Background Screeners, DPOs and Transfers of Data from the EU to the US

Montserrat Miller
Arnall Golden Gregory LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Companies that transfer personal data from the European Union (“EU”) to the United States should be working toward their compliance with the EU’s General Data Protection Regulation (“GDPR”) (Regulation (EU) 2016/679) which will go into effect May 2018.  Oh, but how silly, that’s, like, over a year away!  Why should you care?  If you transfer personal data from the EU to the US there’s a lot to know about the GDPR and it takes time.  I’m going to focus on the Data Protection Officer (“DPO”) requirement today.

Organizations that process personal data related to EU nationals may be either a “controller” or “processor,” or both.  Let’s say you are a background screening company and you’ve been hired to conduct a background investigation or check on an individual who lives, or previously lived and worked, in the EU. You’ll very likely need to transfer data to the United States from the EU and the bottom line is that whenever an organization transfers personal data related to EU nationals to the United States, you need to consider the GDPR in order to ensure compliance.  You also need to consider whether you have a legitimate cross-border onward mechanism, but that’s for another blog posting.

Let’s talk about the DPO.  Article 37(1) of the GDPR requires the designation of a DPO by a controller or processor (i) where the processing is carried out by a public authority or body; (ii) where the core activities of the controller or the processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or (iii) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data (as defined in Article 9) and (or) personal data relating to criminal convictions and offenses (as described in Article 10).

Special categories of data are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data and information related to a person’s sex life or sexual orientation.

The DPO can be an internal employee or can be hired as an outside consultant, if you will.  The role and tasks of the DPO are described in Articles 38 and 39 of the GDPR.

And, in case you are wondering the cost of non-compliance?  It’s steep.  A violation of the obligation of a controller or processor related to the designation of a DPO can subject a company to administrative fines of up to 10 million Euros or up to 2% of the “total worldwide annual turnover of the preceding financial year.” (Article 83(4)(a)).

For recent guidelines from the Article 29 Data Protection Working Party on the role of the DPO, click here.

So, if you find your company in this situation and are doing a Google search of GDPR at this time, the privacy team here at AGG can help.  Just shoot me an email at montserrat.miller@agg.com.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Arnall Golden Gregory LLP | Attorney Advertising

Written by:

Arnall Golden Gregory LLP
Arnall Golden Gregory LLP
Contact
more
less

Arnall Golden Gregory LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide