(1)(c) provided that the processing is on a large scale. However, the manufacturer is not necessarily under an obligation to designate a DPO. (43) WP243.rev01, p. 10. (44) GDPR, art. 37(5). (45) C. Torres, B. Lapraye, “Le portrait d’un DPO”, in Le Data Protection Officer, Bruxelles, Bruylant, 2017, pp. 21-22, nos 102-107. (46) WP243.rev01, p. 11. (47) GDPR, recital 97. (48) WP243.rev01, p. 11. (49) Data Protection Authority Draft Law, www.lachambre.be, file 54/2648.
34 20/10/2017 09:55:56
for this type of service to company, ensuring an effective data protection. As said herunder, (50) controller/processor must provide the DPO with necessary resources. Regarding an internal DPO, this implies time to follow continuous training, as well as assuming formation fees. 15. No prior approval – In opposition to the current “Security Counsellor for the Information System”, the appointment of the DPO is not subject to prior approval of the future Data Protection Authority. (51) (52) The adequacy of the profile will thus only lay in the hands of the controller/processor. 16. Designation of a single DPO for several organisations – A group of undertakings/public organisms may designate a single DPO, provided that he/she is “easily accessible from each establishment”, (53) as the DPO acts as a contact point with respect to data subjects, (54) the supervisory authority (55) but also within the organisation. (56) The same idea of “remote accessibility” allows to designate an external DPO, for example a lawyer. A lot of organisations will probably be tempted to concentrate this positions into one person, as a matter of rationalisation. This “effective accessibility” is thus a crucial issue. 17. Geographical accessibility – Even if a physical presence within the premises of the controller/processor is not required, the WP 29 recommends the DPO to be located within the EU even if the controller or the processor is not established in the EU. (57) Unfortunately, the WP 29 gives no clue if the DPO can fulfil the function of representative provided for by Article 27 at the same time. 18. Concrete accessibility – The contact details of the DPO (a postal address, a dedicated telephone number, and/or a dedicated e-mail address, eventually a dedicated hotline, a dedicated contact form on the organisation’s website) must be available and communicated
to employees, to data subjects (along with other information) (58) and to the relevant supervisory authorities. (59) It is important to stress that, while informing data subjects and employees of the name (and not only contact details) of the DPO is qualified as a good practice, communication of the name of the DPO to the supervisory authority is pointed as essential by the WP 29. The French CNIL has already made known that a designation form would be available on its website. (60) The future Belgian Data Protection Authority insists that this communication is not to be regarded as a request for approval of DPO’s identity. (61) Name and contact details of the DPO must also be mentioned in the register of processing operations (62) and when notifying a data breach to the national authority and data subjects. (63) The GDPR states that contact details alone must also be provided to the national control authority when asking for a prior consultation. (64) To ensure accessibility, those contact means must of course effectively be answered by the DPO, but what if he/she is on holiday? We discuss hereunder a concrete solution to this issue. 19. Language accessibility – The WP 29 stresses the fact that communication between the DPO and the data subjects/control authority must take place in the language(s) used by the supervisory authorities and the data subjects concerned. While we do not see this as an excessive exigence when appointing a single DPO for a group of undertakings established in different states, (65) it becomes tricky when data subjects from all EU can exercise their rights before a DPO established in one Member State. Can a data subject who bought a product via a website in English require to be addressed to in Finnish when dealing with the DPO of the vendor? It would mean that every DPO should master all 24 official languages of the EU. Furthermore, data
subjects inside the EU might speak a language that is not one of these 24 official ones. Besides, the GDPR is sometimes going to apply to situations where the data subjects live outside the EU, and consequently might speak a language that is not one of the 24 EU official ones. It would be excessive to require the communication between the DPO and such data subjects to take place in whatever language those data subjects would prefer. Even if the future Belgian Data Protection Authority specifies that the DPO can seek the help of translators, (66) we think that this language requirement may not be realistic in every case, especially when the request is made in a language that was not used in the activity of the controller. Furthermore, the GDPR only provides for the data subject to be informed about their rights in plain language. (67) It is silent about which language must be used. In our view, if someone agrees to buy a product in a foreign language, we do not see any basis in the GDPR for this person to require privacy information in his/her own language. Consequently, it would be unreasonable for the controller/processor to have to answer the request in languages other than the ones used for the information notice.

20. No excessive workload – The controller/processor has to provide the DPO with the necessary resources. The organisation must ensure that a single DPO, with the help of a team if necessary, is able to perform his/her tasks efficiently despite being designated for several controllers or processors. Therefore, the decision to appoint a common DPO cannot be made before a mapping of the needs of the different undertakings/public bodies has been completed, in order to define the workload of the future DPO(s). The same requirement applies to a single part-time DPO confronted with complex and/or sensitive processing

(50) See § 0. (51) Data Protection Authority Draft Law, www.lachambre.be, file 54/2648. (52) CPVP, Recommendation n° 04/2017, p. 16, n° 45. (53) GDPR, art. 37(2). (54) GDPR, art. 38(4). (55) GDPR, art. 39(1)(e). (56) GDPR, art. 39(1)(a). (57) WP243.rev01, p. 11. (58) GDPR, art. 13(1)(b) and 14(1)(b). (59) GDPR, art. 37(7). (60) https://www.cnil.fr/fr/devenir-delegue-la-protection-des-donnees. (61) CPVP, Recommendation n° 04/2017, p. 10, n° 25. (62) GDPR, art. 30(1)(a) and 30(2)(a). The future Belgian Data Protection Authority made clear that this mention does not exempt from the notification to the data protection authorities (CPVP, Recommendation n° 06/2017 regarding the register of processing operations, p. 12). (63) GDPR, art. 33(3)(b) and 30(2). (64) GDPR, art. 36(3)(d). (65) About this issue: K. Rosier, “Délégué à la protection des données: une nouvelle fonction, un métier en devenir”, in Vers un droit européen de la protection des données, Bruxelles, Larcier, 2017, p. 148. (66) https://www.privacycommission.be/en/node/19867. The future Belgian Data Protection Authority also specifies that the register of processing operations does not have to be written in one of Belgium’s official languages. If it is written in another language, the future Data Protection Authority will be able to ask for a translation, at the cost of the controller/processor (CPVP, Recommendation n° 06/2017, p. 19). (67) GDPR, art. 12.
Cah. Jur., 2017/2 - 35
operations. (68) The WP 29 advises establishing a percentage of time for the DPO function where it is not performed on a full-time basis. (69) Otherwise, conflicting priorities could result in the DPO’s duties being neglected.

