The General Data Protection Regulation (GDPR) in the European Union (EU) celebrated its first birthday on 25 May 2019. The GDPR lays down rules relating to the protection of natural persons, with regard to the processing of personal data, and rules relating to the free movement of personal data. It adopts a stricter approach than its predecessor. This article begins by outlining the relevant provisions of the GDPR, in relation to arbitration, and proceeds to address issues that may arise during the different stages of an arbitral proceeding in relation to the lawful processing of personal data.

Arbitration is a dispute resolution mechanism whereby parties agree to submit a dispute to one or more arbitrators who issue a final and binding decision. Due to the often vast amounts of data – frequently personal data – that are the subject matter of arbitral disputes, users need to be vigilant of GDPR requirements. This is particularly the case where US-style discovery applies to the arbitral proceedings. It is worth mentioning that the administrative fines for non-compliance amount to €20m or 4 percent of the total worldwide annual turnover of the company, according to Article 83, paragraph five of the GDPR.

The relevant provisions of GDPR

The GDPR defines “personal data” as “any information relating to an identified or identifiable natural person”. An “identifiable natural person” is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, and so on. “Personal data” is thus any information which aids in identifying a natural person, such as emails, participation in a meeting and the signing of a contract, among others.

Jul-Sep 2019 issue

Freshfields Bruckhaus Deringer LLP