The European Parliament, Commission and Council have reached an agreement on the General Data Protection Regulation (GDPR) text. It replaces the Data Protection Directive from 1995 and aims to protect EU citizens' personal data in today's digital world while harmonizing the legislation on the processing of personal data across the whole EU.
An agreement on the General Data Protection Regulation (GDPR) text was finally reached on 15 December 2015, three years after its proposal in 2012, by the European Parliament, Commission and Council. The GDPR replaces the Data Protection Directive from 1995 and aims to protect EU citizens' personal data in today's digital world while harmonizing the legislation on the processing of personal data across the entire EU. The Regulation entered into force on 24 May 2016, with a two-year implementation period ending on 25 May 2018.
With the release of the agreed text, it is clear that a number of obligations are completely new, and many have changed significantly compared to the Directive of 1995, such as:
When requesting consent from your client for the processing of their personal data, consent must be given in an unambiguous manner, through a statement or a clear affirmative action. Acceptable indicators of unambiguous consent are ticking a box, placing a signature or another explicit affirmative action; silence, pre-ticked boxes or inactivity do not qualify.
One of the most impactful new additions, for data processors in particular, is the responsibility that now falls jointly upon the data controller and the data processor: implementing organizational and technical measures for the protection of the personal data being processed.
With the adoption of the GDPR, administrative fines can be imposed for non-compliance with the Regulation. Non-compliance with the obligations of a data controller or a data processor could result in a fine of up to 10 million EUR or 2% of annual global turnover (whichever is higher). Non-compliance with the basic principles for processing (such as consent), the data subject's (client's) rights or the approved data transfer mechanisms could result in a fine of up to 20 million EUR or 4% of annual global turnover (whichever is higher).
Before processing begins, it will be obligatory to analyse its impact on the protection of personal data (a data protection impact assessment).
Companies will have to demonstrate that security measures are part of the design of the personal data processing from the outset (privacy by design), and privacy-protective settings shall apply by default.
Data breaches should be reported to the supervisory authority (in Slovakia this is the Office for Personal Data Protection of the Slovak Republic) within 72 hours after becoming aware of the breach.
There are new rules for the transfer of personal data outside the EU. A transfer is possible only if the third country is considered safe. In any event, transfers to third countries and international organisations may be carried out only in full compliance with the Regulation: the controller or processor must ensure that the conditions laid down in the Regulation's provisions on transfers to third countries or international organisations are met, subject to its other provisions.
Each data controller or processor processing personal data "at large scale", regardless of whether the personal data is sensitive or not, must appoint a Data Protection Officer (DPO).
Clients (data subjects) will gain new rights, such as the right to erasure and the right to data transferability (portability).
To fulfil the requirements of the GDPR, it is recommended to implement the following steps: