USING COMPETITION LAW BEST PRACTICES TO IDENTIFY COMPLIANCE RISKS IN GDPR AUDITS

25 June 2019
Kinstellar Team

• Zsombor Orbán, Managing Associate, Budapest. D: +36 1 4284 422, zsombor.orban@kinstellar.com
• Oana Costache, Senior Associate, Bucharest. D: +40 2 1307 1513, Oana-Carmen.Costache@kinstellar.com
• Adam Němec, Senior Associate, Prague. D: +420 2 2162 2153, adam.nemec@kinstellar.com
• Lukáš Mrázik, Associate, Bratislava. D: +421 2 5929 1165, lukas.mrazik@kinstellar.com
• Vladimír Šimkovic, Associate, Bratislava. D: +421 2 5929 1151, vladimir.simkovic@kinstellar.com

Agenda

1 Introduction
2 Data protection risk factors and fines
3 Lessons learnt from Competition Law


1 Introduction

Context

1. GDPR reshaped the role of data protection. Emerges into a top tier legal field.

2. One year into its applicability, sector regulations are being adopted, supervisory authorities are reorganising and are closing the first cases under the GDPR. Not all DPAs publish their enforcement actions and companies look for guidance on how to structure their priorities.

3. Many GDPR aspects and practices are inspired by competition law. Competition law may be a useful source for preparing for enforcement actions as (1) there are a number of similarities in the regulations and (2) data protection matters can often have a competition law perspective.

Key facts
Our Story

Leading independent fully integrated law firm in Emerging Europe and Central Asia

• 11 offices
• 200+ lawyers
• 8,000+ clients

Offices: Nur-Sultan (Kazakhstan), Almaty (Kazakhstan), Sofia (Bulgaria), Tashkent (Uzbekistan), Belgrade (Serbia), Bucharest (Romania), Budapest (Hungary), Istanbul (Turkey), Bratislava (Slovakia), Kyiv (Ukraine), Prague (the Czech Republic)

[Map: our offices and regional experience]

2 Data protection risk factors and fines

GDPR reception in CEE
Kinstellar GDPR audit findings

GOVERNANCE
• GDPR as a one-off exercise / no framework established
• Lack of resources and data protection roles added to “day job”
• Failure to identify personal data processing activities

INTERNAL PRACTICES
• Insufficient procedures (personal data breaches or DPIAs)
• Access controls limited to formal organisational measures with limited IT controls
• Insufficient data deletion / retention practices

NOTICE & CONSENT
• Vague privacy notices
• Over reliance on consent increasing risk of withdrawal of consent

SUPPLIER MANAGEMENT
• Missing data processing agreements
• Use of vague / template wording

Supervisory authorities in numbers
Enforcement Actions
Authorities focus on handling complaints and face significant workload resulting in delays.

• ROMANIA. Investigations: 981 (485 ex officio, 496 upon complaint). Examinations: Not applicable.
• HUNGARY. Investigations: 827. Examinations: 172.
• BULGARIA. Investigations: 0. Examinations: 162.
• SLOVAKIA. Investigations: 46. Examinations: 102 (17 ex officio, 85 upon complaint).
• CZECH REPUBLIC. Investigations: 37. Examinations: 31.

Fines
Authorities shied away from imposing large or many fines (so far).

• HUNGARY. Highest fine: €90,000. Total number of fines: 9 fines.
• ROMANIA. Highest fine: N/A. Total number of fines: 0 fines (+ 57 corrective measures and 23 warnings).
• BULGARIA. Highest fine: €50,000. Total number of fines: 2 fines (+ 30 sanctions).
• SLOVAKIA. Highest fine: €1,000. Total number of fines: 2 fines.
• CZECH REPUBLIC. Highest fine: €10,000. Total number of fines: 9 fines.

Data Breaches
Breach reporting rarely results in examinations or fines. Most breaches originate from employees.

