After four years of preparation and debate, the General Data Protection Regulation (GDPR) was finally approved by the European Parliament on 14 April 2016. It entered into force 20 days after its publication in the Official Journal of the EU and applies directly in all Member States two years after that date. Date of application: 25 May 2018, from which point organisations face large fines for non-compliance.

The GDPR replaces the Data Protection Directive 95/46/EC. It was designed to harmonise data privacy laws across Europe, to protect and empower the privacy of EU data subjects, and to reshape the way organisations in the region approach data privacy. Its purpose is to protect all EU data subjects from privacy and data breaches in an increasingly data-driven world that is very different from the one in which the 1995 Directive was established. Although the key principles of data privacy still hold true to the previous Directive, many changes have been made to the regulatory policies; the key points of the GDPR, as well as information on the impact it will have on business, can be found below:
- Increased territorial scope (extra-territorial application)
Arguably the biggest change to the regulatory landscape of data privacy is the extended jurisdiction of the GDPR: it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company's location. Previously, the territorial applicability of the Directive was ambiguous and referred to data processing "in the context of the activities of an establishment". This question has come up in a number of high-profile court cases.
The GDPR makes its applicability very clear: it applies to the processing of personal data by controllers and processors established in the EU, whether or not the processing takes place in the EU.
The GDPR also applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to data subjects in the EU (whether or not payment is required) and the monitoring of behaviour that takes place within the EU.
Non-EU businesses processing the data of EU data subjects will also have to appoint a representative in the EU.
- Penalties
Organisations in breach of the GDPR can be fined up to 4% of their total annual worldwide turnover or EUR 20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, for example not having sufficient customer consent to process data or violating the core Privacy by Design concepts.
There is a tiered approach to fines: for example, a company can be fined 2% for not keeping its records of processing in order (Article 30), for not notifying the supervisory authority and the data subject about a breach, or for not conducting a data protection impact assessment.
It is important to note that these rules apply to both controllers and processors, meaning that "clouds" (cloud service providers) will not be exempt from GDPR enforcement.
- Exceptions – situations where GDPR is not applicable
GDPR does not apply to the processing of personal data:
- For activities that fall outside the scope of EU law (e.g. national security activities);
- In the context of the EU's Common Foreign and Security Policy;
- By competent authorities for the purposes of preventing, investigating, detecting or prosecuting criminal offences and related matters;
- By the EU institutions, where Regulation (EC) No 45/2001 applies instead of the GDPR. That Regulation needs to be updated to ensure consistency with the GDPR;
- By a natural person in the course of a "purely personal or household activity" (see, for example, Bodil Lindqvist, Case C-101/01).
- Consent
The conditions for consent have been strengthened, and companies will no longer be able to rely on long, illegible terms and conditions full of legalese: the request for consent must be given in an intelligible and easily accessible form, with the purpose of the data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
- Rights of the data subjects – breach notification
Under the GDPR, breach notification becomes mandatory in all Member States where a data breach is likely to "result in a risk to the rights and freedoms of individuals". The supervisory authority must be notified within 72 hours of the controller first becoming aware of the breach. Data processors will also have to notify their customers, the controllers, "without undue delay" after becoming aware of a data breach.
- Right of access
Part of the expanded rights of data subjects outlined by the GDPR is the right of data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. In addition, the controller must provide a copy of the personal data, free of charge, in an electronic format. This is a dramatic shift towards data transparency and the empowerment of data subjects.
- The right to be forgotten
Also known as data erasure, the right to be forgotten entitles the data subject to have the data controller erase his or her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
The conditions for erasure, as set out in Article 17, include the data no longer being relevant to the original purposes of processing, or the data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the subject's rights against "the public interest in the availability of the data" when considering such requests.
- Data portability
The GDPR introduces data portability: the right of a data subject to receive the personal data concerning them, which they have previously provided, in a "structured, commonly used and machine-readable format", and the right to transmit that data to another controller.
- Privacy by Design
Privacy by Design as a concept has existed for years, but it only becomes part of a legal requirement with the GDPR. At its core, Privacy by Design calls for the inclusion of data protection from the onset of the design of systems, rather than as an addition.
More specifically, "The controller shall … implement appropriate technical and organisational measures … in an effective way … in order to meet the requirements of this Regulation and protect the rights of data subjects". Article 25 calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimisation), and to limit access to personal data to those who need to carry out the processing.
- Consent of children
Article 8 sets the conditions for processing a child's personal data on the basis of consent in relation to online services offered directly to a child:
- such processing is lawful where the child is at least 16 years old;
- where the child is under 16, such processing is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child;
- Member States may provide by law for a lower age, provided it is not below 13 years.
- Data protection officers
Under the 1995 Directive, controllers are required to notify their data processing activities to local data protection authorities (DPAs), which for multinationals can be a bureaucratic nightmare, with most Member States having different notification requirements.
Under the GDPR, it will no longer be necessary to submit notifications or registrations to each local DPA of data processing activities, nor will it be a requirement to notify or obtain approval for transfers based on the Model Contract Clauses (MCC). Instead, there will be internal record-keeping requirements, as explained below, and the appointment of a Data Protection Officer (DPO) will be mandatory for public authorities and for those controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or of special categories of data, or of data relating to criminal convictions and offences. The DPO:
- must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices;
- may be a staff member or an external service provider;
- must have their contact details provided to the relevant DPA;
- must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge;
- must report directly to the highest level of management;
- must not carry out any other tasks that could result in a conflict of interest.