EU Policymakers · ATLAS
Julien MOUSNIER
European Commission · Director · JUST
What Julien MOUSNIER has said (7)
- “Yes, thank you very much and sorry if I had missed one question before. So here with the GDPR, that's really a very well-established piece of legislation where also our businesses have invested quite a lot in compliance over the years and where we have also a framework that's recognized and implemented with adequacy decisions with international partners. We have to progress very cautiously. Also, something that is very important is that we are really talking about fundamental rights, so that also is not excluding simplification, making life easier for business and avoiding some constraints for the citizen. But our line has really been to be very cautious. So the first bit that we propose now as part of the omnibus that we discussed clearly came out of implementation report and now the next step, of course, in collaboration with the colleagues, is also very much informed with this implementation dialogue and the feedback that we are receiving from the stakeholders. Here if you see the conclusions of this implementation dialogue of July that are public, you really see that one of the main conclusions from stakeholders is that this is a balanced legal framework which they feel has met its objective. Most of them have really cautioned about general reopening of the GDPR and you have some of the business stakeholders that have suggested targeted changes that could improve implementation. Likewise, what I just mentioned before, I think there is a consensus on ensuring better coherence on the implementation at national level. So here what I can tell you is that we are continuing the reflections on simplifications but they are really guided by this cautious approach and by this feedback that we are receiving from the stakeholders. Thank you.”
GDPR · Privacy & digital economy
- “Thank you very much, Mister Chair. Good afternoon to all and thanks a lot to Marie Helene for having set the scene so clearly. I will go a bit more into the detail on the amendments in this omnibus that are relating to the General Data Protection Regulation. They are threefold. First, the amendment of article thirty five of the GDPR on derogation from the GDPR recordkeeping obligations. Second, the amendments of article forty of the GDPR on the codes of conduct, and third, the amendment of article forty two GDPR on the certification schemes and data protection seals and marks. Of these proposed amendments, the one concerning the recordkeeping would have a direct effect on SMEs, SMCs and organizations with less than seven hundred fifty employees, so I will focus on that one. Just a quick recap on what are the rules under the current article thirty of the GDPR. All controllers and processors are obliged to keep records of their processing activities, which must contain information, for example, on the purpose of the processing, the category of data subject and personal data affected and the categories of recipients of those data. However, one exception, which is in the fifth paragraph of article thirty, applies. SMEs and organizations with less than two hundred fifty employees do not currently have to keep”
GDPR · Privacy & digital economy · Privacy & law enforcement
- “Okay, thanks a lot. Now maybe just a quick reaction on what you mentioned in terms of consistency in the national implementation. That is very true and there's something also that is very often coming out from the stakeholders. So here this is also part of the reflection on how to improve that. That's part of our discussion also, it is something that has been recognized by the European Data Board. They issued a statement in Helsinki. I'm not very lucky with this one, sorry. Yes, so the European Data Protection Board just issued a statement at their Helsinki conference, I think it was in June, where they also recognized the efforts that would need to be done in this context. So there are several ways to improve that without necessarily a massive shift and change in the organization of the GDPR, but this is something which is definitely part of the reflection and that came quite high up in our implementation dialogue. Thanks.”
Privacy & digital economy · Privacy & law enforcement
- “Thank you very much and thank you for the intervention here. I mean of course there's a lot of legislation because it's an area that evolves very quickly but I fully agree with you that there is a moment when one has to be in a position to pause and reflect and look also at the coherence between the different instruments and what could be made to improve their implementation without compromising also on the citizens' right. So that is really a very important part of this exercise that we are doing now with simplification and we also organized in July an implementation dialogue with stakeholders precisely to see from the business and the civil society perspective what we could do to improve the situation and indeed one of the elements that often came was that there should be a better coherence in the implementation. So that's the next step of our reflection as far as the GDPR is concerned is to follow-up on this implementation dialogue.”
GDPR · Privacy & digital economy
- “Thank you very much for those questions. So of course the objective is simplification and of course our objective would be not to add any further complexity. What we're trying to do is really make cuts to the bureaucracy where it makes sense. We are at the very outset of this exercise. When it comes to the GDPR, I'll give the floor to my colleague, so I'll comment on the other legislative files now. This all follows an analysis of the implementation of the regulation. We have spoken to stakeholders in civil society, we've spoken to companies, and we've tried to understand how we can go further whilst also staying focused on the objective that Mister Foss described. That's to say, when you touch one element of this legislation, then you can have a kind of cascade effect where everything else is affected. So we're going to be very careful about that. We'll have to have a close look at what the program would be and where the impact would ensue. But when it comes to competitiveness of European companies, then that is a central part of our thinking. As for assessing where there is a high risk, then I would refer you to Article Thirty-Five of the GDPR and that's how it has been interpreted by data protection authorities.”
