Since Directive 95/46 on the processing of personal data, all processing of personal data carried out in the scope of alternative dispute resolution mechanisms (ADR) must respect the legal framework applicable to the processing of personal data. There is no exemption for this kind of processing. This means that all processing of personal data must, among other things, respect the applicable principles (lawfulness, fairness and transparency, etc.), the rights of the data subjects and the rules applicable to the transfer of personal data to countries outside the European Economic Area (Third Countries). With the entry into force of the GDPR, all the mandatory duties of players participating in an ADR have become even more critical. Indeed, the GDPR placed the principle of “accountability” on the shoulders of controllers and imposes serious fines in case of infringement. In other words, arbitrators, mediators, experts, litigating parties, lawyers and other ADR players should carefully reassess their GDPR compliance and keep in mind the risk of serious consequences in case of non-compliance.
ADR and GDPR
Except when an exemption is provided by national law, the application of the GDPR to ADR is unquestionable. Without doubt, processing of personal data under ADR is also under the scrutiny of the territorially competent national Supervisory Authority. Indeed, the GDPR does not prohibit Supervisory Authorities from supervising arbitral courts and mediators, as it does for national courts. Consequently, except for rare exceptions provided by national law (for example, in Ireland, under certain conditions, some data subject rights are excluded in the scope of ADR), the GDPR is fully applicable and Supervisory Authorities have full power to control the compliance of processing done in the scope of an ADR.
Mediation versus Arbitration
Because mediations are “interest driven”, the parties, their counsel and the mediator will usually not exchange or have access to pre-existing documents. Processing of personal data will therefore usually be very limited in mediations (e.g. management of attendance lists for mediation meetings). These kinds of processing will not usually raise complex compliance issues. In case of transfers to Third Countries, the limited amount of personal data at stake will also make it possible to rely on one of the “Appropriate safeguards” or, failing that, the “Derogations for specific situations” provided by the GDPR.
That said, if a mediation involves the processing of a significant amount of personal data, then what is set out below in the context of arbitration also applies to that specific mediation.
Topics to keep in mind for Arbitration
Litigating parties, law firms, lawyers, arbitrators, arbitration centres, experts and other possible players in ADR should take a holistic approach to data protection. This means that, in principle, they should have integrated the processing of personal data for the sake of arbitration into their general data protection compliance. In other words, as for other possible processing (litigation, HR, marketing, accounting, etc.), these players should notably have a record of processing activities that lists, at the very least, the processing carried out, the purposes, the role (controller, joint controller, (sub)processor) and all other characteristics of the processing at stake (categories of data subjects, categories of personal data, categories of data recipients, transfers to third countries and safeguards used for these transfers, retention period, security measures applied to the processing). They must also fulfil all other duties they have in their role of controller, joint controller or processor for each and every usual/structural processing they carry out. That said, when doing so, they should be aware of specific issues raised by arbitration in general (e.g. possible transfers to Third Countries). They must also stay alert and adapt their processing and data protection documentation when they encounter particular issues in a specific arbitration.
Before starting an arbitration, the parties involved and their lawyers should already have a clear view for themselves about the categories of data they will probably process, the possible flows of data with the other party(ies), arbitrator(s) and other third parties (e.g. experts), and about the possible transfers abroad.
As controllers (most of the players in an arbitration will act as controllers: this is especially true of the litigating parties and their respective lawyers), the litigating parties and their lawyers will need to resolve for themselves all issues that relate to them (for example, the conclusion of a processing agreement with a vendor that will provide dedicated IT resources). For all GDPR issues that may be considered “common”, the litigating parties and the arbitrator(s) should address these issues at the initial conference and, when necessary, agree on the solution that they will follow.
Typically, after this initial conference, the parties agree on a protocol that details, at least, the mandatory agreements and tools they will need to draw up to conduct the arbitration, for example:
- Joint controllers’ agreement that reflects their respective roles and responsibilities;
- Appropriate safeguards for the transfer of personal data to Third Countries (especially in case of e-discovery);
- Data flow rules;
- Data minimization rules;
- Confidentiality rules;
- Security measures;
- Retention period for the data processed by arbitrator(s);
- Possible indemnification in case of infringement by one of the players.
Processing of personal data in the scope of ADR has to be compliant with the GDPR. If not, the competent national Supervisory Authority may sanction the players in an ADR that are not compliant. Players in ADR need to take care of their general compliance with the GDPR and integrate into it the processing of personal data for the sake of ADR. For all GDPR issues that may be considered “common”, the litigating parties and the arbitrator(s) should address these issues at the initial conference and, when necessary, agree on the solution that they will follow. These solutions have to be documented in a common protocol.