12 Jan EU data protection regulation (gdpr) – key changes
On 4th May 2016 the EU Parliament and the EU Council adopted new legislation on data protection which is widely known as the General Data Protection Regulation (GDPR – Regulation EU 2016/679- hereandafter ’The Regulation’ or ‘GDPR’). The provisions of the GDPR apply to the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and they repeal the Directive that has been in force since 1995 – Directive 95/46/EC, when the internet was still in its infancy. The importance of the Regulation cannot be underestimated, it is the biggest change within the EU for over 20 years in the scope regarding the protection and processing of personal data. The Regulation comes into force in Italy and in each Member State from 25th May 2018. However, the effects of the Regulation extend beyond the boundaries of the Member States of EU and will be felt worldwide. The scale of the GDPR
is confirmed by the fact that every company, no matter whether public or private, small or large, which processes personal data of an EU citizen will be obliged to adapt to the new law, regardless of where they reside.
In the modern digital world in which information is currently the most precious value, the changes proposed by GDPR should be considered as vital for the global economy. The main aim of the Regulation is to harmonize data protection legislation throughout the EU and therefore – facilitate cross-border trade. Entrepreneurs will not meet discrepancies in personal data protection law, because in each Member State country the provisions of GDPR will be applied. This application will allow them to use a unified consent form for the processing of personal data in all Member States of the EU in which they conduct businesses. Seems that the new Regulation presents the right approach to the protection of privacy with a more horizontal view, across all sectors and geographies, protecting the fundamental rights of natural persons to the protection of their personal data on the one side, and on the other side promoting free movement of data within the EU.
WHAT ARE THE KEY CHANGES?
Under the GDPR we can meet a number of changes that affect natural persons and entrepreneurs. Because of their large amount, let’s take a look at the most significant of them.
A REGULATION INSTEAD OF A DIRECTIVE
The authorities of the European Union decided to regulate the matter of protection
of personal data in a different way than before. Namely, the issue of protection and processing personal data has been regulated in the Regulation, and not as it has been so far in the Directive. Such a decision results from the fact that a Regulation is directly applicable in all Member States, whereas a Directive requires further national legislation to bring it into force in the different jurisdiction. It is also worth to pay attention to the length of the new privacy law. The Regulation consist of 99 articles, while the previous Directive has only 34. The length is due to the fact that new Regulation introduces new concepts that has not existed when the Directive was entered into force ( f.e. Binding Corporate Rules, obligation to report, security breaches). Moreover, new provisions introduce new definitions, clarify many issues in a more comprehensive manner and allow the EU bodies laying down standard formats for notifications, communications etc.
WIDE RANGE OF APPLICATION
GDPR applies to processing of personal data “in the context of the activities of an establishment” (Article 3(1)) of any organization within the EU. This means that it has a wide range of applications from the subsidiaries of the main company to its single representative. This concept has been confirmed in the recent jurisprudence of European Courts (Google Spain SL, Google Inc. v. AEPD, Mario Costeja Gonzalez (C-131/12). But the question is: do the provisions of GDPR also apply to companies that are located outside the EU? The answer is yes. Even if the company is not based in the EU, the GDPR regulations will apply to it if this company processes personal data of data subjects who are located within EU. In practice, the new privacy law also covers non-EU organizations that, are not established in EU. It means that big American technology companies such as Google or Facebook will have to respect the provisions contained in GDPR. Additionally, organizations outside EU who offering goods or services or monitoring tests must designate
a representative within the EU (Article 27).
INDIVIDUALS GOT BACK THE CONTROL OVER THEIR DATA
The regulation strengthens the protection of natural persons whose data is processed.
The Regulation provides them not only additional rights but also legal tools to enforce them. These tools should contribute to the increase of people’s awareness about what happens to their data and about the potential risks related to processing personal data. The GDPR explicitly grants natural persons, whose data is processed, in particular, the following rights:
1) The right to access data and information (Article 15). This right is in principle in line with the existing one, but additional data may be disclosed to the individuals. Controllers have been revoked the right to charge fees (few exceptions). A natural person who asks for data disclosure should receive it within a month of reporting the request (administrator can extend this period to up
to 3 months- exceptionally).
2) The right to demand rectification and completing the data (Article 16). The natural persons still keep the right to request inaccurate or incomplete personal data to be corrected or completed without undue delay.
3) The Right to erasure (‘right to be forgotten’) (Article 17). The adoption of this right
is connected with the famous judgment of the Europe’s highest court against Google (Judgment of the CJEU in Case C-131/12). In the judgment, it has been established that there were no legal basis for processing of data concerning the unpaid debt of the Spanish national. It is worth to mention that the right to be forgotten is not an absolute right. It only arises in quite a narrow set of circumstances notably where the controller has no legal ground for processing the information. The Natural persons using this law will now be able to make requests to search engines to remove their data from search results.
4) The Right to data portability (Article 20). This right is completely new and has no equivalent in the Directive. The data portability allows a natural person to make a request to the administrator
that process his data to send them to another administrator. This request can be used by the person if the processing takes place based on the consent expressed by that person or on the basis of an agreement concluded with him/her and if the processing takes place in an automated manner. The data subject also has the right to demand transferring his personal data from one administrator directly to another administrator, but only if it is technically possible.
