Key Benefits and Corresponding Obligations arising from the General Data Protection Regulation (GDPR).
03 October 2017
The European Commission, with a view to further safeguarding and protecting European citizens’ privacy and personal data in relation to transactions that take place within the European Union (“EU”), adopted the General Data Protection Regulation (“GDPR”) on 27 April 2016. The GDPR is expected to take effect from 25 May 2018 and will become directly applicable in all EU Member States, replacing the Data Protection Directive of 1995 (Directive 95/46/EC) and becoming binding and directly enforceable in all member states. The purpose of the present publication is to briefly present an overview of the key changes that the new GDPR is about to bring and to describe the most significant rights the GDPR grants to EU citizens and the corresponding obligations it imposes on organisations which control or process personal data.
To begin with, one of the most remarkable changes the GDPR is about to bring is the expansion of the scope of application of its data protection provisions. This is because the GDPR applies not only to EU companies processing personal data of European citizens, but to all companies processing EU citizens’ personal data, irrespective of whether the processing occurs within the EU or outside it. To put it differently, the GDPR can apply to a company not established within EU territory where it processes the personal data of “data subjects” residing in the EU.
The GDPR has a broad scope of application, and to this end its terms are interpreted widely. The GDPR applies both to the “controller” of data (meaning the organisation gathering data from EU data subjects) and to the data “processor” (meaning the organisation processing the data on behalf of the data controller), thus including internet cloud providers. Moreover, the term “personal data” is given a quite wide interpretation. According to the Regulation, “personal data” constitutes any information that can be used to identify a natural person, including names, addresses, ID numbers, location data and online identifiers such as an IP address. Personal data also encompasses genetic data, health and biometric data, racial data, political beliefs, sexual preferences, and similar categories. The wide definition of what constitutes personal data clearly enlarges the scope of application of the GDPR.
Another significant change the new Regulation brings is the imposition of exceptionally strict penalties on organisations that are in breach of its data protection provisions. According to Article 83(5), infringements of data subjects’ rights under the GDPR can result in fines of up to 20 million euros or 4% of the “total worldwide annual turnover”, whichever is larger.
Furthermore, the conditions for obtaining consent from data subjects for the purposes of processing their personal data have also become stricter. The GDPR provides that companies are not permitted to use lengthy, incomprehensible terms and conditions when seeking to obtain the consent of data subjects. On the contrary, the language used in such cases must be plain, explicit and comprehensible. Moreover, the specific purposes of the data processing shall be disclosed to the data subject. It is noteworthy that the Regulation provides that individuals shall be able to withdraw their consent with the same ease with which they gave it.
In addition, the GDPR makes reference to “data protection by design and by default”. This means that data protection shall be taken into consideration from the beginning of a system’s design rather than being added as an additional element at a later stage. This would encompass, for example, pseudonymising personal data at the earliest possible stage.
What is more, the new Regulation makes the appointment of a Data Protection Officer (“DPO”) compulsory in cases where companies process and/or keep large volumes of data or special categories of personal data; where they frequently monitor data subjects; or where the organisation is a public authority. The DPO shall be a professional with deep knowledge of data protection law, and their role shall be to supervise and ensure the compliance of the company’s processing methods with the GDPR. The DPO shall be objective when performing their functions and must cooperate with the relevant supervisory authority.
Furthermore, Article 35 provides that companies processing or storing personal data shall conduct risk assessments in order to become aware of the risks that such processing can involve in relation to the rights of data subjects. Companies are also expected to take measures with a view to mitigating these risks.
Most significant rights and corresponding obligations under the GDPR
One of the most important rights the GDPR grants to EU data subjects is the right to receive “breach notifications”. According to the GDPR, whenever a breach occurs in relation to a data subject’s personal data which is likely to “result in a risk for the rights and freedoms of individuals”, the breach must be disclosed to the data subjects within 72 hours and “without undue delay” from the time the company became aware of the breach. The company shall also notify the relevant national supervisory authority (Data Protection Authority or “DPA”) of the breach within the same time period.
Moreover, a particularly important right granted by the new Regulation is the “right of access”. This means that data subjects are entitled to request and obtain information as to whether their personal data are being processed, where and for what purposes. Data subjects are also entitled to be provided by the data controller with a free copy of their personal data in electronic format.
Another significant right provided by the GDPR is the right to “data erasure” or “right to be forgotten”. The right to be forgotten enables data subjects to have their personal data deleted by the controller upon their request, meaning the cessation of any further processing of their personal data. This right can be exercised by data subjects provided that certain conditions are satisfied.
Additionally, the new Regulation provides the right to “data portability”. This means that data subjects are entitled to receive the personal data relating to them in electronic format and to transfer these data from one electronic system to another without being obstructed by the controller.
A provision of vital importance which contributes significantly to the protection of EU citizens’ privacy and personal data is Article 5. According to this provision, any processing of personal data must be conducted in a fair, lawful and transparent manner, taking into consideration the data subject’s rights. Moreover, Article 5 provides that the processing of data shall serve the purposes for which the personal data were collected and not any other incompatible purposes. Personal data may be stored in a form which enables the identification of data subjects “for no longer than is necessary for the purposes for which the personal data are processed”. Last but not least, personal data must be safeguarded against any damage, loss or unauthorised access by using proper “technical and organisational measures”.
The adoption of the GDPR undoubtedly constitutes a significant step forward in the area of personal data protection within the EU. The new Regulation aspires to achieve a greater degree of harmonisation of data protection laws and measures across the EU, thereby ensuring that all EU citizens enjoy an equal and adequate degree of protection in relation to their privacy and personal data. The GDPR is certainly a very promising legislative instrument that is about to bring innovation to the field of personal data law; at the same time, however, it sets a stricter and more burdensome regulatory framework for organisations to comply with. It is of crucial importance for each organisation or business to take the necessary steps to comply with the new requirements under the GDPR, given the extremely strict penalties and excessive fines that may be imposed for non-compliance, including fines of up to 20 million euros or 4% of the “total worldwide annual turnover”, whichever is larger.
For further information on the GDPR and guidance on how an organisation can respond to the new and demanding legal requirements in compliance with the GDPR, feel free to contact us.
This publication is for information purposes only and does not constitute legal advice.