Compliance & Ethics Professional, a publication of the Society of Corporate Compliance and Ethics, May 2018


This article, published in Compliance & Ethics Professional (corporatecompliance.org), appears here with permission from the Society of Corporate Compliance & Ethics. Call SCCE at +1 952 933 4977 or 888 277 4977 with reprint requests.

The GDPR's Article 6 and the future of anti-bribery due diligence

by Illya Antonenko

- The General Data Protection Regulation (GDPR), a new EU privacy legislation, will have a significant impact on anti-bribery due diligence.
- The legitimate interests of the controller are the most appropriate basis for processing personal data of EU residents as part of anti-bribery due diligence.
- An authorization by the third party under review will not be sufficient.
- The Foreign Corrupt Practices Act cannot be used to establish the legal obligation basis for processing personal data under the GDPR.
- There is a risk that the GDPR will put up significant obstacles to processing criminal background information of EU residents.

Illya Antonenko (iantonenko@traceinternational.org) is Privacy Counsel at TRACE International, Inc. in Annapolis, MD.

Compliance and ethics professionals know that anti-bribery due diligence of third parties involves processing large amounts of personal data about individuals associated with the third party. In May, the European Union's (EU) General Data Protection Regulation (GDPR) will have a significant impact on anti-bribery due diligence processes of US companies as long as there is a chance that the individuals under review reside in the European Union. Companies established in the European Union must comply with GDPR requirements with respect to personal information of individuals regardless of where they reside.

Much has been written about the GDPR and its complex, burdensome requirements. In this piece we will focus only on one such requirement. As one of the initial GDPR thresholds for processing personal data of EU residents, the controller must determine which of the six lawful bases under the GDPR's Article 6 applies to such processing. If none of the six bases apply, such personal data processing would be deemed unlawful under the GDPR.
The six bases are: (1) an express consent of data subjects, (2) performance of a contract with the data subject or a request of the data subject before such contract is executed, (3) a legal obligation imposed by an EU or EU member state law, (4) vital interests of the data subject or another individual, (5) a public interest task or processing under official authority, and (6) legitimate interests of the controller or a third party.[1] We have outlined below the general considerations in support of our choice of using legitimate interests of the controller as the Article 6 basis for processing of personal data in the context of anti-bribery due diligence and rejecting each of the other five bases. In our analysis, we have been guided by the Article 29 Data Protection Working Party's Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, 36 (WP 217).

Express consent of data subjects

GDPR's Articles 4(11) and 7 make it clear that consent or authorization made by a representative of the third party on behalf of all data subjects would not be adequate under the GDPR. Obtaining the express consent of each individual data subject associated with a third party under review is not suitable or even feasible in the context of anti-bribery due diligence, because each of the potentially large number of data subjects would in effect be able to disrupt or significantly delay business relationships and business operations of at least two companies. This may occur even if a data subject does not have any objections to the processing of his or her data but fails to provide a timely response to a consent request through inaction or oversight. Even though a data subject's right to object in the context of the legitimate interests basis may lead to a similar result, a data subject's right to object is not absolute and may be overridden by a showing of compelling legitimate grounds for such processing, while a failure to provide consent and consent withdrawal do not have a similar mechanism.[2] The GDPR right of data subjects to withdraw their consent at any time and the right to data portability, which arises when processing is based on consent, would also be inappropriate for anti-bribery due diligence.

Moreover, anti-bribery due diligence by its nature seeks to prevent or detect unlawful acts. If data subjects engage in such acts, giving them the opportunity to preclude the due diligence review would prejudice the purposes of prevention or detection of unlawful acts.
Finally, for consent to be valid under the GDPR, it must be freely given, among other things. In circumstances where the failure by a data subject to give consent to anti-bribery due diligence may result in a loss of business, it is unlikely that the European data protection authorities would see such consent as freely given.

Performance of contract or request of data subject before contract

For this basis to apply, the data subject must be a party to the relevant contract, which would rarely be the case in the context of anti-bribery due diligence review. Even due diligence reviews of individuals or sole proprietorships typically involve processing of personal data of a number of data subjects beside the third party (e.g., basic personal information of business and financial references).

Legal obligation

In order to rely on the basis set forth in Article 6(1)(c), the legal obligation must: (1) be pursuant to the European Union or EU member state national law (e.g., the U.S. Foreign Corrupt Practices Act will not be sufficient because it is a foreign law in the EU), (2) be sufficiently clear as to the processing of personal data it requires[3] (the text of the Foreign Corrupt Practices Act and similar laws may not be sufficiently detailed about due diligence personal data processing requirements), (3) be directly applicable to the controller, and (4) the controller should not have an undue degree of discretion on how to comply with the legal obligation. Given such a high bar for the application of this basis for processing personal data, its use would require a case-by-case analysis for each due diligence review and lead to uncertain results. For this reason, this is not an appropriate basis for processing personal data as part of anti-bribery due diligence for non-EU entities.