5) The Right to object (Article 21). The regulation still retains the right to object the processing
of data in direct marketing at any time. Novelty is the right to object to data, which are processed in the public interest or in connection with a legitimate administrator’s interest. In such case the objection will be possible, unless the administrator proves superior the basis of data processing in relation to the individual’s interests. The right of objection will also be valid when profiling data
The aforementioned rights do not constitute a closed catalog, under the GDPR there are much more of them. These rights are designed to facilitate individuals and companies that act on their behalf claiming damages for breaches of the personal data law.
INTERNAL PROGRAM COMPLIANCE
As a result of the entry into force the new data protection law, it is recommended for entrepreneurs to review their ‘compliance programs’ in order to respect the legislation contained in the GDPR. The compliance program should, above all, include:
1) appointing a data protection officer (DPO);
2) keeping the internal data processing register;
3) introduction of appropriate data security system and procedures related to data protection;
4) conducting an assessment of the effects of processing personal data;
5) consideration of data protection in the design phase and default protection data.
Under the new regulations, some organizations will be required to designate an officer for personal data. His main task will be to fulfill compliance obligations and also he will cooperate with the body of supervision. The appointment of a Data Protection Officer will, as a rule, be optional, but The regulation determines when its designation will be mandatory. According to Article 37 the following organizations are obliged to appoint a DPO:
1) public authorities;
2) controllers or processors whose core activities consist of processing operations which by virtue of their nature, scope or purposes require regular and systemic monitoring of data subjects on
a large scale;
3) controllers or processors whose core activities consist of processing sensitive personal data on
a large scale;
4) if it is required by the national law.
For some companies this means significant administrative burdens and costs. The appointed inspector should have “expert knowledge” according to the Article 37(5)), which means that he has the required qualifications in the field of protection personal data. Also DPO should be properly and timely engaged in all matters relating to data protection in the enterprise. Under the GDPR it is also possible to appoint one inspector of personal data by a group of entrepreneurs, if each of the entrepreneurs will be able to easily contact him.
The Regulation removes the requirement to register personal data files and replaces them
with the obligation to keep an internal register of processing operation of personal data, however this requirement applies only to the certain companies. The obligation to maintain an internal register includes entrepreneurs employing more than 250 employees, if the processing of data poses a threat to the rights and freedoms of persons, is not sporadic or includes sensitive data. The register should take into account the purpose of data processing and the categories of recipients whose personal data have been disclosed and information about the transfer to third countries. In addition, administrators and processors have been required to provide access to the register whenever requested by the supervisory authority.
Under the GDPR, the widely discussed issue was the introduction of very high revenue based administrative fines for violation of its provisions. These penalties may be imposed by
a supervisory authority in the event of non-compliance with the GDPR. Such a wide discussion finds its justification. The sanctions available to DPAs under the GDPR are significantly greater than under the previous Directive. The penalties were divided into two broad categories. Higher fines are foreseen for a serious violation of the GDPR and the second category refers to violations of lesser importance. The new Regulation (Article 83(5)) allows DPAs to issue fines for serious infringements up to a maximum of the greater of €20 million or , if this is a higher amount, 4% of the total worldwide annual turnover of the company (previously, the Directive predicted less than €1 million per violation, and the average fines amounted to several tens of thousands €). Such severe penalties refer to violations of: the basic principles for processing including conditions for consent, data subjects’ rights, international transfer restrictions, any obligations imposed
by Member State law for special cases such as processing employee data, certain orders
of a supervisory authority. Lower penalties are provided for less serious infringements (Article 83 (4)) such as: obligations of controllers and processors including security and data breach notification obligations, obligations of certification bodies, obligations of a monitoring body.
The lower category of fines can be up to €10 million or in the case of an undertaking up to 2% of total worldwide turnover of the preceding year. It is easily noticeable, that such tough penalties for violations, will certainly motivate all organizations that process personal data to implement
in compliance with the GDPR’s requirements.
Organizations should be well-prepared for the upcoming changes. In particular, they should review their data processing activities (perform a personal data Audit is required) and establish necessary policies and processes to meet all privacy requirements (e.g., security, complaints handling, data accuracy, breach reporting, etc.). In some cases it will even mean to redesign the existing systems which process personal data, purchasing new systems, and/or renegotiating contracts with third party data processors. Entrepreneurs should remember that the process
of adapting activities to the requirements of GDPR is a long-term process. In order to be ready before 25th May 2018, it is recommended for companies to start preparation for implementation
as soon as possible. Steps that every entrepreneur who processes personal data should take are,
in particular, :
1) organize training for employees, who have contact with personal data ( especially, employees
of compliance, marketing, sales, legal and HR departments);
2) prepare a map of GDPR implementation
3) and then implement individual solutions of organizational and technical nature to their structure.
In the nearest future, we will see in a concrete way how this new regulatory framework will be maintained in each country, in particular by companies and individuals. As Giovanni Buttarelli (European Data Protection Supervisor) pointed out, introduction of new requirements, f.e. DPO, “can create very interesting and useful job on the markets”. On the other hand, new regulations also include additional costs and burdens for companies. Finally, according to the Censis study which was conducted in 2013, for 96.2% of Italians privacy is as an “inviolable law”, and 93% of them are concerned that their privacy in the Internet will be attacked. This study confirms the importance of personal data protection for the individuals in the contemporary digital world.
Avv. Giuseppe Colucci