Data Privacy & Transfer in Investigations

October 08, 2018

Last verified on Tuesday 25th September 2018

United Kingdom

Nigel Parker, Calum Burnett and Hugo Flaux
Allen & Overy LLP
  1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data?

    The EU General Data Protection Regulation (2016/679) (the GDPR) is directly applicable in this jurisdiction (from 25 May 2018).

    Together with the GDPR (which is applicable directly to the UK), the Data Protection Act 2018 (DPA) forms the data protection regime in the UK. Among other things, the DPA implements derogations and UK-specific exemptions, as permitted by the GDPR. Throughout this guide, references to the GDPR shall refer to the GDPR as applied in the UK by article 22 of the DPA.

    The Information Commissioner’s Office (the ICO) is the regulator responsible for enforcing the GDPR and DPA.

    The ICO has strongly recommended, and the UK government has acknowledged, that the ability to freely transfer data between the UK and countries that remain in the EU should be a key consideration in negotiating Brexit. The UK will become a third country for the purposes of data transfers once it leaves the EU on 29 March 2019 and so will be required to have an “adequate” level of data protection (see question 16). Section 2 of the DPA effectively incorporates article 8 (Protection of personal data) of the Charter of Fundamental Rights of the European Union to provide reassurance that the UK and EU data protection regimes are in tandem and to assist in obtaining a decision from the European Commission that the UK is an “adequate” jurisdiction.

  2. What other laws and regulations may prevent data sharing in the context of an investigation?

    Banking confidentiality

    There is a common law duty of confidentiality between a "banking business" and its clients. This implied duty means that a bank may not divulge confidential information about its client unless the client in question has consented or an exemption applies.

    The meaning of a "banking business" relates to the business carried on by the entity instead of any regulated status. The three main factors that indicate a banking transaction are:

    • keeping current accounts for customers, in which credits and debits are entered;
    • accepting money from and collecting cheques for customers and placing them in credit; and
    • paying cheques drawn on the relevant account and debiting customers accordingly.

    The general duty of confidentiality can therefore apply to any business engaging in these activities, even if that institution does not consider itself to be a bank.

    The implied duty applies to any information about a client (both natural and legal persons) that the bank acquires in the course of providing services.

    Client consent to a transfer of confidential information should be informed but may be obtained via a website or standard terms and conditions.

    Exemptions to the common law duty of confidentiality have been found in certain limited circumstances:

    • there is a compelling public interest reason for the transfer;
    • there is compulsion by law;
    • transfer under compulsion by order of court; or
    • where disclosure is necessary in the interests of the bank.

  3. What can constitute personal data for the purposes of data protection laws?

    The GDPR defines personal data as any data relating to a living individual who can be identified directly or indirectly from that data, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that living person.

    Data that are truly anonymised will not be "personal data" for the purposes of the GDPR, as they do not identify the individual.

  4. Does personal data protection relate only to natural persons or also legal persons?

    Under the GDPR, personal data protection only extends to natural persons. It does not also cover legal persons.

  5. To whom do data protection laws apply?

    The direct obligations under the GDPR apply primarily to data controllers. A data controller is defined in the GDPR as the person who (either alone or jointly with others) determines the purposes for which and the manner in which any personal data are processed.

    However, the GDPR also imposes certain direct obligations on data processors. A data processor is defined in the GDPR as the person who processes personal data on behalf of the data controller.

  6. What acts or operations on personal data are regulated by data protection laws?

    The GDPR applies to "processing", which is defined broadly and includes any activity in relation to personal data (whether or not by automated means). A number of examples are provided in the GDPR, including the collection, use, disclosure and destruction or erasure of personal data.

