Follow ACC Docket Online:  

ACC Europe Hosts GDPR Session in Copenhagen

Photo: ACC members in Europe visit ISS A/S’s headquarters in Copenhagen to learn about the impending European Union General Data Protection Regulation.


O n November 8, 2017, Morten Wind Lindegaard, global data privacy officer (DPO), and group vice president, welcomed ACC to ISS A/S’s headquarters in Søborg, a northern suburb within Greater Copenhagen. As expected with a company that specializes in hospitality, the service and facility were well suited for sharing ideas.

Many that were lucky enough to attend ACC Europe’s annual conference held in Lisbon, may have heard Lindegaard speak on the topic of practical implementation of the requirements under the new EU General Data Protection Regulation (GDPR).

Those in attendance in Copenhagen were similarly treated to a lively discussion, sharing best practices and practical information on how to properly implement the regulation. Lindegaard walked attendees through the work that is required to ensure compliance. This included defining roles and responsibilities, resources required to be successful, and how to handle data breaches.

In a more intimate setting, Lindegaard was able to delve into the nuts and bolts, including clear explanations and examples on data maps and ensuring the needed governance in case of a data breach.

There were also a few surprises, including identifying the types of sensitive information that might be collected in various countries or business units. This might include data on religious affiliation that might be collected in Germany or by catering staff making note of allergies and religious food preferences.

Lindegaard identified alternative channels for how sensitive information can end up being collected, including how vendors and third parties might find unexpected information.

Participants were able to ask questions and compare the risks related to the different types of data collected in different business areas. Those from the pharmaceutical industry that collected medical privacy information had a particular viewpoint.

Liability clauses and caps based on third-party risks and indemnity provisions were examined including how to limit exposure. Clarification was also made between the responsibilities of the data processor versus data controller.

Data breach and notification rules of various jurisdictions were discussed, including cross-jurisdictional issues and conflicts of law. Practical considerations were then highlighted including best practices to limit risks of a full-scale data breach. The do’s and don’ts of responding to request to delete information and risks of fines and other consequences were explained. This included information on the differences in handling data breaches that involved internal employees verses data breaches involving sensitive subject matter or details regarding minors.

It was evident that it is a daunting task to get a handle of the different types of data that a business collects in the ordinary course. However, the seminar attendees were motivated and inspired by all the work that Lindegaard had done for ISS and happy that he was willing to share his expertise so they could apply it to their own businesses.


The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.