On 14 April 2016 the European Parliament approved the new General Data Protection Regulation (the „Regulation”).
The Regulation replaces the Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data („Data Protection Directive”) and it will enter into force 20 days after its publication in the EU Official Journal.
The Regulation is a result of the rapid technological evolution and it aims to strengthen the rights of the individuals by offering uniform protection all across Europe, while improving legal certainty and fair competition between businesses.
IMPACT & TIMEFRAME
Unlike the Data Protection Directive, the Regulation is directly applicable in all of the EU Member States, no implementation legislation or formalities being required.
Direct application will occur two years after its entry into force (with certain particularities for the UK, Ireland and Denmark).
The new Regulation is expected to have a significant impact on data controllers and data processors. The Regulation will affect both companies which (i) are active within the EU as well as (ii) those located outside EU but who monitor the behavior of EU consumers, or offer them goods or services online.
Even though the rules will start to take effect around the summer of 2018, businesses should begin to check their compliance with the new rules as soon as possible.
Sanctions for non-compliance with the new Regulation have significantly increased. Non- compliance with the obligations regarding the internal record keeping may trigger fines up to 2% of annual worldwide turnover of the preceding financial year or 10 million euros (whichever is the greater).
Violations relating to breaches of the data protection principles, conditions for consent, data subjects rights and international data transfers may trigger fines of up to 4% of annual worldwide turnover of the preceding financial year or 20 million euros (whichever is the greater).
WHAT IT TAKES TO COMPLY WITH THE NEW REGULATION
The purpose of the Regulation is to increase the degree of protection of the personal data, including:
- the data processors should bring more clarity into their privacy policies and use a more straightforward language;
- the right to transfer one’s data from a service provider to another (data portability);
- the requirement of a clear and affirmative consent from the data subject;
- a stronger right to be forgotten (the right of an individual to require, in certain conditions, the deletion of the personal data related to him/her).
The Regulation also brings about a new, stronger, enforcement system. The new rules contain a mechanism of cooperation between the data protection authorities in different member states.
We recommend to the Companies to prepare for the entry into force of the Regulation by
adopting and implementing a clear strategy in terms of processing personal data.
As a first step, the Companies could audit their operations in order to have clarity on the following:
- what personal data they process and how they process it,
- what are the policies they have in place in relation thereto and if those policies comply with the Regulation,
- what are the means whereby they ensure protection of the data subjects and
- what is the process for investigating data breaches.
Some Companies will have to designate a Data Protection Officer or a designated responsible for data protection matters within their organization.
Upon request we may provide further details on any of the matters above and we remain available should you require any assistance in preparing for the entry into force of the Regulation.
Please note that this information note does not purport to be and should not be construed as legal advice. Professional advice should therefore be sought before any action is undertaken in relation to the matters set out in this information note.
|Burlacu Maria-Ecaterina||Ioan Dumitrascu|
|+40 733 551 031||+40 733 551 013|