The new EU General Data Protection Regulation (“GDPR”) will replace the Data Protection Directive 95/46/EC and will come into force on the 25th of May, 2018, aiming at the harmonisation of existing data privacy legislation across the EU and the protection of all EU citizens’ personal data.
‘Personal data’ is any information that can directly or indirectly identify a natural person, and it can be in any format. The personal data of an individual may be processed by either a controller or a processor. For the purposes of the GDPR, a data controller is the entity which determines the purposes for which (and the means by which) the personal data of the individual is to be processed, whereas the data processor is the entity which processes personal data only on behalf of the controller.
The GDPR introduces the following major changes to the current law on data protection:
The GDPR applies to all data controllers and data processors established in one or more EU Member States but it also applies to data controllers and data processors established outside the EU who:
- offer goods or services to individuals in the EU; or
- monitor the behaviour of individuals within the EU.
Organisations that fail to comply with the GDPR face heavy penalties: they can be fined up to €20 million or 4% of the annual global turnover of the preceding financial year, whichever is higher.
Where consent is used as the lawful basis for processing, consent must be specific, informed and freely given by a clear and affirmative action. Consent must also be distinguishable from other matters and be provided in an easily accessible form in plain language. Importantly, individuals now have the right to withdraw their consent.
Although the key principles of data privacy remain those of the previous directive, the GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the previous directive.
The GDPR provides the following rights:
Right of Access
The GDPR gives individuals the right to access their personal data and supplementary information free of charge, so that they are aware of and can verify the lawfulness of the processing.
Right to Erasure
Also known as “the right to be forgotten”, this right allows an individual to request the deletion or removal of their personal data where there is no compelling reason for its continued processing.
Breach Notification
With the GDPR coming into force, breach notification will become mandatory in all Member States where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. The data controller must notify the relevant supervisory authority within 72 hours of having become aware of the breach and must also notify the affected individual(s) directly, without undue delay.
Right to Data Portability
An individual has the right to receive the personal data they have previously provided, in a ‘commonly used and machine-readable format’, and has the right to forward that data to another controller.
Privacy by Design
The GDPR imposes a general obligation on the controller to put technical and organisational measures in place to ensure the protection of the rights and freedoms of individuals. In line with the principle of data minimisation, controllers shall process only the data necessary for the completion of their duties and limit access to personal data to those who need it to carry out the processing.
Data Protection Officer (DPO)
The GDPR requires the appointment of a DPO in three cases:
- Public authorities;
- Entities whose core activities include:
  - processing operations which require “regular and systematic monitoring” of individuals “on a large scale”; and
  - “large scale” processing of sensitive data or data relating to criminal convictions and offences.
Compliance with the GDPR does not have to be intimidating. Sound and effective legal advice can equip you with all the knowledge necessary to prepare your organisation in time for the implementation of the new regulation.
Please contact us for more information or assistance in relation to the above matter.
The author of the article is Sophia Stylianou.
Sophia is a legal consultant at Royal Pine & Associates. She is a qualified lawyer with experience in the corporate field and an admitted member at the Cyprus Bar. She holds an LL.B from the University of Surrey and has completed the LPC with BPP University.