GDPR – Overview

Summary
“The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonisation of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover.”[4]

The regulation was adopted on 27 April 2016. It becomes enforceable from 25 May 2018.

The GDPR also brings a new set of “digital rights” for EU citizens in an age when the economic value of personal data is increasing in the digital economy.

Consent
Where consent is used as the lawful basis for processing, consent must be explicit for data collected and the purposes data are used for (Article 7; defined in Article 4). Consent for children[16] must be given by the child’s parent or custodian, and verifiable (Article 8). Data controllers must be able to prove “consent” (opt-in) and consent may be withdrawn.[17]

Responsibility and accountability

The notice requirements remain and are expanded. They must include the retention time for personal data, and contact information for the data controller and the data protection officer has to be provided.

Lawful Basis For Processing

Data can only be processed if there is at least one lawful basis to do so.

Data Protection Officer

Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, or where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects, a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation.

The Data Controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

“Data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Examples of data processors include payroll companies, accountants and information service companies all of which could process personal data on behalf of someone else. It is possible for one company or person to be both a data controller and a data processor, in respect of distinct sets of personal data.

Pseudonymisation

The GDPR refers to pseudonymisation as a process that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information.
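The definition above, as an added example that is not from the page or any GDPR text: keyed pseudonymisation in Python, where the secret key and the lookup table are the separately held “additional information”, plus a check showing why an unkeyed hash does not meet the definition. DEMO_KEY, the record set and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key; in practice it comes from a key store held separately
# from the pseudonymised dataset.
DEMO_KEY = b"demo-key-not-for-production-0123456789"

# Constructed sample records (fictitious people).
RECORDS = [
    {"email": "alice@example.com", "purchase": "book"},
    {"email": "bob@example.com", "purchase": "lamp"},
    {"email": "alice@example.com", "purchase": "pen"},
]

def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the identifier under a secret key.
    Equal inputs give equal outputs, so records about one subject remain
    linkable for processing, but without the key the value cannot be
    attributed back to the subject."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()

def pseudonymise_records(records, key):
    """Replace the direct identifier with a pseudonym. The returned lookup
    table is the 'additional information' and must be stored apart from
    the dataset, with access limited to the re-identification role."""
    lookup, out = {}, []
    for rec in records:
        pseud = pseudonymise(rec["email"], key)
        lookup[pseud] = rec["email"]
        out.append({"subject": pseud, "purchase": rec["purchase"]})
    return out, lookup

def reidentify(pseudonym: str, lookup: dict):
    """Attribution is possible only for the party holding the lookup table."""
    return lookup.get(pseudonym)

def unkeyed_pseudonym(value: str) -> str:
    """Plain SHA-256, included only to contrast with the keyed version."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def attributable_by_recomputation(pseudonym, candidate_identifiers, fn):
    """Review check for a scheme: can a party holding only a list of
    plausible identifiers (and no key) recompute the pseudonym and attribute
    it? Returns the matching identifier, or None if the scheme holds up."""
    for ident in candidate_identifiers:
        if hmac.compare_digest(fn(ident), pseudonym):
            return ident
    return None
```

The last check is the practical test of the definition: a plain hash of an e-mail address is attributable by anyone who can guess the address, so the “additional information” must be a secret key or a separately stored table, not the identifier itself.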

Data breaches

Under the GDPR, the Data Controller will be under a legal obligation to notify the Supervisory Authority without undue delay. The reporting of a data breach is not subject to any de minimis standard and must be reported to the Supervisory Authority within 72 hours after having become aware of the data breach (Article 33). Individuals have to be notified if adverse impact is determined (Article 34). In addition, the data processor will have to notify the controller without undue delay after becoming aware of a personal data breach (Article 33).

Sanctions

The following sanctions can be imposed:

a warning in writing in cases of first and non-intentional non-compliance,

regular periodic data protection audits,

a fine up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater, where there has been an infringement of the following provisions (Article 83, Paragraph 4[19]):

the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43,

the obligations of the certification body pursuant to Articles 42 and 43,

the obligations of the monitoring body pursuant to Article 41(4).

a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater, where there has been an infringement of the following provisions (Article 83, Paragraphs 5 & 6[19]):

the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9,

the data subjects’ rights pursuant to Articles 12 to 22,

the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49,

any obligations pursuant to Member State law adopted under Chapter IX,

non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).

Right of access

The Right of Access (Article 15) is a data subject right.[20] This gives citizens the right to get access to their personal data and information about how these personal data are being processed.

Right to erasure

A right to be forgotten was replaced by a more limited right to erasure in the version of the GDPR adopted by the European Parliament in March 2014.[21][22] Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds, including non-compliance with Article 6.1 (lawfulness), which includes a case (f) where the legitimate interests of the controller are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Data portability

A person shall be able to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller.

Data protection by Design and by Default

Data protection by Design and by Default (Article 25) requires that data protection is designed into the development of business processes for products and services. This requires that privacy settings must be set at a high level by default and that technical and procedural measures should be taken by the controller in order to make sure that the processing, throughout the whole processing lifecycle, complies with the regulation. Controllers should also implement mechanisms to ensure that personal data are only processed when necessary for each specific purpose.

Records of processing activities

Records of processing activities must be maintained that include the purposes of the processing, the categories of data involved and the envisaged time limits. These records must be made available to the supervisory authority on request.