  7. What are the principal obligations on data controllers to ensure the proper processing of personal data?

    Fair and lawful processing information should be provided to the data subject at the time the personal data is obtained (unless an exemption applies). This must include in particular (article 13 of GDPR / section 44 of DPA):

    • the identity and contact details of the data controller;
    • the contact details of the data protection officer, where applicable;
    • the purposes and legal basis for the processing;
    • the categories of personal data concerned;
    • the recipients or categories of recipients of the personal data;
    • where applicable, the fact that the data controller intends to transfer personal data to a third country and the existence, or absence, of an adequacy decision by the European Commission (see question 16); and
    • any further information necessary to make that particular processing of data fair and transparent.

    The data controller should also inform the data subject of the period for which their personal data will be stored; the existence of the right to request access, rectification or erasure; the right to restrict the processing; the right to object to the processing; the right to data portability; the existence of automated decision making (including profiling); and the right to lodge a complaint with a supervisory authority.

    The GDPR sets out a number of data protection principles that data controllers must comply with. The first principle is that personal data must be processed "lawfully, fairly and in a transparent manner". This means that data cannot be processed unless one of the fair processing conditions set out in article 6 of GDPR is met. These are that:

    • the data subject has given his consent to the processing for one or more specific purposes;
    • the processing is necessary for the performance of a contract to which the data subject is a party or for the taking of steps at the request of the data subject with a view to entering into a contract;
    • the processing is necessary for compliance with a legal obligation to which the data controller is subject;
    • the processing is necessary in order to protect the vital interests of the data subject or another natural person;
    • the processing is necessary for performing tasks in the public interest or in the exercise of official functions by the data controller (further clarification on this point is set out in section 8 of DPA); or
    • the processing is necessary for the purposes of legitimate interests pursued by the data controller or by a third party, except where the processing is unwarranted by reason of prejudice to the interests and fundamental rights and freedoms of the data subject.

    In respect of sensitive personal data (or “special category data”), the processing must also comply with one of the stricter processing conditions set out in article 9 of GDPR and section 10 and Schedule 1, Part 1 of DPA. Sensitive personal data is defined as information relating to: racial or ethnic origin; political opinions; religious and philosophical beliefs; trade union membership; genetic data and biometric data for the purpose of uniquely identifying a natural person; data concerning health; and sex life and sexual orientation. In an investigations context, relevant conditions for the processing of sensitive personal data may include where:

    • the individual has given their explicit consent to the processing for one or more specified purposes; or
    • the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

    Under the other data protection principles in the GDPR, data controllers must also ensure that (and be able to demonstrate compliance with):

    • Principle 2: personal data should be obtained only for specified, explicit and legitimate purposes and should not be further processed in any manner incompatible with those purposes (“purpose limitation”).
    • Principle 3: personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”).
    • Principle 4: personal data should be accurate and, where necessary, kept up to date (“accuracy”).
    • Principle 5: personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”).
    • Principle 6: personal data should be processed in a manner that ensures appropriate security of that personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

    In addition, personal data may not be transferred to a country or territory outside the European Economic Area (EEA) unless the European Commission has decided that the third country or territory ensures an adequate level of protection or if the data controller or processor has provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

    DATA EXTRACTION BY THIRD PARTIES FOR DATA COLLECTION PURPOSES

  8. Before data extraction by third parties commences, should steps be taken to ascertain whether non-locally generated data was lawfully transferred to, or within, your jurisdiction in the first instance?

    While there are no specific steps required under the GDPR, it is advisable to check that non-locally generated data was transferred to, or within, the jurisdiction in compliance with relevant data protection laws and regulations. This may include:

    • ascertaining what data has been transferred to, or within, the jurisdiction and the natural and/or legal persons to which that data relates;
    • reviewing the fair and lawful processing information provided to data subjects;
    • ascertaining the lawful basis for the processing (see question 7); and/or
    • determining whether a contract was implemented for the transfer of that data (eg, a data processing agreement or data transfer agreement, as appropriate).

  9. Are there additional requirements where third parties process the data on behalf of the entity to which data protection laws primarily apply?