21. Risk-based approach – That being said, as the DPO function is by definition a never-ending effort towards compliance, how much time is enough? Fortunately, the GDPR as well as the WP 29 stress that the DPO must adopt a risk-based approach (70) and focus his/her efforts on issues that present higher data protection risks. Even if this does not mean that the DPO can neglect data processing operations that have a comparatively lower level of risk, it implies that the DPO is not supposed to achieve perfect compliance at once and that a reasonable amount of time devoted to this task is enough. In Belgium, the Flemish Control Commission for Data Transmission between Administrations states that the Security Counsellor for the Information System must dedicate, as a minimum, 4 hours a week per organisation. (71)

22. Internal/external DPO – An organisation can decide to appoint an internal DPO or to conclude a service contract with a third party to exercise the DPO function. (72) This choice has an impact on the contractual relations between the controller/processor and the DPO, (73) but none on the tasks to be performed, nor on the data subjects or the supervisory authority.

23. Team – The question arises quickly regarding an external DPO: is it possible to appoint an organisation as DPO (for instance a law firm) or does it have to be a natural person (a specific lawyer)? The WP 29 states explicitly that an organisation can be designated as DPO. (74) The WP 29 even suggests that the combined skills and strengths of a team may serve the controller/processor more efficiently. A team may also provide a solution to language issues in a multilingual country or for a DPO appointed by undertakings established in several countries. Furthermore, putting in place a DPO department can solve the accessibility issue when the DPO is not on duty or is unavailable to answer requests. The WP 29 recommends having a clear allocation of tasks within the DPO team and assigning (75) a single individual as lead contact and person “in charge” for each client. In the same way, the WP 29 and the future Belgian Data Protection Authority (76) state that an internal DPO can rely on a team to exercise his/her missions. (77)

24. Multiple DPOs? – At the other end of the spectrum, could more than one DPO be appointed by a single controller/processor, for example for different areas of business (B2C/B2B, sales operations/renting for a realtor, etc.)? This point has not yet been addressed by the WP 29. Pending clarification, we are inclined to think that the answer is negative. First, the wording of the GDPR systematically refers to a DPO. Second, the contact function of the DPO would be complicated for the public and the supervisory authority (78) if it is not clear which DPO is in charge. Furthermore, the DPO is supposed to have a global view of all the data processing operations of the organisation, which would be jeopardised by a division of tasks. We thus recommend instituting a team with a single person in charge rather than multiple DPOs.

25. Avoiding conflicts of interest – The GDPR allows the DPO to “fulfil other tasks and duties”, (79) but conflicts of interest can arise both with internal and external DPOs due to
(68) This decision lies in the hands of the controller/processor, while the workload of the Security Counsellor is subject to approval by the competent Committee of the Privacy Commission, CPVP, Recommendation n° 04/2017, p. 15, n° 42. (69) WP243.rev01, p. 14. (70) GDPR, art. 39(2). (71) Vlaamse Toezichtcommissie voor het elektronische bestuurlijke gegevensverkeer, http://vtc.corve.be/faq.php#12b. If the City and the Public Centre for Social Welfare use the same infrastructure, a shared Information Security Consultant for 6 hours a week is accepted. (72) GDPR, art. 37(6). The French-speaking Brussels Bar Association made clear that a lawyer can exercise the function of DPO, provided that he/she informs the Head of the Bar Association beforehand (Codeon, art. 2.100.b). (73) See chapter 0. (74) WP243.rev01, p. 12. (75) For example, in the service contract, WP243.rev01, p. 12. (76) CPVP, Recommendation n° 04/2017, p. 16, § 47. (77) For a similar assessment: D. De Bot, op. cit., p. 103, n° 5.
these other tasks and duties and should be avoided.

Internal DPO – Almost every employee processes personal data to fulfil his/her function. There is only a conflict of interest if the internal DPO holds a position within the organisation that leads him/her to determine the purposes and the means of the processing of personal data. (80) In this case, the employee would be both judge and party. The WP 29 advises considering this point case by case, with regard to the specific organisational structure of each organisation. The WP 29 nonetheless states that, “as a rule of thumb”, conflicting positions may include senior management positions such as chief executive, chief operating, chief financial or chief medical officer, head of the marketing department, head of Human Resources or head of the IT department. (81) Before appointing a DPO, the WP 29 recommends, as good practice, identifying the positions which would be incompatible with the function of DPO, ensuring that the vacancy notice is sufficiently precise and detailed in order to avoid a conflict of interest, and drawing up internal rules in order to avoid conflicts. (82) The future Belgian Data Protection Authority suggests documenting the decision-making process as to who to appoint as DPO. (83) This prohibition of conflicts of interest is not a mere statement of principle. The Bayerische Landesamt für Datenschutzaufsicht has already fined a German company for having appointed its IT manager as DPO. (84) With all this in mind, avoiding conflicting interests may be difficult inside a small organisation. Chief privacy officers or other privacy professionals already in place today in some companies may not always meet the GDPR criteria. If the organisational structure does not
(78) The WP 29 states that “The objective of these requirements is to ensure that data subjects (both inside and outside of the organisation) and the supervisory authorities can easily and directly contact the DPO without having to contact another part of the organisation”, WP243.rev01, p. 12. (79) GDPR, art. 38(6). (80) K. Rosier, op. cit., p. 155. It is interesting to note that, regarding the DNA data bank, the “DPO” expressly cannot exercise his/her duty when he has a personal interest or when kin are concerned (art. 7 Law 22.03.1999 and art. 34 Royal Decree 17.07.2013). (81) WP243.rev01, p. 16. Current French legislation prohibits the controller or his legal representative from becoming the “Correspondant informatique et Libertés”, Decree 2005‑1039 of 20.10.2005 enforcing Law n° 78‑17 of 06.01.1978, art. 46. (82) WP243.rev01, p. 16. (83) CPVP, Recommendation n° 04/2017, 24.05.2017, p. 10, n° 26. (84) Bayerische Landesamt für Datenschutzaufsicht, 20.10.2016, press release: https://www.lda.bayern.de/media/pm2016_08.pdf.
allow someone fit for the job to be found, it seems more prudent to appoint an external DPO, given the future GDPR fines. Once the DPO has been appointed, the WP 29 encourages organisations to declare that he/she has no conflict of interest with regard to his/her function as DPO, as a way of raising awareness, and to provide a general explanation about conflicts of interest. (85)

Security Counsellor for the Information System – Specific Belgian legislation already requires, in certain cases, the appointment of a Security Counsellor for the Information System. (86) The future Belgian Data Protection Authority has issued some guidance on the compatibility of the function of Security Counsellor with the function of DPO, (87) but has deliberately chosen not to provide a clear answer. The Belgian Authority advises the controller/processor to examine compatibility on a case-by-case basis. We tend to think that existing Security Counsellors, who already supervise the existing security measures, may not be the best judges of their compliance with the GDPR. (88)

