The new General Regulation on Data Protection (EU) 2016/679 (“GDPR”)
(Published on BussinessNews.gr)
Directive 95/46/EC [1], which is the main legal instrument for data protection in the European Union, has for 23 years ensured the effective protection of personal data and the smooth functioning of the Single Market. However, this act was introduced 23 years ago, in a very different technological environment. The rapid technological developments that followed created new challenges in the field of data protection. The quick development of the information society, globalization and the functioning of the Single Market itself have resulted in an unprecedented increase in the collection, exchange and cross-border flow of data by both private bodies and public authorities.
While the existing rules still cover the Union’s basic objectives, they have not achieved the required degree of harmonization, with the result that the right to data protection is not guaranteed in an adequate, efficient and uniform manner. In this context, the need to adopt a single, uniform and more coherent framework for data protection has become clear.
In January 2012, the European Commission proposed the reform of the rules on data protection by adopting a regulation to replace Directive 95/46/EC.
In May 2016, the final version of Regulation (EU) 2016/679 of the European Parliament and of the Council “on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC” was published in the Official Journal of the European Union.
This Regulation entered into force at the end of May of the same year, but shall apply from May 25, 2018. Consequently, and bearing in mind that the Regulation is directly applicable in the Member States of the European Union, all businesses, persons and organizations should apply the provisions of this Regulation from May 25, 2018 and comply therewith.
Before entering into the examination of the key changes brought about by the new Regulation, it is appropriate to briefly list some of the basic definitions, as detailed in the text of the Regulation:
- ‘Personal data’: Any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier, location data or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- ‘Processing’: Any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, dissemination, retrieval, use, erasure, destruction etc.
- ‘Controller’: The natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data.
- ‘Processor’: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
III. Key changes
As stated above, the aim of the new Regulation is to provide uniform and effective protection for EU citizens in a fast-growing technological and global environment. The new Regulation ensures a high level of harmonization (direct application in the Member States), while leaving room for maneuver in the Member States where and when it is deemed necessary.
Some of the major innovations and key changes introduced by the new Regulation are the following:
(i) Increased territorial scope
GDPR will apply to operators established in the EU, regardless of whether the processing takes place in the EU or not. The new Regulation also provides that even operators not established in the EU are required to apply the Regulation if they offer goods or services in the EU market. Today, operators established in the EU have to meet different standards than companies located outside the EU but doing business in the Single Market. With the reform, companies based outside the EU must apply the same rules when they offer goods or services in the EU market (level playing field).
(ii) More rights for data subjects
The new Regulation enhances the existing rights of data subjects (e.g. the right to information and the right of access to data), while also introducing new rights.
It is worth noting that the right to erasure (“right to be forgotten”) in particular is now enshrined in a clear, distinct and explicit way. Based on this right, the data subject may request the erasure of data that are no longer being processed for a specific, legitimate and stated purpose.
This right goes hand in hand with another new right, the “right to data portability”. According to this, the data subject is entitled to receive his or her data in a machine-readable form, or to request their transfer from one controller to another, under certain conditions.
(iii) Establishment of new obligations
The Regulation imposes a series of new obligations on both controllers and processors. In particular:
- Implementation of appropriate technical and organizational measures: The controller shall demonstrate (whenever asked to do so by the competent supervisory authority) that he has implemented appropriate technical and organizational measures for data protection (e.g. pseudonymisation, data minimization, integration of the necessary safeguards into the processing and so on).
- Data protection by design: The controller has the obligation to protect data from the stage at which goods and services are designed, creating favourable and appropriate conditions for data protection by design.
- Data protection by default: The controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
- Enhanced conditions of consent: If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
- Breach notification: In the case of a personal data breach, the controller shall, without undue delay and not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, as well as to the data subject (when the personal data breach exposes the latter to a high risk).
- Assignment of processing to a processor: Processing by a processor must be governed by a contract or other legal act, with the specific content provided in the Regulation.
- Records of processing activities: Each controller and processor shall maintain (in written or electronic form) a detailed record of the processing activities under its responsibility. It is noted that the obligation for record keeping shall not apply to enterprises or organizations employing fewer than 250 persons, unless the processing carried out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or data relating to criminal convictions.
- Data Protection Impact Assessment: Under the new Regulation regime, there is no longer a general obligation to notify, or obtain permission from, the competent supervisory authority for data processing. In its place, where a type of processing is likely to result in a high risk to the rights of natural persons, in particular because it is carried out systematically, on a large scale, relates to special categories of data or uses new technologies, the controller shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. Where a data protection impact assessment indicates that the processing would result in a high risk despite the measures taken by the controller to mitigate the risk, the controller shall consult the supervisory authority prior to processing.
- Designation of the Data Protection Officer: A new obligation for persons processing personal data [2] is the designation of a “Data Protection Officer”. Such officer shall be the guardian of personal data and shall have, among others, the following tasks: (a) to monitor the operator’s compliance with the law, (b) to cooperate with the supervisory authority and, generally, (c) to provide advice where requested as regards data protection. The Data Protection Officer shall be designated on the basis of professional qualities and may be a staff member of the operator or fulfill the tasks on the basis of a service contract.
A “data protection officer” must be designated in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data (e.g. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, the processing of genetic or biometric data and data concerning health or data concerning a natural person’s sex life or sexual orientation) and personal data relating to criminal convictions and offences referred to in Article 10 of the Regulation.
(iv) Codes of conduct – Certification
The new Regulation encourages the drawing up of codes of conduct by associations and other bodies representing categories of controllers or processors, which may be submitted for approval to the competent supervisory authority. Similarly, the establishment of certification mechanisms, data protection seals and marks is also encouraged for the purpose of demonstrating compliance with the Regulation. It is noted that the development of codes of conduct and certification mechanisms is voluntary.
(v) Administrative fines – Penalties
- Administrative fines for infringements of the Regulation, depending on the circumstances of each individual case, shall be up to 10.000.000 EUR or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year (whichever is higher). In certain circumstances (for example, infringements of the data subjects’ rights or of the basic principles of processing) administrative fines shall be up to 20.000.000 EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher).
- The penalties adopted make it clear that the new Regulation seeks to create a stricter framework for data protection.
(vi) Cooperation between the supervisory authorities – Consistency
- Establishment of the so-called “consistency mechanism”: In order to ensure the consistent application of the Regulation throughout the Union, a consistency mechanism for cooperation between supervisory authorities has been established. This mechanism will apply, for example, where a supervisory authority intends to adopt a measure that will produce legal effects in respect of processing operations which substantially affect a significant number of data subjects in more than one Member State.
- Establishment of the “European Data Protection Board”: A new body with decisive tasks at EU level, called the “European Data Protection Board”, will be set up and will play a key role in operating the “consistency mechanism”. The Board will be composed of representatives of all national supervisory authorities.
- One-stop-shop mechanism: Pursuant to this mechanism, in specific cases where a body is established in more than one Member State and carries out cross-border data processing, cooperation is foreseen between the lead supervisory authority (that of the body’s main establishment) and the national authorities concerned, whose competence may extend to a case of trans-European interest. The aim is to ensure uniformity in dealing with such cases.
The innovations introduced by GDPR attempt to create a uniform, coherent and stricter framework for data protection. The new Regulation is expected to become applicable in just a few months (May 25, 2018), meaning that the countdown has already begun for both businesses and the State, which are called upon to modify their structures and take the necessary measures in order to comply with its provisions.
[1] Directive 95/46/EC of the European Parliament and of the Council “on the protection of individuals with regard to the processing of personal data and on the free movement of such data”, 23.11.1995.
[2] This refers to both controllers and processors (see Art. 37 GDPR).