    Additional provisions of the GDPR apply where the data are processed by a data processor on behalf of the data controller. The primary factor considered is control of the data rather than its possession, so the data controller must ensure that the third-party data processor is complying with the requirements on the security of data set out in the GDPR. A written contract to this effect must be entered into between the data processor and data controller (article 28(3) of GDPR as modified by Schedule 6, Part 1, paragraph 24 of DPA). This contract must include a description of the data processing activities and require the data processor, among other things, to:

    • act only on the documented instructions of the data controller (including with regard to international transfers of data to a third country);
    • ensure that persons who process the data have committed to confidentiality or are under a statutory duty of confidentiality;
    • implement appropriate security measures in accordance with the GDPR;
    • engage a sub-processor only with the prior authorisation of the data controller;
    • assist the data controller in carrying out its obligations to respond to requests by data subjects to exercise their rights under GDPR; and
    • assist the data controller in ensuring its compliance with its data security obligations.

    Where a data processor engages a sub-processor, the contract between them must reflect the same data protection obligations as set out in the contract between the data controller and the data processor.

    These provisions of the GDPR apply to data processors within the same corporate group in the same way as to other third-party data processors.

    The GDPR also imposes certain direct obligations on data processors. These include an obligation to: (i) maintain a written record of processing activities carried out on behalf of each data controller; (ii) designate a data protection officer where required; (iii) appoint a representative (when not established in the EU) in certain circumstances; and (iv) notify the data controller without undue delay on becoming aware of a personal data breach.

  10. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation? And how can consent be given by a data subject?

    The consent of the data subject is one legal basis for processing of personal data under the GDPR. Data subject consent is therefore not mandatory for the processing of personal data, but consent must be obtained if none of the other grounds for lawful processing apply.

    There is no prescribed form for the consent, but it should be freely given, specific, informed and unambiguous. In addition, to the extent relied upon as a basis for international transfers, consent must also be explicit (see question 16). Consent can also be withdrawn at any time and must be as easy to withdraw as to give.

    Consent can be obtained through a website or other electronic means.

    In the case of sensitive personal data, consent must also be explicit. A data controller may therefore wish to obtain consent by means of an additional formality in order to demonstrate “explicit” consent (eg, a wet ink signature or a tick box).

  11. If not mandatory, should consent still be considered when planning and carrying out an investigation?

    Consent should be considered as an enabling action when planning an investigation. However, obtaining consent to the processing of personal data can be practically challenging, and proceeding with processing of personal data in reliance on these grounds is not always appropriate. One reason is that consent must be capable of being withdrawn at any time (a right which it is not possible to contract out of).

  12. Is it possible for data subjects to give their consent to such processing in advance?

    Whether consent given through general terms and conditions or account opening information is sufficient for the purposes of the GDPR depends in part on the balance of power between the data controller and data subject. Consent is not freely given (and so is invalid) if a data subject has no genuine or free choice or cannot refuse or withdraw consent without detriment, or there is a clear imbalance between the parties. Consent included within an employment contract is unlikely to be valid for this reason.

    Written requests for consent must be clearly distinguishable from other matters, be intelligible, be easily accessible and use clear and plain language. This means that consent should not be hidden among other terms and conditions. This is the case where the consent is sought in written form or electronically. In any event, there is a risk that a generic consent provided through general terms and conditions is not specific and informed, and so not validly given by the data subject.

    When assessing whether consent is freely given, utmost account shall be taken of whether the performance of a contract (including the provision of a service) is conditional on consent to the processing of personal data that is not necessary for performance of that contract.

    The data controller should also consider the requirement for consent to the processing for sensitive personal data to be explicit (see question 7).

  13. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?

    A data subject has a right to request information regarding whether their personal data is being processed, known as a data subject access request (DSAR). The information that can be requested includes a description of the data, the purpose for which it is being processed and to whom it may be disclosed. The data controller must also provide a copy of the personal data to the data subject.

