The GDPR is an EU Regulation that became effective in all EU member states on 25 May 2018. It has been implemented and supplemented in the UK by the Data Protection Act 2018 and replaced and repealed the Data Protection Directive (95/46/EC)(Data Protection Directive) which was implemented in the UK by the Data Protection Act 1998(DPA1998).
WHY WAS THE GDPR BROUGHT IN?
There were quite a few reasons as to why the GDPR was introduced. These include:-
- to respond to new technological developments that have affected the ways that we collect and hold data and the way in which individuals and organisations communicate and share information (such as the internet, the cloud and use of social media);
- to put in place a harmonized framework for the protection of personal data (as the implementation of the data protection directive resulted many different approaches to the protection of personal data across members states) although in practice members states have flexibility in some areas.
- to apply to the processing of personal data by controller or processer in the EU regardless of whether the processing takes place in the EU (the GDPR also applies where personal data of data subjects in the EU is processed by a controller or processer not established in the EU where either goods or services are being offered to data subjects in the EU or the behaviour of data subjects is being monitored where that behaviour takes place in the EU).
WHAT DOES THE GDPR DO?
Substantially the GDPR extends the rights of data subjects with respect of their personal data including their rights to access, rectification, erasure, datable portability and several others. Perhaps one of the most important parts of the GDPR is the increased regulatory powers for data protection commissioners which have the power to impose fines of up to 4% of global turnover of the proceeding financial year or 20,000,000.00 Euros (whichever is the greatest) for the most serious violations and up to 2% of annual worldwide turnover of the proceedings financial year or 10,000,000.00 Euros (whichever is the greatest) for other violations.
The key principles of the GDPR is that there has been several principles which controllers and processors must comply with processing personal data. These form the core of the obligations on controllers and include the following.
- Lawfulness, Fairness and Transparency
- Purpose Limitation
- Data Minimisation
- Accuracy
- Storage Limitation
- Integrity and Confidentiality
- Accountability
WHAT WILL HAPPEN TO THE GDPR POST-BREXIT?
The GDPR will still be relevant to the UK entities following Brexit as the GDPR has been incorporated into UK Domestic Law following the Data Protection Act 2018.
HOW IS GDPR RELEVANT TO THE CONSTRUCTION INDUSTRY?
In relation to construction, the GDPR is applicable and relevant to the fast paced dispute resolution mechanisms available to the construction industry. Of concern is the GDPR and dispute resolution process with regard to the disclosure of documents. What happens if a party to litigation is ordered to disclose documents that are subject to GDPR data protection constants? In the context of the English Court litigation, any contradiction is addressed by provision in the GDPR recognising that processing of data is lawful where it is necessary to comply with the legal obligation – which should include a Court Order to disclose documents. However, the position is less clear in relation to other dispute resolution methods. It is possible that one of the GDPR’s other lawful grounds such as legitimate interests may be relevant but this has yet to be tested. Even if using personal data is permitted, the GDPR may operate to minimise the extent to which that is allowed.
ADJUDICATION IN CONSTRUCTION
Whilst at the present time we are not aware of any official guidance on status of Adjudication in the GDPR regime, the Adjudication shares certain characteristics with Arbitration, it also has a statutory background whereby it is implied into many construction contracts. As such, there may be scope for argument that using personal data in Adjudication is necessary to comply with the legal obligation under Article 6(1)(C) of the GDPR with again with legitimate interest as an alternative.
WHAT ABOUT STANDARD CONSTRUCTION CONTRACTS?
The only publisher of the standard full building contracts or professional appointments to address the GDPR in their contracts is the NEC which published a practicing note back in April 2018. The NEC does not propose amending any contractual core or optional clauses. Instead, it suggests “data management” wording that can be added to the contractual scope. Aside from the NEC at the current time there are no building contracts for professional appointments that have made a specific amendments addressing the GDPR. However, many contracts are now incorporating amendments as incidental to their contracts such as the JCT.
The changes that the GDPR and the Data Protection Act 2018 have made to the construction industry at the present time have been evidenced and will become more prolific as time goes by. It is anticipated moving forward that contracts will need to be checked, approved and amended to ensure that they are compliant with the GDPR and Data Protection Act 2018. If you are in any doubt as to whether or not your construction contract adheres to GDPR legislation, please contact our GDPR expert, Charlotte Woolven-Brown for more information on 01277 221010 or email charlotte@sanderswitherspoon.co.uk.