External DPO – Even if an external DPO is free from conflicts of interest within the organisation that appointed him/her, there are multiple possibilities where other types of conflict can arise. An external DPO can of course represent different clients who later happen to contract together, and maybe enter into conflict. If the DPO is a lawyer, his/her deontology does not allow him/her to intervene for both clients once a conflict arises. (89) One can also imagine that a DPO would be asked to represent the controller/processor before the courts in cases involving data protection issues. In this scenario, the DPO would not be best suited, for lack of the necessary distance, to effectively defend the controller/processor’s interests. (90) The French Lawyers’ Internal Regulation has provided since January 2017 that a lawyer shall refuse to represent in administrative or judicial proceedings any controller/processor by which he/she is or was appointed as DPO. (91) The same prohibition has applied to French-speaking Brussels lawyers since June 2017. (92) The CCBE also suggests that Bars and Law Societies recommend their members not to assume the responsibility of DPO for an external client if they have acted as a lawyer in matters which might fall within the DPO’s responsibility, or will act, during their term as DPO, as a lawyer in matters they were or are involved in as DPO. (93) It is unfortunate that the other Belgian Bar Associations have not yet issued guidelines on this matter, despite the fact that the French- and German-speaking Bar Association has revised its provision on conflicts of interest. (94) The GDPR also provides that members of a supervisory authority must refrain from any action incompatible with their duties and should not, during their term of office, engage in any incompatible occupation, whether gainful or not. (95)
It means that they cannot be DPO at the same time. The fundamental principles of lawyers’ deontology would in any case prevent such a situation. (96) Conversely, if the DPO is not bound by a professional deontology, nothing protects the controller/processor against a conflict of interest on the part of the DPO. It is only after having been harmed by this conflict of interest that the controller/processor could try to demonstrate that his loss is due to the DPO’s conflicting position. This proof would naturally be hard to produce, because it requires demonstrating that the DPO would have acted differently had he/she not been in that conflicting position. Where a lawyer acts as DPO, the infringement of a deontological duty could more easily constitute a breach of contract. (97)

26. Secrecy/confidentiality – The DPO is bound by secrecy or confidentiality concerning the performance of his/her tasks, in accordance with Union or Member State law. (98) Of course, this obligation cannot justify refusing to answer the request of a data subject. (99) Because the WP 29 explains that employees may be reluctant to complain to the DPO if the confidentiality of their communications is not guaranteed, (100) we assume that the WP 29 also intends the confidentiality of their communications with the DPO vis-à-vis their employer. The WP 29 states that the obligation of secrecy/confidentiality does not

(85) WP243.rev01, p. 16. (86) See footnote 7. (87) https://www.privacycommission.be/fr/quelle-est-la-diff%C3%A9rence-entre-une-conseiller-en-s%C3%A9curit%C3%A9-de-linformationet-un-d%C3%A9l%C3%A9gu%C3%A9-%C3%A0-la, p. 9; the question is not the same in France, where the CNIL states that “correspondants informatique et Libertés” are destined to become DPOs (http://www.cil.cnrs.fr/CIL/spip.php?article2909). (88) For a deeper analysis of this point, see D. De Bot, op. cit., pp. 100‑102. (89) The French-speaking Brussels Bar Association explicitly prevents it (Codeon, art. 2.100.e). (90) The French CNIL underlines this possibility of a conflict of interest (https://www.cnil.fr/fr/devenir-delegue-la-protection-des-donnees). (91) Décision du 26 janvier 2017 portant réforme du règlement intérieur national (RIN) de la profession d'avocat, J.O.R.F., n° 0088 du 13 avril 2017, texte n° 33. (92) Codeon, art. 2.100.d. and art. 2.100.e even states that “Nor may he, once his mandate has expired, act for or against the controller, unless there is no conflict of interest with his previous mandate and no suspicion of a breach of his professional secrecy. In case of doubt, he does not act”. Despite the wording, we do not see any reason this prohibition should only apply in relation to controllers and not processors. (93) CCBE Guidance on the main new compliance measures for lawyers regarding the General Data Protection Regulation (GDPR), 19.05.2017, http://www.ccbe.eu/fileadmin/speciality_distribution/public/documents/IT_LAW/ITL_Position_papers/EN_ITL_20170519_CCBE-Guidance-onmain-new-compliance-measures-for-lawyers-regarding-GDPR.pdf. (94) Règlement de l’Ordre des barreaux francophones et germanophone du 20 mars 2017 insérant un chapitre 5 au titre 5 du code de déontologie de l’avocat, M.B., 17.05.2017, art. 5.43: “A lawyer may not act as counsel for a client if there is a conflict between the client’s interests and his own interests or those of his relatives, nor if the lawyer has already dealt with the matter as a civil servant, judge, arbitrator or mediator, or in the capacity of an organ in any other alternative method of preventing or resolving disputes, or in any other comparable function, or in any situation where the lawyer may reasonably believe that the existence of divergent interests may affect his independence of judgement or his loyalty towards the clients or institutions concerned”. (95) GDPR, art. 52(3). (96) Deontological Code of Avocats.be, available at http://avocats.be/sites/default/files/01.05.2017%20Code%20d%C3%A9ontologie%20version%20fran%C3%A7aise%20en%20vigueur%20au%2001.05.2017%20.pdf, Art. 1.2.c. (97) See for instance Liège, 14.10.1994, J.L.M.B., 1995, p. 302 (regarding the deontology of an architect). (98) GDPR, art. 38(5). This professional secrecy already exists regarding the DNA data bank (art. 7 Law 22.03.1999 and art. 34 Royal Decree 17.07.2013) and the European Center for Missing Children (Law 11.12.1998). (99) K. Rosier, op. cit., p. 161. (100) WP243.rev01, p. 12.
prevent the DPO from contacting and seeking advice from the supervisory authority. (101) This clarification raises an important issue. Does the DPO have the possibility or the duty to notify non-compliance to the supervisory authority, even if that can lead to proceedings against the controller/processor? We do not think that the mission of the DPO goes this far (102) and see no ground in the GDPR on which to found such a duty. (103) It is interesting to note that the Security Counsellor for the Information System only has to report a wrongdoing to the person in charge of daily management. (104) In any case, a reporting obligation would be irreconcilable with the legal privilege of a lawyer acting as DPO. The French Bar Association has clearly stated that in no case can a lawyer-DPO report against his/her client and that when a lawyer-DPO is facing a dead end, he/she has to put an end to his/her mission. (105) While being less explicit, the CCBE seems to share this point of view: it recommends that lawyers acting as DPO avoid being in a situation where their obligation to report to the authority conflicts with their obligation of secrecy. (106) Except for the French-speaking Brussels Bar, Belgian Bar Associations have not yet ruled on this point. Nevertheless, the legal professional privilege provided for by article 458 of the Penal Code would prevent a Belgian lawyer from reporting to the future Belgian Data Protection Authority a wrongdoing noted in his/her function as DPO. The French-speaking Brussels Bar Association emphasises the fact that a lawyer who acts as DPO remains subject to all Bar deontological duties (107) and has to stay independent. If not, the lawyer acting as DPO has to put an end to his/her mission. (108) The future Belgian Data Protection Authority considers that this secrecy/confidentiality obligation is not the same as the one provided for by article 458 of the Belgian Penal Code. (109) Nevertheless, nothing would prevent Belgian law from adding the function of DPO to the enumeration contained in article 458 of the Penal Code. That would protect controllers/processors having appointed an external DPO who is not a lawyer against unwanted reporting. Meanwhile, a confidentiality provision must be inserted in the employment or service contract of the DPO. Should the DPO function imply a duty to report, then the DPO mission should not be seen as part of the lawyer’s activity, just as the management of a building co-ownership or a curator mission are not part of the lawyer’s activity and are not subject to legal privilege even if they are performed by a lawyer. A confidentiality provision should then be inserted in the service contract of the lawyer acting as DPO.
IV
Mission of the DPO
27. Scope – The DPO, whether mandatory or voluntary, is designated for all the processing operations carried out by the controller or the processor. (110)