    Following decisions of the English Court of Appeal under the Data Protection Act 1998, the motive behind a DSAR (eg, if it is made for an improper purpose, such as seeking privileged documents to assist in its litigation strategy) does not affect a data controller’s duty to respond to it. Provided the DSAR is not an abuse of the court’s process or does not result in a conflict of interest, the court will not use the purpose of a DSAR as a reason to limit the exercise of its discretion to compel an organisation to respond.

    A data controller is not required to provide personal data in response to a “manifestly unfounded or excessive” request from a data subject (article 12(5) of GDPR). If relying on this exemption, a data controller should retain evidence to demonstrate why it considers the request to be unfounded or excessive. If a data controller refuses to act on a request, they must also inform the data subject of the reason why and tell the data subject that they can complain to their relevant supervisory authority and enforce their right through judicial remedy.

    Data subjects have the right to request rectification of any personal data relating to them that is inaccurate, and completion of any incomplete data, including by way of a supplementary statement. There is an obligation on a data controller to keep personal data accurate under the GDPR (see question 7).

    Data subjects have the right to obtain from the data controller the erasure of their personal data without undue delay if one of the specified grounds applies. This includes where the data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, or where the data subject has withdrawn consent (and there is no other legal ground for the processing).

    Data subjects have a limited right to object to the processing of their own data and a right to obtain a restriction of processing from the data controller in certain circumstances.

    TRANSFER FOR LEGAL REVIEW AND ANALYSIS

  14. How are law firms, and legal process outsourcing firms, generally characterised in your jurisdiction?

    ICO guidance suggests that law firms are generally characterised as data controllers in their own right. This is on the grounds that responsibility also lies with the law firm itself as it determines what information to obtain and process in order to perform its work and because it is answerable itself for the content. The ICO cites the fact that lawyers control the detailed content of their advice and also have their own professional responsibilities (in areas such as record keeping and confidentiality of communications) as suggestive of lawyers being data controllers in their own right.

    A legal process outsourcing firm is likely to be considered as a third-party data processor in relation to the processing of personal data relating to its clients. This means that the conditions set out at question 9 must be complied with when contracting with a legal process outsourcing firm for the review of documents containing personal data.

  15. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?

    Financial institutions in the UK must also comply with, amongst other things, the Principles and the Fundamental Rules set out by the Financial Conduct Authority (the FCA). These high-level principles require some financial institutions to take various measures to protect client data. They are applied on a case-by-case basis. One view is that, by adhering to the common law duty of confidentiality set out at question 2, a financial institution will be sufficiently compliant with the FCA Principles and Fundamental Rules.

  16. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?

    The GDPR distinguishes between transfers to other jurisdictions within the EEA and transfers of data to jurisdictions outside the EEA.

    Within the EEA

    A transfer of personal data from this jurisdiction to a data processor in another EEA member state must comply with the same requirements as if the transfer was made within the jurisdiction (see question 7).

    Outside the EEA

    Personal data subject to the GDPR cannot be transferred to a country or territory outside the EEA, unless that third country or territory provides an adequate level of protection for personal data.

    The European Commission has determined that certain non-EEA countries and recipients ensure an adequate level of protection for personal data and so a transfer can be made to such countries in compliance with the rules that provide restrictions on transfers outside the EEA. Currently, these countries are Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. As noted in question 1, the UK will be a third country for the purposes of GDPR once it leaves the EU and is therefore likely to seek an adequacy decision (or another status to avoid designation as a “third country” for data protection purposes) from the European Commission.

    The data controller as transferor could ensure an adequate level of protection through:

    • entering into standard contractual clauses approved by the European Commission for both controller-to-processor and controller-to-controller transfers; or
    • for transfers within the same group, adoption of binding corporate rules.

    For transfers of personal data to eligible and appropriately certified recipients in the United States, the controller may also rely on the Privacy Shield mechanism.

