Broadlaw Group Newsletter – New General Data Protection Regulation, what you need to know
After years of negotiations, the European Council, the European Parliament and the European Commission agreed on 15 December 2015 on the text of a new General Data Protection Regulation (GDPR), first proposed by the Commission in January 2012. The Regulation is expected to be formally adopted in spring 2016. As a regulation rather than a directive, it will be directly applicable in all Member States without the need for national implementing laws. The GDPR, which will replace Directive 95/46/EC, aims to create a single data protection framework for both public and private data processing across all EU Member States and is expected to apply from 2018, two years after its entry into force.

Key changes provided in the GDPR

The most significant changes brought about by the GDPR are the following:
• Increased territorial scope of the GDPR
The new rules apply not only to companies established in the EU but also to companies established outside the EU that offer goods or services to individuals in the EU or monitor their behaviour there. Hence, even companies based outside the EU will have to comply with the GDPR to the extent that they do business with, or process personal data about, individuals in EU Member States.
• One-stop-shop
For companies doing business in several EU Member States, rather than having to deal with the national data protection authorities of each of those countries (as is the current position), only the data protection authority of the Member State in which the company has its main establishment (typically its EU headquarters) shall be competent to act as the lead authority for the company. The lead authority shall coordinate all proceedings with the other authorities concerned. This so-called one-stop-shop mechanism is intended to make cross-border data processing and business easier.
• Data Protection Officers
Data controllers and processors whose core activities consist of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data (sensitive data), will be required to appoint a designated Data Protection Officer, whose role will be to monitor and advise on compliance.

• Consent required
Where processing is based on the data subject's consent, that consent must be "unambiguous": it must be given by a statement or a "clear affirmative action" indicating the data subject's freely given, specific and informed agreement, so pre-ticked boxes, silence or inactivity will not suffice. Consent is only one of the lawful bases for processing under the GDPR (others include the performance of a contract, compliance with a legal obligation and the controller's legitimate interests), but where it is relied upon the controller must be able to demonstrate that it was obtained. For the processing of special categories of data, such as sensitive data, consent must be "explicit". Where online services are offered directly to children under 16, consent must be given or authorised by the holder of parental responsibility. Member States may lower this age threshold, but not below 13.
• Data portability and right to be forgotten
The GDPR gives data subjects a right to data portability: they may receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format and transmit it to another service provider. Moreover, a statutory "right to be forgotten" (right to erasure) will make it easier for individuals to have personal data concerning them deleted, including data that a controller has made public. In particular, data subjects have the right to require data controllers to erase their personal data where the data are no longer necessary in relation to the purposes for which they were collected or processed, where the data subject has withdrawn the consent on which the processing is based, or where the data subject objects to the processing and there are no overriding legitimate grounds for continuing it. A controller that has made the data public must also take reasonable steps to inform other controllers processing the data of the erasure request.
• Privacy by design and by default
Data controllers must implement appropriate technical and organisational measures and safeguards (e.g. pseudonymisation) so that personal data are processed only to the extent necessary for a specific purpose; by default, personal data should not be collected, made accessible or retained beyond the minimum necessary for those purposes (data minimisation). Where processing is likely to result in a high risk to the rights and freedoms of individuals, for instance large-scale processing of sensitive data or systematic monitoring, companies will have to carry out a "data protection impact assessment" before the processing starts.
• Liability of data processors
Under the new framework, commissioned data processors have direct statutory obligations of their own, can be fined by supervisory authorities, and are directly liable to data subjects for damage caused by processing that breaches those obligations or the controller's lawful instructions. A written contract or other legal act binding the processor to the controller, specifying the subject matter, duration, nature and purpose of the processing and the duties and responsibilities of both parties, is therefore required.
• No registration required
Whereas currently in some Member States data controllers must register with or notify the national data protection authority of their processing activities, this will no longer be necessary under the GDPR. Instead, controllers (and processors) will have to maintain internal records of their processing activities and make them available to the supervisory authority on request.
• Data breach notification
In the case of a personal data breach, e.g. a hack or another data leak, the data controller must notify the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; a notification made after 72 hours must state the reasons for the delay. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must in addition communicate the breach to the affected data subjects without undue delay. A data processor that becomes aware of a breach must inform the controller on whose behalf it processes the personal data without undue delay, so that the controller can meet its own deadline.
• Substantially higher administrative fines
Under the GDPR, administrative fines are increased substantially and are no longer capped at the fixed national amounts that apply today. Depending on the provision infringed, fines may reach EUR 10 million or 2% of a company's total worldwide annual turnover of the preceding financial year, whichever is higher, and, for the most serious infringements, EUR 20 million or 4% of that turnover, whichever is higher. The upper tier covers, for example, infringements of the basic principles of processing (including the conditions for consent), of data subjects' rights and of the rules on international transfers. Violations of data protection rules can therefore result in fines running into millions for large companies.

Recommendation: what you should consider now

Even though the Regulation will not become effective and directly applicable in Member States before 2018, companies should start reviewing their existing data processes and data protection policies now and assess the impact the GDPR will have on their business. The transitional period of two years should be used to review and implement new data protection policies and processes. As Member States are permitted to maintain or introduce national provisions further specifying the application of certain provisions of the Regulation, companies should also monitor further developments regarding the GDPR.

Our expertise

Our law firms combine their international advisory services by cooperating within an exclusive alliance with 30 offices located in major cities across Europe, as well as in selected cities in Asia, the Middle East and North Africa. We are highly familiar with the constantly growing body of legal requirements relating to local and EU data protection and data privacy. Thanks to our comprehensive expertise and extensive know-how in the relevant law, we can provide clear advice, efficient guidance and tailor-made, innovative solutions that cover your needs.

Broadlaw Group – All rights reserved.
The reproduction, duplication, circulation and/or adaptation of the content and illustrations of this document, as well as any other use, is only permitted with the prior written consent of the Broadlaw Group.

Disclaimer

This client briefing contains general information only, which is not suitable for use in the specific circumstances of a particular situation. It is not the purpose of the client briefing to serve as the basis of a commercial or other decision of whatever nature. The client briefing does not qualify as advice or as a binding offer to provide advice or information, and it is not a substitute for personal advice. Any decision taken on the basis of the content of this client briefing, or of parts thereof, is at the exclusive risk of the user. Neither the Broadlaw Group nor the partners and employees mentioned in this client briefing give any guarantee or assume any liability, for whatever reason, regarding the content of this client briefing. For that reason we recommend that you seek personal advice.