28. Mandatory tasks – The DPO shall at least be in charge of the tasks described hereunder, (111) under penalty of an administrative fine, even if his/her appointment was not mandatory. Of course, nothing prevents the controller/processor from assigning other tasks to the DPO. (112)
(101) WP243.rev01, p. 18. (102) Unless he/she considers it his/her duty to speak up and asks to benefit from the protection of art. 10 ECHR as a whistleblower. About this topic, see F. Coton, J.-F. Henrotte, “Le lanceur d’alerte: une personne concernée par le traitement de ses données à caractère personnel, mais également par son avenir professionnel…”, R.D.T.I., 2015/4, n° 61, pp. 43-78. (103) D. De Bot, op. cit., p. 98. (104) Royal Decree 12.08.1993 regarding information security in social security institutions, M.B., 21.08.1993, art. 3. (105) Décision du 26 janvier 2017 portant réforme du règlement intérieur national (RIN) de la profession d'avocat, J.O.R.F., n° 0088 du 13 avril 2017, texte n° 33, art. 6.3.3: “The lawyer acting as Data Protection Officer must put an end to his mission if he considers that he cannot perform it, after having first informed the person responsible for the processing operations and taken the necessary steps with that person; in no case may he report his client”. (106) Even though the CCBE clumsily declares that being the contact person for the data protection authority involves obligations to report to the authority even if it is against the interest of the controller or processor, CCBE-Guidance-on-main-new-compliance-measures-for-lawyersregarding-GDPR.pdf. (107) Codeon, art. 2.100.a.
There is no publicity regarding the tasks of the DPO, nor a fortiori regarding the content of the DPO’s contract. (113) The complete tasks must only be described when applying for BCR approval. (114) Nevertheless, the WP 29 recommends that the controller clearly outlines the precise tasks of the DPO and their scope, (115) in the information provided to employees and to management. (116) The DPO mission involves three different axes: awareness raising and advice, control, and acting as an intermediary. As said above, it is not an executive function, as he/she is not supposed to take decisions in place of the controller/processor.

29. Awareness raising – The DPO’s essential task is to foster a data protection culture within the organisation and to help to integrate as reflexes the principles of lawful data processing, security of processing, data subjects’ rights, and data protection by design and by default, (117) as the human factor is essential to ensure concrete compliance. Following the risk-based approach, the DPO should primarily focus internal training activities on key groups and on the higher-risk areas.

Advice – To promote a privacy by design approach, the controller/processor must ensure that the DPO is involved, properly and from the earliest stage possible, in all issues which relate to the protection of personal data. (118) To achieve this, each level of the controller/processor company should be aware of the existence and missions of the DPO. The WP 29 advises the organisation to ensure that the DPO and his/her mission are presented to senior and middle management and that he/she is then invited to participate regularly in their meetings, and
(108) Codeon, art. 2.100.c. (109) CPVP, Recommendation n° 04/2017, p. 17, footnote 33. (110) WP243.rev01, p. 6. (111) GDPR, art. 39(1). (112) WP243.rev01, p. 17. For example: collaborating with a potential client’s DPO in order to demonstrate GDPR compliance, advice regarding privacy clauses in contracts with processors and third parties, privacy litigation management, … (A. Marc, “La sécurité et le DPO”, in Le Data Protection Officer, Bruxelles, Bruylant, 2017, p. 117, n° 579 and p. 121, n° 598). (113) But the national supervisory authority could require to see this contract, based on its investigative powers. (114) GDPR, art. 47(2)(h). (115) In particular with respect to carrying out the DPIA. (116) WP243.rev01, p. 18. (117) WP243.rev01, p. 12. For concrete examples, see H. Legras, “Les missions du DPO”, and D. Entraygues, M. Grateau, A. Marc, “Les outils de conformité à metre en place”, in Le Data Protection Officer, Bruxelles, Bruylant, 2017, p. 34, nos 170-174 and pp. 50-51, nos 251-268. (118) GDPR, art. 38. The GDPR explicitly provides for the early involvement of the DPO in relation to data protection impact assessments. The DPO must also be promptly consulted once a data breach or another incident has occurred.
recommends his/her presence when decisions with data protection implications are taken. The WP 29 also encourages the development of internal data protection guidelines that establish when the DPO must be consulted. (119) Once consulted, the DPO must be listened to. His/her opinion must always be given due weight. In case of disagreement, the WP 29 recommends, as good practice and a way of proving accountability, documenting the reasons for not following the DPO’s advice. (120)

Advice about the data protection impact assessment (DPIA) (121) – The DPO must provide advice where requested as regards the DPIA but has no duty to carry out the DPIA when one is necessary. (122) The WP 29 recommends that the controller/processor seek the advice of the DPO on whether or not to carry out a DPIA, what methodology to follow, whether to carry out the DPIA in-house or to outsource it, which safeguards to apply to mitigate any risks to the rights and interests of the data subjects, and whether or not the DPIA has been correctly executed and whether its conclusions are in compliance with the GDPR, (123) which means whether or not to request prior approval from the future Belgian Data Protection Authority. The latter stresses the fact that the DPO shall seek help from all the actors concerned and should not carry out a DPIA by himself/herself (124) even if he is entrusted to do so.

30. Monitoring compliance with the GDPR (125) – The DPO must assist the controller/processor in monitoring internal compliance with the GDPR. (126) The future Belgian Data Protection Authority underlines the fact that the DPO role consists more in assistance than in control. (127) The DPO may collect information to identify processing activities, analyse and check the compliance of processing activities, but this does not mean that the DPO has to keep the record of processing operations. Keeping the register is the responsibility of the controller/processor (128) and is not part of the minimum mission of the DPO, even if the Belgian Authority thinks the DPO must be involved in this collection process. (129) Of course, this record is the primary tool enabling the DPO to monitor compliance, and nothing prevents the controller/processor from assigning this task to the DPO. (130) To monitor compliance, the DPO should also run regular audits. The WP 29 suggests renewing the DPIA every three years (131) while the future Belgian Data Protection Authority advises renewing it every two years in its draft recommendation. (132) Appointing an external DPO seems a good opportunity to review all the compliance points. But if the DPO is an employee, it is perhaps more appropriate to spread audit tasks across the year and to draft an annual report on his/her activities for the highest management level.

