Belgium has issued a new protocol to facilitate the approval process for transfers of personal data outside the EU. Italy issued new regulations governing direct marketing, and the Slovak Republic has introduced a new data protection act—a busy few months!
Belgium’s new protocol on data transfers was issued on the 25th of June by the Ministry of Justice and the data protection authority (the “Privacy Commission”) and relates to transfers based on the EU standard contractual clauses as well as ad hoc contracts to transfer data. Prior to the new protocol, a data controller could indicate that transfers were based on the EU standard clauses when notifying the Privacy Commission. For any other contracts related to transfers of data, Belgium had required that they be approved by royal decree, which required that the approval be signed by the King following advice from the Privacy Commission. The new protocol requires that both the EU standard clauses and other contracts covering transfers of data be submitted to the Privacy Commission for approval and confirmation that they conform to the template adopted by the European Commission. Other transfer contracts will still require a royal decree, but they will no longer require review by the Council of State or publication in the Official Journal, which should simplify the adoption process. While the aim of the protocol is to simplify the approval process, the new requirement to submit transfers based on the EU standard clauses to the Privacy Commission for verification is disappointing.
The Italian Data Protection Authority issued new Guidelines on Marketing and Spam (Guidelines), which were published in the Gazette and have the force of law. The Guidelines cover marketing via email and SMS (text messaging) and address the use of social networks or other information in the public domain, what the Garante refers to as “social spam.” The key change is that email addresses now in the public domain are in scope, and the broadened definition of “spam” covers any unsolicited marketing messages sent via automated means, regardless of the volume of messages sent. The number of messages only becomes relevant in relation to the amount of the sanctions. The Guidelines still permit marketing messages to existing customers when the offering is for products/services similar to those previously acquired by the customer, so long as the customer has been informed and has not opted out. The Guidelines also cover the sending of marketing messages to business email accounts. Where there is no prior relationship, companies intending to send marketing communications must obtain the prior consent of individuals, and such consent cannot be obtained by sending a first promotional message that asks for consent. Individual prior consent is required where email addresses are gathered through publicly available sources such as registers, social media or other websites. In addition, consent cannot be obtained via a “pre-ticked” box or by leading an individual to believe that his or her ability to obtain products or services is conditioned on consenting to receive marketing communications. Companies will demonstrate or document that they have obtained the necessary consent, including where the consent covers marketing by third parties. Lastly, the Guidelines also cover activities by marketing affiliates or promoters, such as asking a person with a large Twitter following to tweet about a product or service. This form of viral marketing now falls within the meaning of spam, such that under the Guidelines, the marketing promoter must obtain the consent of those individuals who receive the marketing message. The Guidelines also contain a new sanctions regime with penalties ranging from €6,000 to €300,000, or in some cases four times that where the fine would not act as a deterrent because of the economic conditions of the offender.
The Slovak Republic has enacted a new Data Protection Act, No. 122/2013 Coll. (NDPA), aimed at better implementing the EU Data Protection Directive. Slovakia’s NDPA became effective on 1 July 2013 and replaces Act No. 428/2002 Coll. on Protection of Personal Data (as amended). The reform brings many important changes, including on cross-border transfers and the requirements to appoint a data protection officer (DPO) or register databases. Compliance with the new rules, which must be achieved after a transitional period, will be facilitated through higher compulsory fines. Under the new Act it is no longer necessary to receive authorization for using data transfer agreements which include EU standard contractual clauses, and controllers will not need to submit their binding corporate rules (BCRs) to the DPA if they have been authorised in another EU Member State. Transfers based on EU-U.S. Safe Harbour are also exempt from DPA approval, although the NDPA prescribes a minimum content for contracts governing the safe-harboured transfers. Under the Act a DPO must be appointed where there are 20 or more “entitled persons” processing data. DPOs must be appointed within 60 days and the DPA notified of the appointment within 30 days. All DPOs need to pass an exam, and need to be appointed through a written authorization with a minimum content dictated by the Act. Compliance with the new DPO framework must be achieved within the one-year transitional period. Lastly, penalties for non-compliance have been increased to €300,000, which can be doubled to €600,000 for a repeated offence within two years.