Revolution in Personal Data Protection: GDPR – New Provisions, Bigger Penalties
On 25 May 2018, the provisions of the general Regulation of the European Parliament and of the Council (EU) 2016/670 of 27 April 27 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation (GDPR)) will enter into force. The changes are many.
First of all, the GDPR expands the catalog of natural persons whose personal data is processed. There is a new right to have data deleted (the “right to be forgotten”) and a right to demand the transfer of data. Another important change concerns the opportunity of submitting an objection to data processing for the purpose of direct marketing. Where personal data is processed for this purpose, the person whom the data concerns will have the right at any moment to object to the processing of their personal data for the purpose of such marketing, including profiling, within the scope of which that processing is related to direct marketing (Article 21 par. 2 GDPR).
In accordance with motive 74 of the Preamble to the GDPR, a number of obligations, as well as legal liability, are imposed on an administrator for the processing of personal data by or on behalf of that administrator. In particular, an administrator is obliged to implement appropriate, effective measures and should be able to show that its processing activities comply with the GDPR. It must also be able to show that the activities it conducts are effective. The means measures employed by an administrator should take account of the nature, scope, context, and purposes of the data processing, as well as of the risk of infringements of the rights and freedoms of natural persons. The effective implementation of the provisions of the GDPR requires all internal processes of a given organisation be accounted for where these have any connection whatsoever with personal data processing. Moreover, the effective implementation of the new provisions requires that a personal data audit first be conducted in order to determine what areas must be adopted to the new requirements.
Certain companies will also be obliged to appoint a Personal Data Protection Inspector.
The GDPR also imposes on an administrator an obligation to promptly (no later than within 72 hours following the detection of an infringement) submit any personal data protection infringements to the relevant supervisory authority within the organisation.
The GDPR also sets out provisions concerning consent to personal data processing and expands the scope of information that must be provided to the personal data concern (known as an informational obligation).
The most significant change, however, is the introduction of severe penalties for infringements of the provisions concerning personal data protection. The GDPR provides financial penalties in the amount of up to EUR20 million, or in the case of corporations, up to 4% of the total global annual turnover of the business in the previous financial year.