With the General Data Protection Regulation (GDPR) the European Commission aims to strengthen and unify data protection for individuals within the EU. Its impact is wide reaching and will have a significant impact on how personal data is handled, so it seems strange that seems it hasn’t received the attention of decision makers as it should. Thus, although many legal experts reviewed these topics extensively already, it may be still interesting to comment some of the key features of the new rules which will be implemented by the EU on the data protection. Our guest contributor Vincenzo Cutugno, an expert on the subject, gives us on overview.
On May 2016, the European Commission enacted a comprehensive reform of data protection rules (see here), at the end of a legislative process lasted more than four years (from January 2012):
- Regulation 2016/679 (General Data Protection Regulation or “GDPR”, see here), passed on 24 May 2016, which will take effect on 25 May 2018, after a two year interim period, replacing Directive 95/46/EC (Data Protection Directive); and
- Directive 2016/680 (see here), entered into force on 5 May 2016, which shall be transposed by each EU Member State into the respective internal law within 6 May 2018.
The first law concerns the protection of natural persons with regard to the processing of personal data and on the free movement of such data, while the second one governs the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
The GDPR establishes some clear and incisive principles concerning the protection of natural subjects in connection to the use of personal data, according to which data must be:
- processed in a lawful, fair and transparent manner;
- collected for specified, explicit and legitimate purposes (“purpose limitation”);
- adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed (“data minimization”);
- accurate and where necessary kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they were collected or further processed;
- the period for which the personal data are stored is limited to a strict minimum;
- transfers of personal data within or between Community institutions or bodies or to recipients in EU countries are subject to certain conditions.
The application of aforementioned principles will be ensured by the following measures:
- limitation of automatic processing of personal data;
- right to object recognized to the data subject;
- right of access by the data subject;
- right to receive the personal data, provided to a controller, and transmit such data to another controller (“data portability”);
- right to lodge complaints concerning possible infringements of the Regulation to the Supervisory Authority;
- easy and timely access to personal data.
What you need to know
- The territorial scope of the GDPR will be extended. Pursuant to the Regulation, a non-EU established organization will be subject to the GDPR, if such organisation process personal data about EU data subjects in connection with: (a) the “offering of goods or services” (payment is not required); or (b) “monitoring” their behavior within the EU.
- According to Article 37 of the GDPR, when: (a) the processing is carried out by a public authority or body; (b) the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences, data controllers and processors must designate a data protection officer (“DPO”). The DPO shall be appointed on the basis of its professional qualities and may be employed or under a service contract. It can be appointed by a group of undertakings.
In case of infringement, the GDPR imposes severe administrative fines which are meant to be “effective, proportionate and dissuasive“. Article 83 determines certain elements that should be regarded when deciding whether to impose an administrative fine and its amount, including: the nature, gravity and duration of the infringement; the intentional or negligent character; if any action was taken by the controller or processor to mitigate the damage; the degree of responsibility of the controller or processor; the categories of personal data affected; etc.
Fines are split into two broad categories:
- A) the highest fines are up to 20,000,000 Euros or in the case of an undertaking up to 4% of total worldwide turnover of the preceding year, whichever is higher apply to breach of:
- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority;
- B) the lower category of fines are up to 10,000,000 Euros or in the case of an undertaking up to 2% of total worldwide turnover of the preceding year, whichever is the higher apply to breach of:
- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies;
- obligations of a monitoring body;
Fines can be imposed in combination with other sanctions.
What you need to do
- understand the rights of data subjects and legal requirements;
- check which data you hold and how you process it;
- review your current privacy notices and communications;
- apply the new rules to your organization;
- establish appropriate internal policies and procedures which ensure compliance;
- establish appropriate internal policies and procedure which detect, report and investigate any personal data breach;
- designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance;
- if your organisation operates internationally, you should ensure that you will comply with the new legal provisions.
This article was first published here. Vincenzo Cutugno is partner at Carone & Partners Law Firm and teaching assistant at the Bocconi University in Milan/Italy. He is an expert in Corporate Law, M&A and Privacy.