We would hereby like to notify you of the adoption of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation, “GDPR”), which introduces new security requirements and obligations that companies must comply with no later than May 25, 2018.
Privacy in the digital age
GDPR is an essential step to strengthen natural persons’ fundamental rights in the digital age, as Personal Data relate to any natural person and consist of information that can be used to identify the person, directly or indirectly (such as name, place and date of birth, telephone number, email address), and are used on a daily basis (companies handle the Personal Data of employees, clients and members of statutory bodies).
The most important changes established by GDPR are mainly:
- Expanded scope: GDPR applies to (i) all companies established in the EU acting as data controllers or processors and (ii) companies that handle the Personal Data of EU citizens.
- Consent of a natural person to the processing of Personal Data must be freely given and for specific purposes, and the person must be informed of the right to withdraw consent.
- At the same time, natural persons gain new rights, such as: the right to be forgotten (to require the company to erase all their Personal Data), the right to data portability (to require the company to transfer their Personal Data to another company) and the right to object to profiling (not to be subject to a decision based solely on automated processing).
- A Data Protection Officer must be appointed (among other situations) if the company (i) conducts large-scale systematic monitoring or (ii) processes large amounts of sensitive Personal Data.
- Fines are higher: they can reach up to EUR 20,000,000 or 4% of total annual worldwide turnover.
Operations with personal data
To prepare for GDPR, the company will first need a clear understanding of the operations it executes: what Personal Data it processes, where across the group the data are processed, where the data are transferred from and to, and how the data are secured.