The increased exchange of personal data, rapid technological development and globalization are the reasons for the adoption of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Its provisions will apply from 25 May 2018, replacing the current framework (Directive 95/46/EC).
The territorial scope of the new legislation extends not only within the European Union but also to third countries, covering data controllers and natural persons who process the personal data of European citizens.
One of the main changes introduced by the Regulation is the abolition of the current obligation to register the personal data controllers in the Commission for personal data protection. However, the CPDP will continue to be the sole data protection supervisor and, as such, will monitor compliance with the Regulation.
An important novelty is the figure of the so-called “data protection officer”. This may be an employee of the data controller or an external party engaged under a service contract. The officer's role is to monitor compliance with the provisions of the Regulation and with the internal policies of the controller or processor of personal data. Among the officer's duties is cooperation with the supervisory body, the CPDP.
The obligation to appoint such an officer will arise only for certain categories of controllers and processors. First of all, these are the public authorities and bodies, with the exception of the courts when exercising their judicial functions. The list also includes controllers/processors whose operations require regular and systematic monitoring of data subjects, as well as those processing personal data under Art. 9 and Art. 10 of the Regulation.
Key in the new Regulation is the detailed specification of the so-called “right to be forgotten”, which has applied since 2014 by virtue of the judgment of the European Court of Justice in Case C-131/12 Google Spain. Under Art. 17 of the Regulation this right allows data subjects to request that controllers erase their data and stop its dissemination. It should be noted that the right is not absolute and can be restricted where other rights and interests take priority.
In addition to being “forgotten”, each data subject will be able to request that their data be transferred from the electronic system of one controller to another, as long as this is technically feasible (Art. 20 “Data portability”).
In order to ensure the protection of personal data, the new EU act obliges controllers to apply appropriate technical and organizational measures when processing the personal data of natural persons. Among those measures, of particular interest is the “pseudonymisation” of personal data, which means processing the data in such a way that it can no longer be linked to a particular data subject without the use of additional information.
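As an added illustration that is not part of the article, the Python sketch below shows what pseudonymisation looks like in practice: direct identifiers are replaced with keyed HMAC tokens, the key and a token-to-identity table are the “additional information” held separately under the controller's control, and analysis still works on the tokens because the same person always maps to the same token. The records, field names and key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the people and addresses are not real.
RECORDS = [
    {"name": "Anna Petrova", "email": "anna@example.org", "purchases": 3},
    {"name": "Ivan Ivanov", "email": "ivan@example.org", "purchases": 7},
    {"name": "Anna Petrova", "email": "anna@example.org", "purchases": 1},
]
DIRECT_IDENTIFIERS = ("name", "email")  # assumed field names


def token(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym. The key is the 'additional information':
    without it a token cannot be linked to a person, and, unlike a plain
    unkeyed hash, it cannot be reversed by hashing a list of likely e-mails."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Return (pseudonymised copies, lookup table). The table maps
    token -> original value and must be stored apart from the data set."""
    lookup, out = {}, []
    for rec in records:
        copy = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            t = token(rec[field], key)
            lookup[t] = rec[field]
            copy[field] = t
        out.append(copy)
    return out, lookup


def reidentify(pseudo_record, lookup):
    """Restore identifiers (e.g. to answer a subject's request); impossible
    for anyone who holds only the pseudonymised data set."""
    rec = dict(pseudo_record)
    for field in DIRECT_IDENTIFIERS:
        rec[field] = lookup[rec[field]]
    return rec


def purchases_per_subject(pseudo_records):
    """Aggregation works on tokens: one person, one token."""
    totals = {}
    for rec in pseudo_records:
        totals[rec["email"]] = totals.get(rec["email"], 0) + rec["purchases"]
    return totals


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep this outside the analytics data set
    pseudo, table = pseudonymise(RECORDS, key)
    print(pseudo[0])
    print(reidentify(pseudo[0], table))
    print(purchases_per_subject(pseudo))
```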
In the event of a personal data breach, the Regulation introduces an obligation for controllers to notify the supervisory authority within 72 hours of establishing that it occurred, unless the breach is unlikely to result in a risk to the data subjects. Where the likelihood of risk is high, the breach must also be communicated to the natural persons concerned in their capacity as data subjects.
Also related to the security of personal data is the new obligation of controllers to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, in cases where a particular type of processing is likely to pose a risk to the rights and freedoms of natural persons.
The Regulation creates a new obligation to maintain a record of the processing activities for which the respective controller or processor of personal data is responsible. The register shall contain the information indicated in Art. 30, items 1 and 2 of the Regulation. Upon request, the controller or processor and, where applicable, the representative of the controller or processor shall make the register available to the supervisory authority.
Detailed arrangements are laid down for the consent of natural persons to the processing of their personal data. Consent has to be explicit, i.e. the subjects must clearly and unequivocally express their will as to which data will be processed, for what purposes, to which persons the data will be provided and for what period it will be processed.
In order to ensure effective compliance, the Regulation provides for substantial penalty payments and fines of up to €10 million or up to 2% of the company's annual turnover for the previous financial year, whichever is higher.
author: Kristina Vezenkova