After long-term effort, many discussions and years of preparation, the General Data Protection Regulation 2016/679 (GDPR), which constitutes a new data protection framework in the EU, has finally been adopted.
While the GDPR entered into force on 24 May 2016, it shall apply from 25 May 2018; in the meantime, companies and businesses should prepare for compliance with its provisions, because the current Directive shall be repealed with effect from 25 May 2018.
The GDPR focuses on reinforcing individuals’ rights, strengthening the EU internal market, ensuring stronger enforcement of the rules, streamlining international transfers of personal data and setting global data protection standards. These aims are to be achieved through the following main changes that the GDPR introduces into EU data protection legislation:
Because the new EU data protection legislation was adopted in the form of a regulation rather than a directive, it shall be directly applicable in all Member States without the need for implementing national legislation. Therefore, the data protection standards shall be identical throughout the EU.
Moreover, the GDPR shall also apply to data controllers and data processors domiciled outside the EU whose processing activities relate to the offering of goods and services, even if free of charge, or to monitoring the behaviour of EU data subjects within the EU. Under the conditions set in the GDPR, data controllers and data processors domiciled outside the EU shall appoint a representative in the EU.
The GDPR introduces the concept of a so-called “One-Stop-Shop”, meaning that businesses will only have to deal with one supervisory authority, in the state where they have their main seat, and not with the supervisory authorities of other states in which they have established branches. The GDPR contains a regime of cooperation between a Lead Authority and Concerned Authorities in cases where the subject matter relates only to an establishment in a Member State other than the state of the Lead Authority's seat, or substantially affects data subjects only in a Member State other than the state of the Lead Authority's seat. Data subjects shall be entitled to lodge a complaint with any supervisory authority in their own language.
In cases stipulated by the GDPR, data controllers as well as data processors shall appoint a Data Protection Officer. Such cases include: (i) processing of data by a public authority, (ii) cases where the core activities of the data controller or data processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, (iii) cases where the core activities consist of processing of special categories of data on a large scale. In other words, small and medium enterprises are usually exempt from the obligation to appoint a Data Protection Officer if data processing is not their core business activity. The Data Protection Officer may be employed by the entity or cooperate with the entity under a service contract. A group of undertakings may appoint a single Data Protection Officer, provided that the Data Protection Officer is accessible to all of them. The contact details of the Data Protection Officer shall be published and communicated to the supervisory authority. The data controller and data processor shall ensure that the Data Protection Officer does not receive any instructions regarding the exercise of his or her tasks and is bound by secrecy.
The GDPR places numerous obligations on data controllers to demonstrate that they comply with the new EU data protection standards. These obligations include, among others: (i) maintaining the required documentation, (ii) implementing data protection by default and by design, (iii) conducting a data protection impact assessment for risky processing. Data controllers will bear the burden of proof of compliance with the new EU data protection standards. They will no longer have to provide data protection authorities with general notifications on data processing. However, they shall conduct a data protection impact assessment where processing is likely to result in a risk, and subsequently consult the data protection authority in advance where the results of the assessment indicate a high risk and no measures are adopted to address it. The uncertainty of these new provisions (the assessment of what is considered a high risk) and the potential imposition of onerous fines may in practice prove not to be beneficial to data controllers.
The consent of a data subject to the processing of his/her personal data shall be freely given, express, informed and clear, and the data controller must be able to demonstrate that the consent was given. Moreover, a data subject shall be able to withdraw the given consent at any time and shall be informed of this possibility by the data controller in advance. The GDPR introduces parental consent, which shall be required for processing the data of a child by information society services.
The GDPR governs the “right to be forgotten”, meaning that when a data subject no longer wants his/her data to be processed, provided there are no legitimate grounds for retaining it and the purpose of the processing has been fulfilled, the data shall be deleted without undue delay. In addition, data subjects may request information about their data being processed by a given data controller. Data controllers shall provide such information within the stipulated period and free of charge, unless the request is manifestly unfounded or excessive. Moreover, data subjects will have the right to have incorrect data corrected.
The new right to data portability will allow individuals to move their data from one service provider to another, and the original service provider shall not be entitled to retain such data. Data portability concerns processing carried out by automated means. In other words, data subjects shall have the option to change service provider, including transferring their data from one provider to another, without having to re-enter it.
The GDPR aims for stronger enforcement of the data protection rules by introducing strict sanctions. In certain cases, data protection authorities will be able to fine companies for breaches of EU data protection rules up to 4% of their global annual turnover.
Pursuant to the GDPR, data controllers are obliged to notify certain data breaches to the data protection authority. Such notification shall be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Moreover, in some cases they shall also notify the affected data subjects.
Profiling, meaning any form of automated processing of data that uses such data to assess certain personal aspects of a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, financial situation, health, personal preferences, interests, behaviour, location or movements, shall be regulated more strictly by the GDPR. The data subject shall have the right not to be subject to any decision based solely on automated processing, including profiling. The data controller shall inform the data subject of the existence of automated decision-making, including profiling, and provide meaningful information about the procedure used as well as the envisaged consequences of such processing for the data subject.
Data processors will, for the first time, have direct obligations under the GDPR, such as maintaining a written record of the processing activities carried out on behalf of each controller or designating a Data Protection Officer.
Intra-group international data transfers may be legitimised by binding corporate rules of data controllers or data processors which are binding on and enforced by every member of a group of undertakings engaged in a joint economic activity.
The regulation of international transfers of personal data stays essentially the same under the GDPR. Transfers to third countries, territories or international organisations considered by the European Commission to have an adequate level of data protection shall not require any specific authorisation. In the absence of such a decision by the European Commission, a transfer may be undertaken only on condition that the data controller or data processor has provided appropriate safeguards, and that enforceable data subject rights and effective legal remedies for data subjects are available. Depending on their nature, the appropriate safeguards may or may not be subject to authorisation from the competent supervisory authority. The GDPR also stipulates derogations for certain specific situations.
Generally speaking, the new GDPR constitutes a fundamental and important change in the EU data protection framework, and all data controllers and data processors should prepare for its application without undue delay and with due care.
For more information
Šiška & Partners s.r.o.
Karol Šiška, attorney