On 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the so-called General Data Protection Regulation) will come into force within the European Union. In contrast to the currently existing directive, the provisions of this Regulation are directly applicable, that is, they do not require prior transposition into national law. Only a few matters expressly identified in the Regulation can be specified in greater detail at the national level.
The Regulation introduces a number of revolutionary changes in the protection of personal data. First and foremost, it broadens the information obligations of economic operators. In addition, it requires that such information be presented in a concise, clear, understandable and easily accessible form, using clear and plain language. Consequently, economic operators will be forced to develop new catalogues of information to be provided to data subjects.
Furthermore, the Regulation confers on data subjects the right to obtain, in a structured, commonly used and machine-readable format, the personal data they have provided to a data controller. Such individuals may also require the data controller concerned to transmit their personal data to another controller. Under certain circumstances, the data subject may also require the data controller to promptly remove the data they provided (the so-called “right to be forgotten”). To fulfil the obligations arising from these rights, the data controller will need to develop appropriate internal procedures and data formats that allow such transfers.
Under this Regulation, the data controller will be required to analyse the risks involved in data processing and implement administrative and technical measures to mitigate these risks. Such measures should ensure an appropriate level of security while taking into account the state of the art and the costs of their implementation in relation to the risks and the nature of personal data to be protected.
In the case of a personal data breach, the controller is obliged to notify the breach to the supervisory authority without undue delay and, where feasible, no later than 72 hours after having become aware of it. Furthermore, the controller must document every personal data breach, including the facts surrounding the breach, its effects and the remedial action taken.
It is crucial to know that should data controllers fail to respect the obligations stipulated in the Regulation, a pecuniary penalty of up to 20 million euros or up to 4% of their annual worldwide turnover in the previous year, whichever is greater, can be imposed on them.
Given the nature of this publication, we have presented only some of the new rules. It should be stressed, however, that the changes to personal data protection legislation are far more substantial in scope. Economic operators may find the General Data Protection Regulation overwhelming, in terms of both the scope and the complexity of the obligations imposed on them. This is why they should take action now to implement solutions that ensure compliance with the provisions of the Regulation.