SEA CHANGE IN PERSONAL DATA PROTECTION RULES

On 25 May 2018, Regulation (EU) 2016/679 of the
European Parliament and of the Council on the
protection of natural persons with regard to the
processing of personal data and on the free
movement of such data (the so-called General Data
Protection Regulation) will come into force within
the European Union. In contrast to the currently
existing directive, the provisions of this regulation
are applicable directly, that is they do not require
prior transposition into national law. Only a few
matters expressly identified in that regulation can
be specified in greater detail at national level.

The Regulation introduces a number of
revolutionary changes in the protection of personal
data. First and foremost, it broadens the
information obligations of economic operators. In
addition, it requires that such information be
presented in a concise, clear, understandable and
easily accessible form, and that clear and plain
language be used. Consequently, economic
operators will be forced to develop new catalogues
of information to be provided to data subjects.

Furthermore, the Regulation confers on data
subjects the right to obtain, in a structured and
commonly used machine-readable format, the
personal data they provide to a data controller.
Such individuals may also require the data
controller concerned to send their personal data to
another controller. Under certain circumstances,
the data subject may also require the data
controller to promptly remove the data they
provided (the so-called “right to be forgotten”). To
fulfil the obligations related to these rights of data
subjects, it will be necessary for the data controller
to develop appropriate internal procedures and
interpretative formats allowing data transfers.

Under this Regulation, the data controller will be
required to analyse the risks involved in data
processing and implement administrative and
technical measures to mitigate these risks. Such
measures should ensure an appropriate level of
security while taking into account the state of the
art and the costs of their implementation in
relation to the risks and the nature of personal data
to be protected.

In the case of a personal data breach, the
controller is obliged to notify, without undue delay
(no later than 72 hours after having become aware
of it if feasible), the personal data breach to the
supervisory authority. Furthermore, the controller
must document any personal data breaches,
including the facts surrounding the breach, its
effects and the remedial action taken.

It is crucial to know that should data controllers fail
to respect the obligations stipulated in this
Regulation, they can have a pecuniary penalty
imposed on them of up to 20 million euro or up to
4% of their annual worldwide turnover in the
previous year – whichever is greater.

Given the nature of this publication, we have
presented only some of the new rules. However, it
should be stressed that these changes to the
personal data protection legislation are much more
substantial in scope. Economic operators may find
this general data protection regulation
overwhelming, in terms of both the scope and
complexity of the obligations imposed on them.
This is why they should now undertake action with
a view to implementing solutions ensuring
compliance with the provisions of the Regulation.

MILLER, CANFIELD,
W. BABICKI, A. CHEŁCHOWSKI I WSPÓLNICY SP.K.

ul. Batorego 28-32
81-366 Gdynia
Tel. +48 58 782-0050
Fax +48 58 782-0060
gdynia@pl.millercanfield.com

ul. Nowogrodzka 11
00-513 Warszawa
Tel. +48 22 447-4300
Fax +48 22 447-4301
warszawa@pl.millercanfield.com

ul. Skarbowców 23a
53-125 Wrocław
Tel. +48 71 780-3100
Fax +48 71 780-3101
wroclaw@pl.millercanfield.com

Disclaimer: This publication has been prepared for clients and professional associates of Miller Canfield. It is intended to provide only a summary of
certain recent legal developments of selected areas of law. For this reason the information contained in this publication should not form the basis of any
decision as to a particular course of action; nor should it be relied on as legal advice or regarded as a substitute for detailed advice in individual cases.
The services of a competent professional adviser should be obtained in each instance so that the applicability of the relevant legislation or other legal
development to the particular facts can be verified.