31. Acting as a contact point and cooperating with the supervisory authority – The DPO has to “act as a contact point” (133) for the supervisory authority and data subjects on issues relating to processing and to cooperate with the supervisory authority, (134) both in their language. (135) The “contact point” function comes into play in particular when prior consultation (136) and notification of a data breach (137) are needed. Cooperation means facilitating access by the supervisory authority to the documents and information required for the performance of its tasks, (138) as well as for the exercise of its investigative, corrective, authorisation and advisory powers. (139) If the DPO
(119) WP243.rev01, pp. 13‑14. (120) WP243.rev01, p. 17. (121) Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, WP248, available at http://ec.europa.eu/newsroom/document.cfm?doc_id=44137. (122) GDPR, art. 35(1). (123) WP243.rev01, p. 17. (124) CPVP, Draft recommendation regarding DPIA, available at https://www.privacycommission.be/fr/node/19687, p. 16, nos 50‑51. (125) GDPR, art. 39(1)(b). (126) GDPR, recital 97. (127) CPVP, Recommendation n° 04/2017, p. 13, n° 34. (128) GDPR, art. 30(1) and (2). (129) CPVP, Recommendation n° 04/2017, p. 14, n° 36 and CPVP, Recommendation n° 06/2017, p. 18, n° 44. (130) WP243.rev01, p. 19. (131) WP248, p. 12. (132) CPVP, Draft recommendation regarding DPIA, p. 19 and p. 22, n° 7, nos 50‑51. No specific frequency is recommended regarding the
is the one in charge, this does not mean that he has to handle the requests himself. (140) The DPO should only ensure that the request is duly and properly answered. The controller/processor could grant the DPO a more proactive role, such as drafting a procedure for responding to a data subject or to the future Belgian Data Protection Authority, training staff on how to handle such a request, or handling those requests himself, but this is not part of the DPO’s basic mission and must be provided for in his/her contract.

32. No personal liability – Like the current Security Counsellor for the Information System, the DPO is not personally liable in case of non-compliance with the GDPR. The GDPR makes it clear that it is the controller/processor who is required to demonstrate compliance. (141) This only offers further protection for the internal DPO, because Belgian law provides for a quasi-exclusive liability of the employer when an employee commits a wrongdoing in the course of his/her job. (142) The situation is less clear for an external DPO. On the one hand, wrong or insufficient advice could give rise to contractual liability. On the other hand, criminal liability cannot be excluded in our view. The French CNIL states, regarding a CIL, that his/her criminal liability can be engaged if he purposefully infringes the penal provisions of French law, or acts as an accomplice of the controller/processor. (143) The Belgian privacy law currently being drafted will probably maintain penal sanctions, which could entail the same liability for the future external DPO. Then, what should a DPO do when faced with a controller/processor who does not want to comply with the GDPR, or at least with what the DPO considers as mandatory? As seen above, (144)
updating of the register of processing operations, which is always supposed to be up to date (CPVP, Recommendation n° 06/2017, p. 19, n° 50). (133) GDPR, art. 3(1)(e). (134) GDPR, art. 3(1)(d). (135) See § 0. (136) GDPR, art. 36. (137) GDPR, art. 33 and 34. (138) GDPR, art. 57. (139) GDPR, art. 58. (140) K. Rosier, op. cit., p. 154. (141) GDPR, art. 24(1). (142) Law 03.07.1978 on employment contracts, art. 18. (143) CNIL, La responsabilité du CIL et la délégation de pouvoirs, p. 4, available at https://www.cnil.fr/sites/default/files/typo/document/20101108_NE_LA%20RESPONSABILITE_DU_CIL_ET_LA_DELEGATION_DE_POUVOIRS_VD.pdf; for an analysis under French law: A. Coquer, “La responsabilité”, in Le Data Protection Officer, Bruxelles, Bruylant, 2017, pp. 128‑129, nos 627‑638. (144) See § 0.
Cah. Jur., 2017/2 -
291626TIO_CJ17-2_cs6_pc.indd 39
39
20/10/2017 09:55:57
we do not think that the DPO has a duty to notify non-compliance to the supervisory authority. He/she should only put an end to his/her mission. Because the supervisory authority must know the name and contact details of the DPO, the latter should inform the authority of the termination of his/her mission. In our view, the DPO does not have to give any explanation, like an architect facing an urban-planning infringement. Nevertheless, the supervisory authority should at least check that a new DPO is appointed and could investigate this untimely departure and, incidentally, the controller/processor’s global compliance.

33. Resources to provide to the DPO – As said above, the DPO must have the necessary resources to be able to carry out his or her tasks. (145) This implies sufficient time for the DPO to fulfil his/her tasks, (146) adequate staff where appropriate, financial resources, infrastructure (premises, facilities, equipment) and continuous training. (147) Furthermore, it requires active support of the DPO’s function by senior management. All relevant information must be passed on to the DPO in a timely manner in order to allow him/her to provide adequate advice. (148) In concrete terms, the controller/processor shall ensure official communication of the designation of the DPO to all staff, so that his/her existence and function are known within the organisation, and that the DPO receives support, input and information (at least from the Human Resources, Legal, IT and Security departments). (149)

34. Independence – In order to give the DPO a sufficient degree of autonomy, he/she should not suffer from a conflict of interest with possible other tasks and duties, as seen above. (150) To strengthen the autonomy of the
DPO, the GDPR states that the DPO shall directly report to the highest management level of the controller/processor. (151) The GDPR also provides that the DPO cannot receive instructions from the controller/processor regarding the exercise of his/her tasks, nor be dismissed or penalised for the performance of his/her tasks. (152) This protection was already granted to privacy officers in some Belgian laws. (153)

No instructions – The DPO shall not be instructed, for example, on how to take a certain view of an issue related to data protection law, what result should be achieved, how to investigate a complaint or whether to consult the supervisory authority. The DPO does not, however, have decision-making powers. If the controller/processor acts in a way that is incompatible with the GDPR and the DPO's advice, the DPO should be given the possibility to make his or her dissenting opinion clear to the highest management level and to those making the decisions. (154) In case of disagreement, as seen above, (155) the WP 29 recommends, as good practice and a way of proving accountability, documenting the reasons for not following the DPO’s advice. If the DPO states that the controller/processor’s behaviour is incompatible with the GDPR, he/she should put an end to his/her mission. (156)