Vital interests

This basis involves questions of life and death or, at least, threats that pose a risk of injury or other damage to the health of the data subject or another person.[4] For example, this basis would apply when a hospital processes personal data of an unconscious patient who is unable to give his consent to such processing or when healthcare officials process personal data while dealing with a health epidemic. Anti-bribery due diligence is important, but it does not involve questions of life or death.

Public interest task or processing under official authority

Recital 10 of the GDPR and Opinion WP 217 indicate that, to serve as the basis for processing personal data, public interest tasks typically need to derive from statutory laws or other legal regulations of the European Union or EU member states.[5] The Article 29 Working Party was explicit that tasks carried out in the public interest of a third [i.e., non-EU] country or in the exercise of an official authority vested by virtue of foreign [to the EU] law do not fall within the scope of this provision. Although this basis is relevant both to the public and private sector, the need for a case-by-case analysis and uncertainty of application hinder its usefulness for processing of personal data in the context of anti-bribery due diligence reviews by non-EU entities.
Legitimate interests

Based on our analysis, we have come to a conclusion that both the principal company and the third party undergoing anti-bribery due diligence have legitimate interests in complying with the anti-bribery legislation of their home countries and the countries where they operate to avoid criminal liability that may result in jail time for their officers and employees, significant fines, disruption to their business operations, and damage to their reputations. The importance of these legitimate interests is underscored by the fact that a potential violation of anti-bribery laws is considered one of the most serious corporate offenses, with recent enforcement actions resulting in penalties of tens and even hundreds of millions of dollars for companies and significant prison terms for individuals. Furthermore, the resulting loss in business and post-enforcement costs may equal or even exceed the criminal penalties under anti-bribery laws.

More generally, anti-corruption due diligence also represents compelling interests beneficial to society at large because anti-corruption due diligence plays a role in: (1) preventing corruption in the administration of government functions and in government procurements, (2) lowering the cost of bribery for taxpayers and society as a whole, (3) preserving equal access to the government, and (4) allowing law enforcement authorities to be more efficient in carrying out their duties.[6]

Next steps

The determination to rely on legitimate interests as the Article 6 basis for processing personal data should be followed by: (1) the analysis of the categories of personal data processed as part of due diligence and the necessity of such processing for pursuing the identified legitimate interests, to demonstrate that there are no other alternative, less invasive methods to pursue the legitimate interests of the controller; (2) the assessment of the impact of personal data processing on data subjects and the balancing of the controller's legitimate interests in personal data processing against data subjects' interests and fundamental rights that may potentially be impacted by anti-bribery due diligence (this step may require a formal data protection impact assessment under Article 35 of the GDPR); and (3) the implementation of a mechanism to make data subject notifications under Articles 13 and/or 14.

Other important GDPR issues for anti-bribery due diligence

Although we have focused on Article 6 of the GDPR, it should also be noted that personal data processing for anti-bribery due diligence purposes may also raise significant issues under Articles 9 and 10 of the GDPR when processing involves special categories of personal data (e.g., Politically Exposed Persons [PEP] data revealing political opinions) or criminal background information on individuals. A prohibition to inquire into individuals' criminal backgrounds will effectively eviscerate the anti-bribery vetting process. In fact, the most troubling part of the GDPR for anti-bribery due diligence may be its Article 10, which provides that the processing of personal data relating to criminal convictions and offences shall be carried out only under the control of official authority or when the processing is authorized by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.
To the author's knowledge, there is currently no such law in the European Union that specifically authorizes the processing of personal criminal background information for purposes of anti-bribery due diligence and includes appropriate safeguards. If this legislative gap is left unresolved by May 2018, companies may face a dilemma between complying with their international anti-bribery due diligence obligations or with the GDPR, with each option presenting a risk of an enforcement action and significant fines. Please contact the author if you are interested in learning more about the GDPR Article 10's potential obstacles to anti-bribery due diligence and a potential solution to these obstacles.

Notes

1. Intersoft Consulting: General Data Protection Regulation (GDPR). Available at http://bit.ly/2hzyjkg.
2. WP 217 at footnote 103. Available at http://bit.ly/2dckvkp.
3. WP 217 at 19. Available at http://bit.ly/2dckvkp.
4. WP 217 at 20; Recital 46 of the GDPR. Available at http://bit.ly/2dckvkp.
5. WP 217 at 21-22. Available at http://bit.ly/2dckvkp.
6. WP 217 at 35. Available at http://bit.ly/2dckvkp.