• SLOVAKIA. No. of reported breaches: 87. Subsequent examinations: 1.
• CZECH REPUBLIC. No. of reported breaches: 433. Subsequent examinations: 23.
• HUNGARY. No. of reported breaches: 423. Subsequent examinations: cca. 90% of the cases.
• ROMANIA. No. of reported breaches: 398. Subsequent examinations: No information.
• BULGARIA. No. of reported breaches: 58. Subsequent examinations: 18 (medium risk) + 7 (high risk).

3 Lessons learnt from Competition Law

Role of data in competition law proceedings: Facebook/WhatsApp case (2017)

• Facebook falsely claimed to be unable to establish reliable automated matching between Facebook users' accounts and WhatsApp users' accounts
• Fine of €110 million imposed on Facebook

Role of data in competition law proceedings: Facebook Bundeskartellamt case (2019)

• Data collected on Facebook’s other services such as WhatsApp or Instagram and on third party websites using Facebook Application Programming Interface (such as “like” or “share” buttons) are combined and assigned to a user profile
• Users’ consent with such extensive data collection and combination was not considered given freely
• Facebook’s conduct could have been investigated both under the GDPR as well as under competition law
• No fine imposed, but Facebook must adapt its terms of service and data processing

Methodology of calculation of fines

• GDPR: fines of up to EUR 20 million or up to 4% of turnover in the preceding calendar year for undertakings
• Notion of “undertaking” under EU Competition law
  - Carrying out of economic activity is decisive
  - No need for a profit motive
• Which entities make up an undertaking?
  - Single economic entity doctrine – one undertaking can be made up of many legal entities
  - Presumption of control over wholly-owned subsidiaries
  - Exercise of decisive influence by shareholders must be analysed
  - Minority shareholders can be found to exercise decisive influence on an undertaking
  - Possibility to calculate fines from turnover of entire group supported by WP29 guidelines on setting of administrative fines under GDPR

Competition “Dawn Raids” vs. GDPR audits

Unannounced inspections at the premises of a company

Difference in EU/national nature of procedure

Investigative powers very broad, but not unlimited

Broad obligation of companies to co-operate

Potential heavy sanctions for failure to comply


Inside a dawn raid – DOs and DON’Ts

START OF RAID
• Check credentials of investigators
• Who to contact?
• Can they wait?

DURING THE RAID
• Expect requests for copying and explanations
• Arrange for shadowing
• Co-operation obligation broad but not unlimited
• Procedural rights of audited company

LEGAL PRIVILEGE
• EU-specific concept of privileged documents
  - Documents produced by external counsel
  - Documents produced exclusively for the purpose of seeking external legal advice
  - Internal notes summarising the content produced by external lawyers
• Will not apply to business secrets or advice of internal lawyers

Repurposing competition documents and procedures

1 Procedures
a) Dawn raid protocol
b) Incident management
c) Delegation of tasks to business teams

2 Trainings
a) Induction trainings
b) Regular trainings (e-learning)
c) Training of end customer service points (!)
d) Q&A’s

3 Other
a) Ensuring legal privilege
b) Regular supervision of procedures (internal audits)
c) Competition association practices – fine mitigation
d) Inspiration for sector codes

Time for Questions & Answers

www.kinstellar.com
Thank you!

Emerging Europe and Central Asia’s Leading Independent Law Firm

With offices in 11 jurisdictions and over 250 local and international lawyers, we deliver consistent, joined-up legal advice and assistance across diverse regional markets – together with the know-how
and experience to champion your interests while minimising exposure to risk.

ALMATY | KAZAKHSTAN, BELGRADE | SERBIA, BRATISLAVA | SLOVAKIA, BUCHAREST | ROMANIA, BUDAPEST | HUNGARY, ISTANBUL | TURKEY, KYIV | UKRAINE, NUR-SULTAN | KAZAKHSTAN, PRAGUE | CZECH REPUBLIC, SOFIA | BULGARIA, TASHKENT | UZBEKISTAN