08 June, 2017

A Collective Effort - The Impact of the GDPR on Collective Management Societies

This article was kindly drafted by Axel Beelen, who writes the blog IP News (focusing on EU and Belgian IP developments). He can also be found on Twitter here. He is also a data protection specialist.

The rules surrounding personal data are about to change on 25 May 2018 when the new General Data Privacy Regulation (GDPR) will enter into force. Because collective management organisations (CMOs) process their members' personal data, they will have to be compliant with the GDPR next year. Fines can be very high in the case of non-compliance. Below you will find the key points introduced in the GDPR concerning CMOs.

Data-subjects’ rights enlarged and more defined

The processing of personal data is lawful only if, and to the extent that, it is permitted under the GDPR. If the data controller (here the CMO) does not have a lawful basis for a given data processing activity (and no exemption or derogation applies) then that activity is prima facie unlawful. A lawful basis would be the consent of the data subject to do so, contractual necessity, compliance with legal obligations, the vital interests of the data subject, necessary for public interest or the legitimate interests of the data controller.

The "legitimate interests" lawful basis, under Article 6, is the more difficult to understand. It requires the balancing of the legitimate interests of the CMO against the interests and fundamental rights of the data subject (the rightholder).

To be a member of a CMO, rightholders (for example, authors, publishers, artists and producers) enter into an agreement with the CMO. This contract will generally be the lawful basis for the future processing of the rightholder’s data.

Members must be informed before any processing

The GDPR requires that the members of the CMOs have to be clearly and fully informed about their set of rights, including new rights that have been introduced, before the collection and processing of their personal data. CMOs are strongly advised to adapt their privacy provisions, communications and information to meet the requirements of the GDPR.

CMOs will also need to ensure that they have effective systems in place to enable them to give effect to these rights without any costs to the rightsholders. In the case of non-compliance, fines can be very steep: €20 million or up to 4% of the total worldwide annual turnover of the CMO for the preceding financial year.

CMSs have gone through quite the change,
even before the GDPR (Source: Oatmeal)
The GDPR expands the existing set of rights provided in the 1995 Data Protection Directive, and creates several entirely new rights increasing the ability of members of CMOs to better control their personal data. CMOs must provide any requested information in relation to any of the rights of their members within one month of receiving such a request. Only where CMOs receive large numbers of requests, or especially complex requests, may the time limit be extended by a maximum of two further months. Internal policy enabling the CMO to quickly reply to a member request will need to be written.

Members’ rights under the new GDPR

In a nutshell, members have the following rights under Articles 12-22:

  • Right of access: members of CMOs (as data subjects) have the right to obtain information relating to (i) confirmation of whether, and where, CMOs are processing their personal data, (ii) the purposes of the processing, (iii) the categories of data being processed, (iv) the categories of recipients with whom the data may be shared, (v) the period for which the data will be stored, (vi) the existence of the rights of erasure, rectification and restriction of processing and to object to processing, (vii) the existence of the right to complain to the DPA, (viii) the existence of, and an explanation of the logic involved in, any automated processing that has a significant effect on data subjects. Additionally, members may request a copy of the personal data being processed by their CMO;
  • Right of rectification regarding any inaccurate personal data possessed by the CMO;
  • Right to erasure (the "right to be forgotten"): following the Google Spain ECJ ruling of 2014, the GDPR now allows data subjects to request that their personal data be erased if (e.g.) the data are no longer needed for their original purpose (and no new lawful purpose exists) or the data subject exercises the right to object, and the controller has no overriding grounds for continuing the processing;
  • Right to restrict processing;]
  • Right of data portability: members will now have the right to receive a copy of their personal data in a commonly used machine-readable format, and request that these data are transmitted directly to another data controller (which could be another CMO). This new right has been the subject of Guidelines written by the Article 29 Working Party (Article 29 WP consists of representatives of the national supervisory authority in data protection);
  • Right to object to processing for the purposes of direct marketing (including profiling); and
  • Right to not be evaluated on the basis of automated processing: members have the right not to be subject to a decision based solely on automated processing which significantly affects them (including profiling). Such processing is permitted where (i) it is necessary for entering into or performing a contract with the data subject provided that appropriate safeguards are in place, (ii) it is authorised by law or (iii) the data subject has explicitly consented and appropriate safeguards are in place.
CMOs shall provide the data subject with all of this information at the time when personal data of the members are obtained.

A DPO to supervise the personal data activities

CMOs will have to appoint a Data Protection Officer (DPO) to supervise their personal data processing activities. CMOs will have to involve the DPO properly and in a timely manner in all issues which relate to the protection of personal data.

Each CMO will ensure that its DPO does not receive any instructions regarding the exercise of those tasks. The DPO cannot be dismissed or penalised by his CMO for performing his tasks. The DPO will directly report to the highest management level of his company. A DPO can be an employee of the CMO or an outside consultant.

The DPO may be contacted by the members with regard to all issues relating to processing of their personal data and to the exercise of their rights under the GDPR.

Conclusion

 For many collective management organisations, compliance with this new GDPR will be very challenging and expensive. They would be well advised to urgently carry out a legal assessment of the current status of their compliance in order to ascertain any gaps. CMOs will then need to implement adequate solutions and monitor their suitability. All of that before May 25th next year.

No comments:

Post a Comment