TO THE MEMBERS
Implementation of the EU General Data Protection Regulation 2016/679 – General Guidance to Members
Regulation (EU) 2016/679 containing the General Data Protection Regulation (the "GDPR” or “Regulations") will come into force on 25 May 2018 and such will have direct effect in the EU/EEA. Therefore there will be no need for domestic legislation in the UK to give effect to the GDPR. There is however also a UK Data Protection Bill currently going through Parliament, which will supplement the provisions of the GDPR. It is not yet known when this Bill will be enacted.
This general guidance intends only to provide a brief introduction to the GDPR, as relevant to the UK Club and its Members. The impact of the Regulation will most often be felt in claims relating to personal injury and illness or other cases involving data originating from natural persons, or individuals. Data originating from a legal entity that does not contain personal information, or information otherwise not related to natural persons is unaffected.
The broad intention of the Regulation is to replace Directive 95/46/EC and strengthen and harmonise EU/EEA procedures concerning the collection, storage, processing, access, use, transfer and erasure of personal data. By establishing responsibilities for "controllers" and "processors" of personal data, the Regulation aims to provide natural persons with the same level of legally enforceable rights throughout the EU/EEA, and a supervisory and enforcement framework to ensure compliance.
The aim of the GDPR is to protect natural persons in relation to the processing of data. The Regulation applies to those within the EU/EEA which may hold such data, but also to those outside the EU/EEA which may offer goods or services to natural persons within that area, or send personal data to organisations within the EU/EEA, or send personal data to recipients within the EU/EEA. Because the UK Club operates within the EU/EEA, the GDPR will apply to the Club. Similarly, the Regulation will apply to Members, and third-party service providers operating within the EU/EEA or offering goods or services to natural persons within that area, and to personal data held within the EU/EEA belonging to individuals who are outside the EU/EEA.
Penalties for infringement
The level of administrative fines under the new regime is substantially higher than under the old legislation. The amount of a fine will depend on a number of factors in each individual case, including, but not limited to, the nature and duration of the infringement, and any actions taken to mitigate damage suffered by the Data Subject. It is, however, worth noting that the penalties for infringements of the GDPR, in relation to certain provisions, can be up to €20 million or in the case of an undertaking, up to 4% of the worldwide annual turnover of the preceding financial year, whichever is higher.
Roles of the UK Club, Members, brokers, external service providers and claimants
The Club considers that it will be a controller for the purposes of the Regulations. The Club outsources day to day management of the UK Club to Thomas Miller, who will in some circumstances act as a joint controller. This will permit the Club to operate under the GDPR framework built by Thomas Miller and Thomas Miller will be able to perform administrative tasks that only a controller or joint controller are permitted to do. Thomas Miller will also be able to represent the UK Club when dealing with the Data Regulator.
Further, where the GDPR applies, Members, brokers and external service providers such as club correspondents, surveyors, and experts, will generally be controllers, since they are each independently likely to determine the purpose and means of the processing of the relevant data. If a processor determines “the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing” .
This would be relevant only where the matter in issue, for example a personal injury or an illness claim, contains personal data. In that case, the relevant individual(s) bringing the claim would be the data subject, benefiting from the rights provided in the GDPR.
Some relevant requirements of the GDPR.
Principles for processing personal data
The principles for processing personal data can be summarised as follows:
Processing of personal data is prohibited unless specific conditions apply, such as express consent or where processing is a necessary consequence of the establishment, exercise or defence of legal claims, or wherever courts are acting in their judicial capacity.
It is recommended however that all Members and their associated named assureds, brokers, agents, etc. consider including suitable GDPR wording included in contracts, employment contracts, collective bargaining agreements, ticket conditions, etc. to allow the processing of sensitive personal data on a permitted basis. This will be of particular importance when dealing with claims involving minors where more stringent GDPR conditions apply.
Specific, stricter requirements apply to sensitive personal data. This includes data such as race, ethnic background, religious and political affiliations, and health and medical information about a data subject.
Rights of the data subject
Below is a summary of some of the rights which the data subject has, including the right to request information.
Responsibilities of the controller, joint controller(s) and processor
The controller and joint controller
The controller and joint controller are required to implement appropriate measures for the processing of personal data in accordance with the Regulation . This includes establishing and implementing a 'data protection policy' and other specific requirements, such as:
In the case of the UK Club, it is envisaged that the Club will be the controller, and Thomas Miller will be a joint controller. Members and their assureds will be controllers of the personal data that they have received from their crew and claimants.
The processor must provide guarantees to the controller of appropriate technical and organisational measures so that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject . A separate contract or agreement complying with specific requirements should be concluded between the controller and the processor.
Both controller and processor are responsible for the following:
Duty to notify Supervisory Authority
The controller shall notify the appropriate Supervisory Authority of a personal data breach in accordance with the GDPR where the rights and freedoms of the data subject have been affected. The processor is obliged to notify if it becomes aware of a breach of the GDPR .
Data Protection Officer
In certain circumstances, including where personal data is processed on a large scale , there is a duty to appoint a Data Protection Officer (“DPO”) . The DPO has specific responsibilities, including the monitoring of compliance with the Regulation, to report and to give internal advice. The Club has appointed a DPO, Mr Jim Ashton.
Transfer of data to a third country
Unless there is a valid legal basis or permitted derogation under the GDPR for transferring data to a third country, in other words outside the EU/EEA, which may be the case where the transfer is necessary (such as in accordance with a legal obligation) to bring an insurance claim, for example a personal injury claim, then a transfer of data to a third country requires either the EU Commission to have decided that the relevant third country has established adequate levels of protection or that the controller or processor in the third country has established or will establish appropriate levels of security .
In some circumstances, the use of the EU Standard Model Clauses may be appropriate.
What does the Regulation mean for the UK Club and its Members, and what measures ought to be taken?
Some of the actions the UK Club has taken, or is in the process of taking, in response to the GDPR are as follows:
Further impact on Members
Members operating within the EU/EEA area and those outside the EU/EEA offering goods or services to individuals in that area, or who hold personal data within the EU/EEA relating to individuals outside the EU/EEA, may need to undertake a similar exercise. The UK Club recommends that affected Members undertake a review with a focus on the following areas:
This circular should not be construed as providing legal advice. Members should seek independent advice from a lawyer or their local Data Protection Authorities, when making changes in working routines with a view to ensuring compliance with the GDPR regulations.
Any questions or comments can be directed to the Club’s Head of Compliance, Paul Knight (Email: email@example.com Tel. +44 20 7204 2229) in the London office.
All Clubs in the International Group have issued a similar circular.
For more information: please contact Paul Knight
Email: firstname.lastname@example.org Tel. +44 20 7204 2229.