    Data can be transferred to a jurisdiction not otherwise considered adequate if one of the following exceptions, among others, applies:

    • the data subject has consented to the transfer (as noted above, this consent should be explicit as well as freely given, specific, informed and unambiguous);
    • the transfer is necessary for the performance of a contract between the data subject and data controller or the implementation of pre-contractual measures taken at the data subject’s request;
    • the transfer is necessary for the conclusion of a contract between the data controller and a person other than the data subject, which is entered into in the data subject’s interests;
    • the transfer is necessary for important reasons of public interest;
    • the transfer is necessary for the establishment, exercise or defence of legal claims; or
    • the transfer is necessary to protect the vital interests of the data subject.

    Where none of the above derogations is available, a transfer to a third country may take place if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests of the data controller (which are not overridden by the interests or rights and freedoms of the data subject), and the data controller has assessed all the circumstances surrounding the transfer and has, on the basis of that assessment, provided suitable safeguards with regard to protection of personal data. This ground for processing may only be relied upon where no other legal basis is available. The data controller shall inform the supervisory authority of the transfer and, in addition to providing the information referred to in articles 13 and 14 (as modified by sections 15 and 16 of DPA), shall inform the data subject of the transfer and on the compelling legitimate interests pursued.

    TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES

  17. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?

    The transfer of personal data to regulators and enforcement authorities within the jurisdiction must comply with the GDPR in the same way as any other processing (see question 7). While there is no specific exemption to the data transfer rules in the GDPR for transfer to a regulator or enforcement authority within the jurisdiction, there are a number of possible exemptions and conditions that may be used for a transfer to regulators and enforcement authorities in the jurisdiction. These include where the disclosure is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

  18. Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?

    The provisions applying to cross-border data transfer generally (see question 16) also apply to the transfer of data to regulators and law enforcement authorities out of the jurisdiction. Any transfer to an overseas regulator would have to comply with the GDPR in the same way as any other processing.

    Any disclosure of personal data to an overseas regulator or law enforcement authority would engage the first principle and the prohibition on cross-border transfers. In particular:

    • The first principle provides that processing of personal data must be fair, lawful and transparent. Any transfer of personal data to an overseas regulator or law enforcement authority may breach this principle on the basis that this is not a purpose about which the data subjects will have been sufficiently informed, or would expect, and may also lack lawful grounds depending on the circumstances of the disclosure.
    • The prohibition on cross-border transfers provides that personal data should not be transferred to a country outside the EEA that does not provide an adequate level of protection, unless an exemption applies.

    There is no clear exemption or derogation from either the first principle or the prohibition on cross-border transfers that will routinely cover requests for data by a foreign regulator or law enforcement authority.

    The data controller may obtain consent from each affected data subject to provide a lawful basis for the disclosure and transfer. However, as noted above, this can be problematic to obtain and can also be withdrawn at any time. Rather than relying on consent, the transfer may be possible if in the data controller’s legitimate interests and one of the exemptions (including to the prohibition on cross-border transfers set out in question 16) apply.

    On the face of it, the GDPR also requires that, without prejudice to any other grounds for cross-border transfers (for which, see question 16), any transfer or disclosure of personal data in response to a request from a court, tribunal or administrative authority of a non-EEA country must be based on an international agreement, such as a mutual legal assistance treaty (MLAT), between the requesting state and the EU or an EU member state. This means that, in the absence of another legitimate basis for a cross-border transfer under the GDPR, data controllers based in the EU should not transfer data to a third country for the purposes of law enforcement unless an MLAT or similar is in place with that third country under which the transfer would be made.

  19. What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?

    The recipient of such a request may consider taking the following steps, amongst others:

    • Consider if there is a legal obligation to respond to the request and, if so, to what extent.
    • Seek further information in writing from the requesting regulator to evaluate the purpose of the request.
    • If possible, negotiate the scope of the request: for example, to target the specific information required for the purposes of the regulatory investigation.
    • In accordance with principles of data minimisation and anonymisation, limit the scope of any data disclosed and transferred to that necessary for the purpose.
    • Consider obtaining data subject consent and/or giving notice as it may be possible, in some cases, to obtain a valid consent from individuals to undertake a particular disclosure and transfer.
    • Put in place a data processing agreement if data will be transferred to an affiliate or third party (acting as a data processor) as an interim measure.
    • Consider transfer via domestic authority as, in some cases, it may be possible to request that the requesting regulator request data via a domestic regulator of the data controller.
    • Consider transfer via an MLAT as, in some cases, it may be possible to request that the requesting court or regulator requests data via an MLAT or other international agreement.

