The EU legislation regarding Data Protection was modified in May 2016 and the Regulation 2016/679 regarding the protection of natural persons with regard to the processing of personal data and free movement of such data will be directly applicable in all EU countries starting with May 25th 2018.
Which are the main changes introduced by the EU Regulation?
The new regulation is broader in scope, covering cases in which personal data are processed by companies not established in the EU.
Regardless whether you are based in or outside the EU, this law affects you.
In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the EU, by a controller or a processor not established in EU, should be subject to the Regulation, where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.
In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the EU, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the EU.
Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the EU, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States, with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the EU, may make it apparent that the controller envisages offering goods or services to data subjects in the EU.
Clarifying the notion of “consent”
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.
New obligations for data processors
- The obligation to implement appropriate technical and organizational measures, such as Pseudonymisation, data protection both in determining the means of data processing, as well as during processing
- The obligation to keep track of the activities performing processing
- Obligation to notify any breach of personal data to relevant supervisor no later than 72 hours from the date the acknowledgment such a violation
- Obligation in certain circumstances of the appointment of a Data Protection Officer
The “Right to be forgotten”
A data subject should have the right to have personal data concerning him or her rectified and a “right to be forgotten” where the retention of such data infringes this Regulation or EU or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation.
That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child.
However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defense of legal claims.
Binding corporate rules
More over a group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the EU to organizations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.
Significant tightening of sanctions:
- EUR 10 000 000 or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher
- EUR 20 000 or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Andreea Manolache | Senior Associate| Andreea.Manolache@accace.com