No sanction for the performance of the DPO’s tasks (157) – The GDPR provides for protection against unfair dismissal of the internal DPO and unfair termination of the service contract for activities as external DPO. For instance, the DPO cannot be dismissed for providing advice that does not suit the controller/processor. The WP 29 states that this protection is granted against every form, direct or indirect, of penalty: absence or delay of promotion, prevention from career advancement,
(145) GDPR, art. 38(2).
(146) See § 0.
(147) WP243.rev01, p. 14.
(148) See § 0.
(149) WP243.rev01, p. 14.
(150) See § 0.
(151) This also ensures that senior management is aware of the DPO’s advice and recommendations. This protection was already granted by Law 13.06.2015 regarding the electronic communications sector, art. 126 § 3: “In the exercise of his duties, the personal data protection officer acts with complete independence, and has access to all personal data transmitted to the authorities as well as to all relevant premises of the provider or operator. The officer must have the possibility to communicate directly with the management of the operator or provider”.
(152) GDPR, art. 38(3) and recital 97.
denial of benefits that other employees receive, transfer to another function or office… The WP 29 makes it clear that it is not necessary for these penalties to be actually carried out to infringe the GDPR. A mere threat is prohibited if it is used to penalise the DPO on grounds related to his/her DPO activities. (158) Of course, a DPO can be dismissed legitimately for reasons other than for performing his or her tasks as a DPO. (159) But what about shortcomings in his/her DPO mission, such as wrong/insufficient advice, lack of proactivity or breach of confidentiality? (160) The GDPR does not specify how and when a DPO can be dismissed or replaced, and does not provide who bears the burden of proof regarding the motives of the dismissal or sanction. The controller/processor should consequently be careful to avoid undue fines. The DPO should also take care to keep written records of all his/her activities. Respecting the accountability principle will thus help the DPO to prove his/her own compliance with his/her mission. Nevertheless, when a DPO’s employment contract is terminated during the trial period or when an external DPO’s contract is not renewed, it will be less easy to prove a disguised sanction. Is the DPO relieved from his/her confidentiality duty when he/she is in conflict with the controller/processor about the grounds for dismissal or sanction? We tend to think so, as is a lawyer when in conflict with a former client about fees or liability.

Consequences in case of undue dismissal/sanction – In case of undue dismissal or sanction, the GDPR provides for an administrative fine to be paid to the supervisory authority. No compensation is provided for the DPO, who has to rely on labour law (161)
(153) Regarding the electronic communications sector (art. 126, § 3 Law 13.06.2015) and the DNA data bank (art. 7, § 3 Law 22.03.1999 and art. 34, § 3 Royal Decree 17.07.2013).
(154) WP243.rev01, p. 15.
(155) See § 0.
(156) See § 0.
(157) GDPR, art. 38(3).
(158) WP243.rev01, pp. 15‑16.
(159) For example, in case of theft, physical, psychological or sexual harassment or similar gross misconduct, WP243.rev01, p. 16.
(160) It is interesting to note that article 22.III of the French Law on informatics and liberties entitles the French CNIL to ask a controller to designate another CIL if the current one fails in his/her duties.
(161) In Belgian law: wrongful dismissal or patently unreasonable dismissal.
or contract law. (162) It is thus in the DPO’s interest to insert provisions in his/her contract regarding the burden of proof and compensation.
V
Content of the contract
35. No specific mention – Unlike a processor’s agreement, the GDPR does not specify any mention that the DPO’s work or service contract shall contain. Employers may think that there is no need to amend the employment contract when designating an existing employee as DPO. But as seen above, there are many points of discussion and it is more prudent to insert a few provisions.

36. Tasks – First of all, the detailed outline of the mission should be specified, as we have seen that tasks can be added to the minimum function. (163) It is in both parties’ interest to avoid uncertainty about what lies in the hands of the DPO. Furthermore, if the controller/processor does not want to appoint a DPO but only to charge an employee/consultant with privacy compliance, the contract should make clear that the mission is not one of a DPO. (164)

37. Workload – Regarding labour law, the consent of the existing employee to the designation as DPO (as a change of the nature of the function) (165) must also be proven, as well as the hours to be dedicated to DPO tasks. A transition period before May 2018 can also be arranged for (specific workload, assistance of an external consultant, appointment as DPO in May 2018…).

38. Contacts – If an organisation is appointed as an external DPO, the physical person “in charge” must be specified in the contract. Regarding internal as well as external DPOs, the contract should make clear the concrete way of reporting, as daily reporting to the highest management level of the controller/processor may not be suited to every organisation. The contract may for example
provide which function is to be considered as the highest management level and that this person must only be reported to when a decision has to be made. (166)

39. Confidentiality – As seen above, (167) a confidentiality provision must be inserted in the work or service contract of the DPO according to Article 38(5).

40. Duration of the contract – While the European Commission’s proposal suggested a 2-year term and Parliament opted for a 4-year term for an employee and a 2-year service contract, no specific duration was adopted at the end of the trilogue. As constancy is key to ensuring independence, the WP 29 insists on the importance for a DPO to be stable. (168) As said above, the supervisory authority will be able to spot an untimely departure when informed of a change of the name and contact details of the DPO. (169) Regarding the external DPO, the procedures for communicating the necessary information to the following provider should be mentioned. (170)

41. Liability – Regarding the external DPO, the boundaries of his/her contractual and extra-contractual liability should be defined so as to avoid legal uncertainties.

42. Provisions regarding termination of the contract – The contract shall usefully provide how and when a DPO can be dismissed or replaced, and who bears the burden of proof regarding the motives of the dismissal or sanction. To avoid being accused of undue sanction, the controller/processor shall specify (171) the conditions to obtain a further promotion or, if applicable, how to calculate the variable part of the remuneration. (172) In case of a service contract, a lump sum can be provided for as compensation, to avoid having to demonstrate the actual prejudice. (173)

43. Is the external DPO a processor? – Neither the GDPR nor the WP 29
(162) In Belgian law: wrongful resolution (art. 1184 Civil Code) or unilateral termination (art. 1794 Civil Code).
(163) See § 0.
(164) See § 0.
(165) Law 03.07.1978 on employment contracts, art. 20, 1° and 25.
(166) K. Rosier, op. cit., p. 159.
(167) See § 27.
(168) WP243.rev01, p. 16.
(169) See § 0.
clarify whether the external DPO is to be considered as a processor, which would imply liability for the processing operations and mandatory provisions in the service contract. If the external DPO also provides some sort of material service, such as an IT platform to manage the register and other documents, this part of the mission alone justifies the qualification of processor. If not, the question is unclear. The DPO has access to personal data, but does not process data on behalf of the controller, (174) except in case of occasional control. Regarding the independence of the DPO, the future Belgian Data Protection Authority states that the DPO cannot be the one who processes, otherwise there would be a conflict of interest. (175) This seems to imply that the Belgian Authority would not consider the DPO as a processor. However, the qualification of processor would imply personal liability of the DPO. This may seem in contradiction with the sole liability of the controller as stated by the WP 29. (176) Nevertheless, in our mind, liability of a DPO as a processor (for instance when causing a data breach by leaking his/her access code) is plausible outside the DPO’s tasks of advice, contact point and monitoring. We thus tend to think it safer to include the contractual clauses provided for by article 26, to avoid a fine or at least to avoid a necessary addendum when this issue is addressed by the WP 29.
VI
Conclusion
44. Less than a year is left before the GDPR enters into force. Organisations should consider as soon as possible whether they must or want to appoint a DPO, and if so, whether they want to outsource this function. Even if organisations may be reluctant to bear the costs of a DPO when this is not required, we are inclined to think that his/her appointment will bring greater benefits than expenses, due to his/her global vision and
(170) L. Legris, “La désignation d’un DPO”, in Le Data Protection Officer, Bruxelles, Bruylant, 2017, p. 13, n° 63.
(171) For example through the work regulations.
(172) Ibid., p. 12, n° 57.
(173) See § 0.
(174) GDPR, art. 4(6).
(175) CPVP, Recommendation n° 04/2017, p. 18, n° 48.
(176) WP243.rev01, p. 4.
expertise. This actor is a cornerstone for ensuring compliance with the GDPR. The profile of potential candidates (including the current privacy officer or Security Counsellor) should be carefully checked for qualities, expertise and absence of conflict of interest, due to potential fines (177) and protection against dismissal or untimely termination of the service contract. Organisations should also draft an adequate and complete DPO contract, to protect both parties.
The sooner the DPO is appointed, the sooner the organisation will efficiently use the time left before May 2018…

