The European Data Protection Supervisor (EDPS) recently issued an opinion on the European Commission’s proposal for a Regulation on European Union Geographical Indicators (GI) for wine, spirit drinks, agricultural products and quality schemes for agricultural products. As part of this review, the EDPS developed a list of data protection measures for processing personal data in the context of applications seeking GI registration. This article provides an overview of the twofold objectives of the GI Regulation and the data protection recommendations of the EDPS in this context. We use lessons learned from the opinion to outline a set of recommendations that may benefit any organisation’s procurement team, from a data protection perspective, when assessing new systems or programmes.
Background on the European Commission’s proposal on a GI Regulation:
A geographical indicator is a sign used for goods that have a specific geographical origin and possess qualities, reputation or characteristics that are essentially attributable to that place of origin. Geographical indicators are recognised as intellectual property and play an important role in trade negotiations between the EU and other countries. On considering the proposal, the EDPS found its objectives to be twofold:
- To ensure the effective protection of Intellectual Property Rights (IPR), including GIs, in the European Union (EU); and
- To encourage the filing of GI registrations across the EU to bring about economic development of the rural and agricultural sectors.
The proposal also contemplates a twofold scrutiny of GI applications: first by the national authorities of the EU Member States and, subsequently, a pan-European review carried out by the European Commission with the help of the European Union Intellectual Property Office (EUIPO).
Data Protection recommendations by EDPS:
While considering the proposal from a data protection perspective, the EDPS provides the following observations:
- While Article 3 of the proposal identifies the need to assign the European Commission and the state authorities the role of Controllers, it does not make reference to the potential role of the EUIPO. Therefore, the EDPS recommends that the relationship between the EUIPO and the European Commission, when the EUIPO assists in assessing GI applications, be identified as a Joint Controllership.
The EDPS further recognises the need to codify the relationship between joint controllers through an agreement. It also highlights that a joint controllership exists when two or more entities determine the purposes and means of processing for a project, as set out in Article 26 of the GDPR.
- The EDPS recommends that “Public Interest” must be the lawful basis for the potential processing of personal data by the European Commission and the EUIPO. This would allow both organisations to execute their duties, such as scrutinising applications, considering oppositions and issuing official comments or decisions in certain cases.
- A clarification within the proposal regarding the categories of personal data that would be processed by way of the application is also recommended by the EDPS. Additionally, as the proposal contemplates certain disclosures involving personal data, the categories of data being disclosed should also be made clear at the outset.
- Lastly, as the proposal contemplates a long retention period of 10 years for the personal data processed, the EDPS strongly recommends that this period be reconsidered, or reinforced with a clear justification. The recommendation is based on the fundamental principles of purpose limitation and storage limitation.
In listing suggestions to improve the proposed GI Regulation from a data protection perspective, the EDPS has relied on certain fundamentals of data protection law. These fundamentals can help any organisation’s procurement team to strengthen and improve data protection compliance. As such, we have prepared an end-to-end list of recommendations that will assist an organisation’s procurement team. Our recommendations are based on, and overlap with, many of the EDPS fundamentals, such as clarity on the nature of the agreement, the lawful basis, the kind of data being processed, and its retention. While the EDPS focuses on what the fundamentals should be, we use an operational approach to suggest how to ensure these fundamentals are effectively addressed:
- We recommend that a data protection by design and default approach be adopted prior to commencing the steps to procure a service provider. It is therefore essential for any organisation to chalk out the exact processing activity it wishes to undertake and, accordingly, make data protection the priority and the starting point of the new project, including the identification of the data protection roles, i.e. controller, joint controller, or processor.
- Subsequently, a lawful basis should be identified by the organisation in the early steps of the project. A lawful basis is one of the most critical parts of any processing activity and it is closely connected to the basic necessity of the processing activity.
- The potential development of a Data Protection Impact Assessment (DPIA) to identify the risks arising from the context is also recommended. A DPIA must consider all principles of the GDPR, including storage limitation. Once the risks are known, we recommend that organisations survey the marketplace for an appropriate third party service provider that could help develop the DPIA as well as mitigate the risks.
- Select a group (more than one) of prospective processors or third party service providers. We recommend that more than one service provider is considered so as to assess the best candidate in light of the risks involved. Their appropriateness could be tested through a due diligence process with a strong data protection perspective included in the assessment. To that end, a detailed due diligence questionnaire may be forwarded to each service provider. The questionnaire may seek information such as ISO certifications, previous data incidents or breaches, technical and organisational measures, and international data transfers. The due diligence questionnaire is a good tool to demonstrate accountability as per Article 5(2) of the GDPR.
- After the selection of a service provider, the organisation must define the terms of the relationship by way of a data processing agreement (controller to processor) OR a joint controllership agreement (controller to controller). In particular,
- The agreement should be drafted for the particular processing activity, including the clauses required by Article 28 of the GDPR in case the relationship is fixed as Controller-Processor.
- It is highly recommended that the DPO or the data protection team participates in the process of drafting the agreement.
- Lastly, we recommend setting a process to guarantee the review of the agreement in place, with the involvement of the DPO or the data protection team of the organisation, to ensure it is in line with the latest developments.
- Additionally, we recommend that the processing activities are also updated in the Record of Processing Activities maintained by the organisation.
Through this article we have considered the data protection improvements suggested by the EDPS to the proposed GI Regulation, based on fundamental aspects of data protection law that all organisations must consider. By following our list, an organisation can ensure data protection compliance from the inception stage of a project through to its implementation stage.
If you wish to talk more about the issues discussed in this article or any other matter concerning Data Protection, please visit the Trilateral Data Governance page and do not hesitate to contact a member of Trilateral Research’s DPO team who will be happy to assist you in full.