Trade secrets and data protection (between rights and obligations) - CONFERENCE MATERIAL
CONFERENCE MATERIAL: Trade secrets and data protection (between rights and obligations). Monday 4 June, 14:00 - 15:00
Data protection: between obligations and rights. GDPR – TRADE SECRETS – NIS. Philippe LAURENT. See also the article “L’intérêt des secrets bien gardés” published in Classe Export Magazine no. 18, available at: https://www.awex-export.be/fr/medias/classe-export-magazine-18-novembre-2017 . Independent full-service business law firm located in Brussels. 4 June 2018
• Reputation
• Commercial argument (“seriousness”)
• Competitiveness
• Condition for IP protection (patents, designs/models, trade secrets, …)
• Contractual obligations (NDA)
• Legal obligations – liability – protection of personal data (GDPR) – sector-specific regulations (e.g. professional secrecy, NIS)
Processing of personal data = an operation or set of operations applied to any data relating to identified or identifiable natural persons (= Data Subjects)
Controller = determines the purposes and means of the processing. Processor = processes personal data on behalf of the controller (= a “means”)
Data subjects around the COMPANY: SHAREHOLDERS, MEMBERS, PARTNERS, HR, PR, SUPPLIERS, PROSPECTS, CUSTOMERS, CONSUMERS, END USERS, VISITORS, INTERNET USERS, BENEFICIARIES, CONTACT PERSONS
social networks, cloud computing, e-marketing, IoT, e-health, big data, smart city, artificial intelligence
Why should I comply?
Because it’s the law! [Image: engraving by Gustave Doré (Strasbourg, 6 January 1832 – Paris, 23 January 1883)]
Article 1382 Civil Code: Fault => Damage => Reparation (compensation)
Because of the penalties! [Image: https://commons.wikimedia.org/wiki/File:Parking_ticket_in_Cambridge_(2008-04-01).jpg]
Administrative fines: up to EUR 20M / 4% of worldwide annual turnover
Because of the other corrective measures! [Image: https://pixabay.com/nl/startonderbreker-wiel-klauw-1258099/]
such as:
• suspension of processing operations and data flows
• definitive/temporary limitation
• total ban
Because your customers demand it!
Customer = data subject, controller, or any other well-informed customer. You = controller / processor
Because your competitors are watching you!
Illegal activity = unfair trade practice (cease-and-desist actions, compensation, …)
Because your reputation is at stake! [Image: found everywhere on the web (10+ pages of Google Images results): author not found]
Compliance and data management are a matter of trust…
Summary: in case of infringement, where do the threats come from?
• Supervisory authority
• Customers
• Competitors
• Data subjects (! class actions)
From DIRECTIVE 95/46/EC => to the GDPR. Now: Privacy Directive. EU: Directive 95/46/EC. BE: Law of 8 December 1992 + Royal Decrees + specific laws. GDPR: 25 MAY 2018. EU: Regulation 2016/679 (GDPR). BE: specific laws
Controller’s obligations: DIRECTIVE
• Lawfulness of processing
• Notification to the Privacy Commission
• Information to data subjects
• Respect for data subjects’ rights (access, rectification, objection)
• Confidentiality and security of processing => measures / supervised processor
• Transfers outside the EU
Controller’s obligations: GDPR
• Lawfulness of processing
• Notification to the Privacy Commission, replaced by governance & “accountability” (register of processing activities)
• Information to data subjects (extended)
• Respect for data subjects’ rights (access, rectification, objection) + restriction, portability, …
• Confidentiality and security of processing => measures / supervised processor, extended contract, “data protection by design” & “data protection by default”, DPO, impact assessment, data breach notification
• Transfers outside the EU
+ obligations of the processor!
General principles to be respected (unchanged)
• Lawful, fair & transparent processing (Lawfulness)
• Specified, explicit & legitimate purposes + compatible re-use (Purpose limitation)
• Adequate, relevant, non-excessive data (necessity) (Minimisation / Proportionality)
• Accurate and up-to-date data (Integrity)
• Non-excessive duration (Minimal retention)
• Adequate protection (Security)
Legal bases for processing (unchanged, except…)
• Legal obligation
• Performance of a contract
---------------
• Legitimate interest > interests of the data subject => impact assessment! “Risk-based approach”
• Consent: extended (definition / forms / minors)
---------------
• Protection of vital interests
• Public interest
Security
• Appropriate organisational and technical measures in relation to the risks, including, among others and as needed:
– pseudonymisation and encryption of data;
– ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services;
– the ability to restore the availability of and access to data in a timely manner in the event of a physical or technical incident;
– a process for testing, assessing and evaluating the effectiveness of the measures
• Risk-based approach
• Consider: adherence to an approved code of conduct or certification
• Keep control over employees & processors (privacy policies, access control, …)
NEW – Privacy by design / Privacy by default
• Data protection by design: integrate the necessary safeguards into the processing (at the time the means are determined) (pseudonymisation, data minimisation, …)
• By default, process only the data necessary for each specific purpose of the processing. This applies to:
– the amount of data collected,
– the extent of its processing,
– its retention period and its accessibility
By default, data are not made accessible to an indefinite number of individuals (e.g. social networks)
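The two slides above name pseudonymisation and data minimisation as concrete measures without showing what they look like in a system. The following Python is an added illustration, not code from the conference material or from the speaker's firm: it pseudonymises direct identifiers with a keyed hash (HMAC-SHA256, so that the secret key is the separately held "additional information" that prevents attribution) and applies privacy by default as a purpose catalogue, so that each declared purpose receives only the fields it needs, for a bounded retention period, and an undeclared purpose receives nothing. The record layout, the purpose names, the retention periods and the key are all constructed for the example.

```python
"""Keyed pseudonymisation and privacy-by-default field minimisation.

Added illustration, not code from the conference slides. The record layout,
the purpose catalogue and the key are constructed for the demo.
"""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample record: direct identifiers mixed with the data a
# specific purpose actually needs.
SAMPLE_RECORD = {
    "email": "alice@example.com",
    "full_name": "Alice Example",
    "phone": "+32 2 555 0100",
    "country": "BE",
    "order_total_eur": 149.90,
    "order_date": "2018-06-04",
}

DIRECT_IDENTIFIERS = ("email", "full_name", "phone")

# Privacy by default, expressed as data: each purpose lists the only fields
# it may receive in clear, the identifiers it may receive only as a pseudonym,
# and how long the result may be kept. Anything not listed is never copied.
# (Purpose names and retention periods are constructed for the example.)
PURPOSES = {
    "sales_analytics": {
        "keep": ["country", "order_total_eur", "order_date"],
        "pseudonymise": ["email"],  # stable reference for joins, not readable
        "retention_days": 365,
    },
    "order_fulfilment": {
        "keep": ["email", "full_name", "country", "order_total_eur", "order_date"],
        "pseudonymise": [],
        "retention_days": 30,
    },
}


def pseudonymise(value: str, key: bytes) -> str:
    """Replace an identifier by an HMAC-SHA256 pseudonym.

    A plain SHA-256 of an e-mail address can be reversed by hashing candidate
    addresses; the secret key, stored apart from the data set, is the
    'additional information' that keeps the pseudonym from being attributed
    to a person without it.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def contains_direct_identifier(record: dict) -> bool:
    """True if any raw direct identifier survived in the record."""
    return any(field in record for field in DIRECT_IDENTIFIERS)


def minimise(record: dict, purpose: str, key: bytes, today: date) -> dict:
    """Build the view of `record` that `purpose` is allowed to see.

    Unknown purposes get nothing rather than everything: that is the
    'by default' part.
    """
    if purpose not in PURPOSES:
        raise ValueError(f"no processing purpose declared for {purpose!r}")
    spec = PURPOSES[purpose]
    out = {field: record[field] for field in spec["keep"] if field in record}
    for field in spec["pseudonymise"]:
        if field in record:
            out[field + "_pseudonym"] = pseudonymise(str(record[field]), key)
    # The retention limit travels with the data so a deletion job can enforce it.
    out["delete_after"] = (today + timedelta(days=spec["retention_days"])).isoformat()
    return out


def demo(key: bytes, today: date = date(2018, 6, 4)) -> dict:
    """Return the view each declared purpose receives for SAMPLE_RECORD."""
    return {purpose: minimise(SAMPLE_RECORD, purpose, key, today) for purpose in PURPOSES}


if __name__ == "__main__":
    # The key would normally come from a secrets store; constructed here.
    demo_key = b"constructed-demo-key-not-for-production"
    for purpose, view in demo(demo_key).items():
        print(purpose, "->", view, "| direct identifiers:", contains_direct_identifier(view))
```

The analytics view can still be joined across orders through `email_pseudonym`, but it carries no e-mail, name or phone number, and a different key yields a different pseudonym, so the data set alone does not identify anyone. The check `contains_direct_identifier` is the kind of assertion a test suite can run over every export to catch a purpose definition that accidentally lists an identifier in `keep`.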
NEW – Impact assessment
• If high risk (e.g. new technology), and in any case if:
– automated decision-making (+ profiling) with significant effects
– large-scale processing of sensitive data
– systematic large-scale monitoring of a publicly accessible area
– + check the supervisory authority’s list
• Before the processing: impact assessment
• Prior consultation of the supervisory authority if the assessment indicates that there would be high risks in the absence of measures taken by the controller to mitigate the risk.
EXT. – Processors
• Use processors that provide sufficient guarantees regarding the adoption and observance of appropriate technical and organisational measures
• Processing: only on the controller’s instructions
• CONTRACT (!): subject-matter, duration, nature and purposes of the processing, type of data, categories of data subjects, obligations and rights of the controller…
• CLAUSES (see GDPR)
• COMMISSION / supervisory authority: adoption of standard clauses (?)
TRADE SECRETS
TOWARDS EU HARMONISATION
• International treaties (Paris, TRIPS, …)
• Discrepancies between national laws
• No general (horizontal) law in BE
• Protection of know-how & trade secrets in employment agreements
• Obligation of professional secrecy for specific professions (e.g. lawyers, public notaries)
• Honest trade practices / unfair competition
• Contract law (NDA)
Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (Text with EEA relevance) => transposition 9 JUNE 2018
Definitions • ‘trade secret’ means information which meets all of the following requirements: (a) it is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question; (b) it has commercial value because it is secret; (c) it has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret;
Definitions • ‘trade secret holder’ means any natural or legal person lawfully controlling a trade secret; • ‘infringer’ means any natural or legal person who has unlawfully acquired, used or disclosed trade secrets; • ‘infringing goods’ means goods whose design [in fr "conception"], characteristics, functioning, manufacturing process or marketing significantly benefits from trade secrets unlawfully acquired, used or disclosed.
Lawful acquisition, use and disclosure • The acquisition of trade secrets shall be considered lawful when they are obtained by any of the following means: (a) independent discovery or creation; (b) observation, study, disassembly or test of a product or object that has been made available to the public or that is lawfully in the possession of the acquirer of the information who is free from any legally valid duty to limit the acquisition of the trade secret; (c) exercise of the right of workers or workers' representatives to information and consultation in accordance with Union and national law or practices; (d) any other practice which, under the circumstances, is in conformity with honest commercial practices.
Lawful acquisition, use and disclosure • The acquisition, use and disclosure of trade secrets shall be considered lawful to the extent that such acquisition, use or disclosure is required or allowed by Union or national law.
Unlawful acquisition, use and disclosure • The acquisition of a trade secret without the consent of the trade secret holder shall be considered unlawful, whenever carried out by: (a) unauthorised access to, appropriation of, or copy of any documents, objects, materials, substances or electronic files, lawfully under the control of the trade secret holder, containing the trade secret or from which the trade secret can be deduced; (b) any other conduct which, under the circumstances, is considered contrary to honest commercial practices;
Unlawful acquisition, use and disclosure • The use or disclosure of a trade secret shall be considered unlawful whenever carried out, without the consent of the trade secret holder by a person who is found to meet any of the following conditions: (a) have acquired the trade secret unlawfully; (b) be in breach of a confidentiality agreement or any other duty not to disclose the trade secret; (c) be in breach of a contractual or any other duty to limit the use of the trade secret.
Unlawful acquisition, use and disclosure • The acquisition, use or disclosure of a trade secret shall also be considered unlawful whenever a person, at the time of acquisition, use or disclosure, knew or should, under the circumstances, have known that the trade secret was obtained directly or indirectly from another person who was using or disclosing the trade secret unlawfully within the meaning of paragraph 3. • The production, offering or placing on the market of infringing goods, or import, export or storage of infringing goods for those purposes, shall also be considered an unlawful use of a trade secret when the person carrying out such activities knew, or should, under the circumstances, have known that the trade secret was used unlawfully within the meaning of paragraph 3.
Exceptions • Member States shall ensure that the application for the measures, procedures and remedies provided for in this Directive is dismissed when the alleged acquisition, use or disclosure of the trade secret was carried out in any of the following cases: (a) for exercising the right to freedom of expression and information as set out in the Charter of Fundamental Rights of the European Union, including respect for freedom and pluralism of the media; (b) for revealing a misconduct, wrongdoing or illegal activity, provided that the respondent acted for the purpose of protecting the general public interest; (c) the trade secret was disclosed by workers to their representatives as part of the legitimate exercise of their representative functions in accordance with Union or national law, provided that such disclosure was necessary for that exercise; (d) for the purpose of protecting a legitimate interest recognised by Union or national law.
Measures, procedures and remedies
GENERAL CHARACTERISTICS:
• fair and equitable;
• not unnecessarily complicated or costly + timely
• effective and dissuasive
• proportionate
• no barrier to trade
• safeguards against abuses
LIMITATION PERIOD: (national law - not exceeding 6 y.)
LEGAL PROCEEDINGS: preservation of confidentiality of trade secrets in the course of legal proceedings
Measures, procedures and remedies
CIVIL REDRESS:
• Provisional and precautionary measures (provisional cessation, prohibitions to use or disclose the TS, prohibition to produce, offer, … infringing goods, seizures, …)
Evidence: a TS exists / the applicant holds the TS / TS “infringement”
Consider: value / the measures taken to protect the trade secret / conduct of the respondent / impact / legitimate interests / public interest / and safeguard of fundamental rights.
Measures, procedures and remedies
CIVIL REDRESS:
• Injunctions and corrective measures (cessation, prohibition, destruction of documents, recall/destruction of infringing goods, …). Same considerations: value, protection measures, …
• Indemnities for damages
• Publication of the decision
NIS
DIRECTIVE (EU) 2016/1148 of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union Transposition deadline: 10 May 2018. By 9 November 2018, for each sector and subsector referred to in Annex II, Member States shall identify the operators of essential services with an establishment on their territory.
NIS Directive (2016/1148) of 6 July 2016
• Each Member State adopts a national strategy on the security of network and information systems
• Cooperation Group: cooperation and the exchange of information among Member States
• Each Member State has a computer security incident response team (CSIRT)
• A network between CSIRTs is created
• Security and notification requirements for – operators of essential services (energy, transport, banking, financial market infrastructures, health, drinking water supply) and – digital service providers (online marketplace, search engine, cloud service)
• Network and information system: (a) electronic communications network: transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed; (b) any device or group of interconnected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data; or (c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance.
• Operator of essential services: a public or private entity of a type referred to in Annex II (energy, transport, banking, financial market infrastructures, health sector, drinking water supply and distribution, digital infrastructures) which meets the criteria laid down in Article 5(2): (a) it provides a service which is essential for the maintenance of critical societal and/or economic activities; (b) the provision of that service depends on network and information systems; (c) an incident would have significant disruptive effects on the provision of that service.
• Digital service provider: any legal person that provides a digital service (a service within the meaning of point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council which is of a type listed in Annex III) (online marketplace, online search engine, cloud computing services)
• Appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems.
• Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk posed, and [Digital Services] shall take into account the following elements:
– the security of systems and facilities;
– incident handling;
– business continuity management;
– monitoring, auditing and testing;
– compliance with international standards.
• Appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of services, with a view to ensuring the continuity of those services.
• Obligation to notify, without undue delay, the competent authority or the CSIRT of incidents having a significant impact on the continuity of the services they provide. Notifications shall include information enabling the competent authority or the CSIRT to determine any cross-border impact of the incident.
Philippe LAURENT, philippe.laurent@mvvp.be, Lawyer – Marx Van Ranst Vermeersch & Partners (MVVP), DPO as a service
Intellectual property (copyright, trademarks, designs and models, patents, trade names, domain names, databases, confidentiality, trade secrets, …): protection, management, strategy, advice, clearing, contracts, licensing, litigation.
ICT law: e-commerce, internet law, cloud computing, outsourcing, software, open source, services, SLAs, terms of use, liability, warranties, supply chain management, …
Commercial and distribution law: contracts, disputes, e-commerce, distribution, franchising, agency, market practices, consumer protection, advertising, marketing, promotion, games, regulatory aspects, standards, …
Data protection and privacy: strategy, advice, compliance, litigation, management of sensitive and critical data, complex processing, « whistleblowers », employee monitoring, outsourcing, transfers outside the EU, privacy policies, …