GDPR · Privacy & digital economy
- “, maybe I think there was an intervention relating to the rights, the protection of the rights and the initiative that's on the table today. So here really I want to reiterate that the proposal does not change other GDPR obligations or data subjects' rights. So here with what we have on the table, small operators falling in the scope of the extended derogation must continue to comply with all other GDPR obligations and they must remain accountable for their compliance. So even if they do not have to keep records of processing, they would have to apply other suitable tools to organize their compliance with the GDPR. Also very importantly, the proposal respects the GDPR risk-based approach in laying down that only processing activities which are likely to cause a low risk to data subjects' rights are exempted from the recordkeeping obligation. And here to finish, it's also worth noting that the European Data Protection Board and the European Data Protection Supervisor support the simplification and clarification of the recordkeeping obligation in their joint opinion and welcome the fact that the proposed modifications are targeted and limited in nature and do not affect the core principle and other obligations under the GDPR. Thank you.”
GDPR · Privacy & digital economy
- “No problem at all, I didn't realize I was that quick, so I will go back to then the exception of paragraph five of article thirty with SMEs and organizations with less than two fifty employees do not currently have to keep records of certain processing activities. This exception applies as far as none of the following three conditions apply. The first is that the processing activity is not likely to result in a risk to data subjects' rights. The second is that the processing activity is only occasional or the third that the processing activity does not involve special categories of personal data or personal data on criminal conviction and offenses. So this was a brief recap of what we have now the GDPR recordkeeping which is twofold. First, it aims to clarify and simplify the current derogation from the recordkeeping obligation by introducing one threshold for recordkeeping, and second, it extends scope of the current derogation so that, in addition to SMEs and organizations with less than two fifty employees, it covers also small and mid caps and organizations with less than seven fifty employees, in accordance with the Commission's horizontal approach under this omnibus package that my colleague introduced to you. It is proposed that the clarification and simplification of the recordkeeping for the mentioned small operators is done by raising the thresholds for recordkeeping to high risk processing. This means that instead of the current three criteria there would be only one threshold and that should be the threshold of high risk. As a result, SMEs, SMCs and organizations with less than seven hundred fifty employees would be obliged to keep records only for those processing activities that are likely to result in a high risk to data subjects' rights and freedom as they are defined in article thirty five of the GDPR. This would be the case, for instance, if the processing activity involves special categories of personal data or data on criminal offense on large scale.
The notion of high risk is further clarified in the dedicated guidelines from the European Data Protection Board. In addition, guidance on the type of processing activities that are likely to cause a high risk is provided on the list that national data protection authorities are obliged to establish and make public in accordance with paragraph five of article thirty five of the GDPR. Here our proposal aims to respond to a specific request from SMEs, which have considered that the scope of the current recordkeeping derogation is too narrow and it applies in practice only to very limited situations. So this has been a long-standing request of SMEs, as reflected in the Commission's two reports on the application of the GDPR. What is important to note is that the proposed amendment do not affect in any way the data controller and processor substantial obligation or data subjects' rights under the GDPR. The data controllers and processor must continue to comply with other GDPR obligations and be also able to demonstrate their compliance, and this is in accordance with the accountability principle under article five of the GDPR. The proposed amendment would also respect the GDPR risk-based approach, as the derogation would only apply to those processing activities that can be considered to pose a low risk to data subjects' rights. For instance the law when a craftsman processes the name and contact details of his customers. Similarly where a small operator processes health data of its employees for the purpose of sick leave management would not normally trigger the threshold of high risk. As a result, the proposed targeted amendment of the GDPR recordkeeping obligation would not compromise the level of protection of individuals' right to data protection.
The proposed would bring more clarity, more legal certainties to SMEs, SMCs and organizations with less than seven fifty employees by laying out a single threshold for recordkeeping based on the notion of high risk in article thirty five of the GDPR. The proposal will also cut unnecessary red tape for smaller operators whenever their processing activities cannot be considered to cause a significant risk to data subjects' rights. Those entities would have more flexibility to choose the most appropriate way to organize their compliance with the GDPR. Thank you very much and I will leave it here.”
GDPR · Privacy & digital economy