Experience / Use Cases

US-Cloud Act implications

Often overlooked when advising companies in regards to GDPR compliance are data protection implications of requests by law enforcement authorities that seek access to personal data in the possession of our clients. A predominant example has been the enactment of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) in the US introduced in March 2018. The CLOUD Act permits US law enforcement authorities to request data from US based service providers, even if such data is stored on European servers.

In a challenging project, we advised a European company whose parent company is established on US soil. Besides carving out the GDPR relevance of the CLOUD Act we also provided bespoke technical and organizational measures in regards to the management of the company but also the IT-Infrastructure in order to mitigate the risk of fines and criminal sanctions for our client in the area of conflict between EU and US legislation.

 

HR-Management

Several of our clients thrive to take decisions across the organization—from attracting the right talent to rewarding employees, benchmarking salaries and training staff.

From a data protection perspective there are several requirements to be addressed starting with assessing the processing operations, the applications involved, interfaces with corresponding applications such as time recording, ERP and BI-solutions, access rights and roles and questions related to cloud-services and transnational data transfers. Last but no least works councils demand their involvement and participation. We have supported several clients in implementing HR-Management Software such as Workday, SAP SuccessFactors, Cornerstone OnDemand or HRMS from Oracle. From mapping the application, assessing the processing operations according to 15 different jurisdictions and performing a DPIA till mediating different (data protection) positions between works councils and management.

 

Artificial Intelligence

Nowadays companies are turning to people analytics to improve their internal processes and attract the best talent in the market. By using people analytics in HR recruitment process companies gain an in-depth outlook of applicants, thus improving its personnel selection while making it fairer and more transparent. However, considered in the light of the GDPR, the use of these tools demands a stricter regime of protection. FIRST PRIVACY provides guidance in the implementation of people analytics at the workplace applying privacy by design and default principles.

 

Self-Driving-Cars

The interaction of self-learning algorithms and modern CCTV technology poses challenging questions for the privacy of individuals, such as the driver and other road users but also already in the development stages. FIRST PRIVACY provided guidance in several projects, advising on legislative deviations per country, proposing pragmatic solutions to information requirements and mitigating measures to overcome legislative hurdles.

 

Clinic Trials

FIRST PRIVACY has a long experience with pharma and medical device companies, chaperoning companies through the strict regulated legislative jungle of medical trials. Among other things, we support in performing required privacy impact assessments (PIA), create and negotiate data protection contracts between Sponsors, CRO and sites, advice on technical and organizational measures to be taken to secure data basis for trial data, review and adjust Informed Consent Forms as well as support with approval processed before data protection authorities. 

 

Data Breaches

A fast, hands on approach is needed in case of a data breach. FIRST PRIVACY steered several companies to complex data breaches, affected individuals in multiply jurisdiction. We evaluate the risk and advise the management as well as support with the notification to the authorities and communication to the affected individuals, if required. Due to our over 20 years of experience in the data protection sector, we have good relationships with the data protection authorities and monitor closely the threshold when notification obligations are triggered.