Fanny Coton
Jean-François Henrotte
Lawyers
(177) GDPR, art. 83(4): Administrative fines up to 10.000.000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
8:45 am - 9:00 pm
BNP Paribas Fortis, Auditorium Chancellerie, rue de la Chancellerie 1, 1000 Brussels

On 9 November 2017 the 28th edition of the Company Lawyers’ Day (Journée du juriste d’entreprise) will take place. It is the most important day of the year for company lawyers, with more than 200 participants. It will be held at rue de la Chancellerie 1, 1000 Brussels. In this invitation you will find the programme of the day as well as some practical details.

Programme

Morning
8:45-9:15 Welcome of participants
9:15-9:30 Welcome address – Saskia Mermans – President (IJE) – Company lawyer, KBC Group – Ludo Deklerck – Director General (IJE)
9:30-9:45 Introduction – Marc Beyens – Chair of the Day – Company lawyer (ENGIE)
9:45-10:45 Competition law. Private enforcement in competition law. Directive 2014/104/EU on damages as a lever for an indispensable adaptation of Belgian national law. – Anne Bérangère Sudraud – Company lawyer (ENGIE) – Denis Philippe – Lawyer – Professor (UCL) – Jacques Steenbergen – President (Belgian Competition Authority)
10:45-11:15 Coffee break
11:15-12:15 Class Actions. The action for collective redress: law in action. – Hakim Boularbah – Lawyer – Professor (ULB). The role of the company lawyer in preparing and negotiating consumer-related litigation. – Lorelien Hoet – Company lawyer (Proximus). The class action for SMEs: risks and opportunities. – Philippe Lambrecht – Secretary General (FEB), Professor (UCL)
12:15-12:30 Q&A
12:30-14:00 Lunch

Afternoon
14:00-15:00 Breakout sessions
Grand Foyer: Directors’ liability between hammer and anvil. A pragmatic approach. – Wilfried Kupers – Company lawyer (KBC Group) – Roel Nieuwdorp – Lawyer
Room 2: Unfair terms and investment instruments, a balancing act. – Christel Jennes – Company lawyer (Belfius) – Ivan Peeters – Lawyer (Stibbe)
Room 3: Recodification and integration of the law on associations and foundations into the Code of Companies and Associations. Main lines of the reform and points of attention when drafting articles of association. – Heidi Diet – Company lawyer (OLV Ziekenhuis – Aalst VZW) – Dirk Van Gerven – Lawyer (Nautadutilh)
Room 4: Innovative taxation for innovation income. Tips for non-tax specialists. – Céline Eyers – Company lawyer (Ice-watch) – Robert Neyts – Lawyer (LAGA) – Matthias Vierstraete – Lawyer (LAGA)
Room 5: Legal Privilege & Economic Search Tools: current European initiatives. – Tom Boedts – Company lawyer (Febelfin) – Irina Michalowitz – ACC Consultant European Public Affairs / Director IMConsult – Jonathan Marsh – President (ECLA) – Company lawyer (Total)
15:00-15:30 Coffee break
15:30-16:30 The codification of insolvency law: what is new for businesses. – Henri (Rik) Colman – Senior Expert Department Regularisation & Recovery Credit Risk Management (ING) – Stan Brijs – Lawyer (Nautadutilh) – Sophie Jacmain – Lawyer (Nautadutilh)
16:30-18:00 The draft Code of Companies and Associations: selected pieces for company lawyers. – Marieke Wyckaert – Lawyer – Professor (Jan Ronse Instituut voor Vennootschaps- en Financieel Recht, KULeuven) – Paul Alain Foriers – Lawyer – Professor (ULB)
18:00-18:15 Q&A and conclusion – Marc Beyens – Chair of the Day – Company lawyer (ENGIE)
18:15-19:00 Keynote – Koen Geens – Minister of Justice
19:00-21:00 Walking dinner

Chair of the study day: Marc Beyens, company lawyer (Engie)
Coordination of the book: Christian Jammaers, company lawyer (AG Insurance)

Practical information
The study day will be held on Thursday 9 November 2017 from 8:45 am to 9:00 pm.
• Venue: BNP Paribas Fortis, Auditorium Chancellerie, rue de la Chancellerie 1 – 1000 Brussels.
• Registration fee: €300 – IJE members, €450 – non-members, €50 – students (this price covers attendance at the conference without the book), €150 – magistrates.
• Registration: only via our website www.ije.be.
• Languages: Dutch and French. Simultaneous translation is provided, except during the breakout sessions.
• Payment: an invoice will be sent to you after receipt of your registration.
• Attendance certificate: Lawyers: OBFG: 6 points, OVB: 6 points. Magistrates: the Institut de formation judiciaire (Judicial Training Institute) will cover the registration fee (€150 per person) of professional magistrates, judicial trainees and members of the judiciary’s staff. The Institute does not cover the registrations of persons who are absent. It is, however, permitted to be replaced by a colleague, who will add his or her name and position next to those of the person replaced.
Contact person: Sunita Mayaka: Tel.: +32 2 500 03 27 – e-mail: sunita.mayaka@ije.be.
8:45 am - 9:00 pm
BNP Paribas Fortis, Auditorium Kanselarij, Kanselarijstraat 1, 1000 Brussel

On 9 November 2017 the 28th edition of the Company Lawyers’ Day (Dag van de bedrijfsjurist) takes place. The highlight of the year for company lawyers, with more than 200 participants annually, is held this year at Kanselarijstraat 1, 1000 Brussel. In this invitation you will find the programme of the day together with some practical details.