  20. What are the sanctions and penalties for non-compliance with data protection laws?

    There is a tiered approach to penalties for breaches of the GDPR. This permits data protection authorities to impose fines for some infringements of up to the higher of 4 per cent of annual worldwide turnover and €20 million (eg, for breach of requirements relating to cross-border transfers or the principles for processing, such as conditions for consent). Other specified infringements attract a fine of up to the higher of 2 per cent of annual worldwide turnover and €10 million.

    The GDPR contains a list of points to consider when imposing fines, such as the nature, gravity and duration of the infringement.

    The ICO is responsible for enforcing the GDPR, but in certain circumstances enforcement will be conducted through the courts.

    There are a number of criminal offences under the DPA (eg the re-identification of personal data that has been ‘de-identified’ or making a false statement in response to an information notice). A failure to comply with the provisions on cross-border transfer is not in itself a criminal offence, but the ICO may issue an enforcement notice ordering a remedy (and failure to comply is a criminal offence). The maximum penalty for criminal offences under the DPA is an unlimited fine.

    Where an offence under the DPA is committed by a body corporate with the consent or connivance of an officer such as a director (or is attributable to that officer's neglect), that person is also guilty of the offence and is liable to be punished accordingly.

    The ICO may also:

    • serve information notices requiring organisations to provide the ICO with specified information within a certain time period;
    • issue undertakings committing an organisation to a particular course of action in order to improve its compliance;
    • serve enforcement notices and ‘stop now’ orders where there has been a breach, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law;
    • conduct consensual assessments (audits) to check organisations are complying;
    • prosecute those who commit offences under UK data protection laws;
    • serve assessment notices to conduct compulsory audits to assess whether organisations' processing of personal data follows good practice; and
    • report to the UK Parliament on issues of concern.

    A data subject who suffers material or non-material damage as a result of a breach of the GDPR by a data controller may bring a civil claim for compensation. The DPA extends this to include any other data protection legislation in the UK and clarifies that “non-material damage” includes distress. Any compensation to the data subject must be awarded by the courts.

    CONTINUING OBLIGATIONS ON ORIGINAL AND INTERVENING DATA CONTROLLERS

  21.

    What are the continuing obligations on the original data controller that apply in an investigation?

  A data controller’s obligations under the GDPR are continuing for as long as it remains a data controller. As a result, it should ensure compliance with the GDPR, where applicable, at all stages of the investigation.

    Practical steps that a data controller should follow include:

    • ensuring that any third party processing data on behalf of the data controller signs a data processing agreement and/or data transfer agreement, as applicable;
    • ensuring that all personal data processed is accurate and, where processing relies on consent, that the consent of data subjects remains valid; and
    • complying with the restrictions on the transfer of data to third parties set out at question 16 (whether within or outside of the EEA), including any transfer to a regulator or law enforcement authority.
  22.

    What are the continuing obligations on any intervening data controller that apply in an investigation?

  The original and intervening data controllers should ensure that a written agreement is in place between them and follow the steps to address their continuing obligations set out at question 21.

    RELEVANT MATERIALS

  23.

    Provide a list of relevant materials, including any decisions or guidance of the data protection authority in your jurisdiction regarding internal and external investigations, and transfers to regulators or enforcement authorities within and outside your jurisdiction.

  EU General Data Protection Regulation (2016/679)

    https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

    UK Data Protection Act 2018

    http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted

    ICO ‘Guide to the General Data Protection Regulation’

    https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

    ICO guidance on the difference between data controllers and data processors

    https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-guidance.pdf
