This webinar discusses data access claims under competition law and data privacy requirements. With reference to three case studies, the webinar explores if, and how, third parties can obtain access to personal data collected by a company based on competition law. By discussing three unique scenarios, our speakers provide clear insight into how companies can effectively manage data access requests, and how best to approach making such a request.
Competition authorities can grant access to personal data under competition law
In some cases, competition law can constitute a legal obligation under the GDPR for companies to share personal data. In cases where an organisation has a dominant market position, and where a refusal to share personal data would impact effective market competition, the competition authority may order the company to grant access to personal data. Our speakers outline that this data sharing to third parties may not require the consent of the data subjects.
Best practices for managing data access requests and claims
In discussion of best practices, our speakers note the importance of consultation with the relevant supervisory authorities when managing data access requests. For instance, if an organisation is facing a data access claim, the involvement of data protection authorities in administrative or court proceedings may offer support to defend the non-disclosure of personal data. Alternatively, data protection authorities can advise on measures to protect personal data in making a request. For instance, if a third party is making a request, it is advisable that they include measures to notify and to offer opt in to data subjects.
The importance of considering requests on a case by case basis
The outcome of a data access request from the competition authority will depend on the type of personal data in question. By looking through three unique case studies, our speakers discuss that competition and data protection authorities need to consider requests in the context of sector-specific concerns and GDPR compliance. For example, our speakers discuss sharing personal data with advertisers. With reference to the ICO Update report into adtech and real time bidding of 20 June 2019, consent is considered the only lawful basis for sharing personal data with advertisers.
Implications of imposed data sharing decisions
Our speakers make reference to two key considerations with regard to imposed data sharing decisions from a competition authority. Firstly, if a competition authority rules that a company should disclose personal data, the company can charge a reasonable fee for sharing such data. Secondly, in the case of an imposed data sharing decision, the company does not need to verify whether the recipient of the data has a legal basis for processing.
HOW ONETRUST DATAGUIDANCE HELPS
OneTrust DataGuidanceTM is the industry’s most in-depth and up-to-date source of privacy and security research, powered by a contributor network of over 800 lawyers, 40 in-house legal researchers and 14 fulltime in-house translators. OneTrust DataGuidanceTM offers solutions for your research, planning, benchmarking and training.
OneTrust DataGuidance solutions are integrated directly into OneTrust products, enabling organisations to leverage OneTrust to drive compliance with hundreds of global privacy and security laws and frameworks. This approach provides the only solution that gives privacy departments the tools they need to efficiently monitor and manage the complex and changing world of privacy management.