Programme

Morning
8:45-9:15 Welcome
9:15-9:30 Welcome address – Saskia Mermans – President (IBJ) – Company lawyer (KBC Group) – Ludo Deklerck – Director General (IBJ)
9:30-9:45 Introduction – Marc Beyens – Chair of the Day – Company lawyer (ENGIE)
9:45-10:45 Competition law. Private enforcement in competition law. The Damages Directive 2014/104/EU as a lever for a much-needed adaptation of Belgian legislation. – Anne Bérangère Sudraud – Company lawyer (ENGIE) – Denis Philippe – Lawyer – Professor (UCL) – Jacques Steenbergen – President (Belgian Competition Authority)
10:45-11:15 Coffee break
11:15-12:15 Class Actions. The action for collective redress: law in action. – Hakim Boularbah – Lawyer – Professor (ULB). The role of the company lawyer in the preparation and negotiation of consumer disputes. – Lorelien Hoet – Company lawyer (Proximus). The class action for SMEs: risks and opportunities. – Philippe Lambrecht – Secretary General (VBO) – Professor (UCL)
12:15-12:30 Q&A
12:30-14:00 Lunch

Afternoon
14:00-15:00 Breakout sessions
Grand Foyer: Directors’ liability between hammer and anvil. A pragmatic approach. – Wilfried Kupers – Company lawyer (KBC Group) – Roel Nieuwdorp – Lawyer
Room 2: Unfair terms and investment instruments – a balancing act. – Christel Jennes – Company lawyer (Belfius) – Ivan Peeters – Lawyer (Stibbe)
Room 3: Recodification and integration of the law on associations and foundations into the Code of Companies and Associations. Main lines of the reform and practical points of attention when drawing up and/or amending articles of association. – Heidi Diet – Company lawyer (OLV Ziekenhuis-Aalst VZW) – Dirk Van Gerven – Lawyer (Nautadutilh)
Room 4: Innovative taxation for innovation income. Tips for the non-tax specialist. – Celine Eyers – Company lawyer (Ice-watch) – Robert Neyts – Lawyer (LAGA) – Matthias Vierstraete – Lawyer (LAGA)
Room 5: Legal Privilege & Economic Search Tools: current European initiatives. – Tom Boedts – Company lawyer (Febelfin) – Irina Michalowitz – ACC Consultant European Public Affairs – Director IMConsult – Jonathan Marsh – President (ECLA)
15:00-15:30 Coffee break
15:30-16:30 The codification of insolvency law: what is new for businesses. – Henri (Rik) Colman – Senior Expert Department Regularisation & Recovery Credit Risk Management (ING) – Stan Brijs – Lawyer (Nautadutilh) – Sophie Jacmain – Lawyer (Nautadutilh)
16:30-18:00 A selected anthology for company lawyers / The draft Code of Companies and Associations: selected pieces for company lawyers. – Marieke Wyckaert – Lawyer – Professor, Jan Ronse Instituut voor Vennootschaps- en Financieel Recht (KULeuven) – Paul Alain Foriers – Lawyer – Professor (ULB)
18:00-18:15 Q&A + Conclusion – Marc Beyens – Chair of the Day – Company lawyer (ENGIE)
18:15-19:00 Keynote – Koen Geens – Minister of Justice
19:00-21:00 Walking dinner
Chair of the study day: Marc Beyens, company lawyer (Engie)
Coordination of the book: Christian Jammaers, company lawyer (AG Insurance)

Practical information
The study day takes place on Thursday 9 November 2017 from 8:45 am to 9:00 pm.
• Venue: BNP Paribas Fortis, Auditorium Kanselarij, Kanselarijstraat 1 – 1000 Brussel.
• Registration fee: €300 – IBJ members, €450 – non-members, €50 – students (the price covers attendance at the study day without the book), €150 – magistrates.
• Registration: only via our website www.ibj.be.
• Languages: Dutch and French. Simultaneous translation is provided, except in the breakout sessions.
• Payment: after receipt of your registration, an invoice will be sent to you.
• Attendance certificate: Lawyers: OVB: 6 points, OBFG: 6 points. Magistrates: the Instituut voor Gerechtelijke Opleiding (Judicial Training Institute) covers the costs (€150 per person) of participating magistrates, judicial trainees and staff members of the judiciary. For those who register but are not actually present, the Institute does not cover any costs. Replacement by a colleague is, however, permitted; the colleague then signs with name and position next to the name of the replaced colleague.
Contact person: Sunita Mayaka: Tel.: +32 2 500 03 27 – e-mail: sunita.mayaka@ibj.be.
Reference works for your profession

Pocket Codes (Codes en poche)
Code de droit pénal des affaires 2017 (Code of business criminal law 2017: tax, social, financial, banking, ...). Up to date as at 15 August 2017. An exhaustive compilation of the criminal and administrative sanctions that businesses face: from general criminal law to social criminal law, via tax, banking, financial or urban-planning criminal law. > Les Codes en poche Larcier, 1068 p. • €75.00 • 5th edition 2017

L’intelligence artificielle et le droit (Artificial intelligence and the law), coordinated by Alexandre de Streel and Hervé Jacquemin. The book examines in depth the legal questions raised by artificial intelligence and robots under Belgian and European law. > Collection du Crids, 482 p. • €85.00 • 2017 edition. Available in electronic form at www.stradalex.com

Information and orders: ELS Belgium s.a., Boulevard Baudouin 1er, 25 • B-1348 Louvain-la-Neuve – Belgium. Tel. 0800/39 067 – Fax 0800/39 068 – commande@larciergroup.com
www.larciergroup.com
CONTENTS (Sommaire / Inhoudstafel)

DOCTRINE – Tom Lingard & Astrid Arnold, The implications of Brexit for owners of UK intellectual property rights – Nathalie Ragheno, Data protection: la future nouvelle autorité de protection des données (the future new data protection authority) – Fanny Coton & Jean-François Henrotte, Everything you always wanted to know about DPO (but were afraid to ask)

AGENDA

Editor-in-chief: Philippe Marchandise
Editorial secretaries: Hadrien Janne ● Natasha Seghers
Editorial committee: Cédric Cheneviere ● Ludo Deklerck ● Eric Felten ● Ellen Van Nieuwenhuyze ● Vincent Leroy ● Denis-Bruno Floor ● Maurice Van Stiphout ● Maximilien Westrade
Scientific committee: Mireille Buydens ● Yves De Cordt ● Catherine Delforge ● Martine Delierneux ● Laurent du Jardin ● Koen Geens ● Huguette Geinger ● Frédéric Georges ● Paul Nihoul ● Martine Regout ● Christophe Verdure ● Francis Walschot

Responsible publisher: Paul-Étienne Pimont, ELS Belgium sa|nv, Espace Jacqmotte, Rue Haute / Hoogstraat 139/6, B-1000 Bruxelles|Brussel
Published by / Orders: ELS Belgium sa|nv ● Espace Jacqmotte, Rue Haute / Hoogstraat 139/6, B-1000 Bruxelles|Brussel ● Tel. 0800/39 067 (+32 2 548 07 13) ● Fax 0800/39 068 (+32 2 548 07 14) ● abo@larciergroup.com
2017 subscription price: €120. Single issue: €60. All reproduction rights, in any form whatsoever, reserved to the publisher for all countries. D/2017/0031/397 CJ-N.17/2 ISBN: 978-2-8079-0263-3
P913344 – Post office: Liège X. Quarterly (March, June, September, December). Responsible publisher: Paul-Étienne Pimont, Espace Jacqmotte, Rue Haute, 139-Loft 6, 1000 Bruxelles