The new General Data Protection Regulation (GDPR)


Abstract


The aim of the GDPR is to protect all EU citizens from privacy and data breaches in a data-driven world that is different from the time in which the 1995 directive was established. 


The new General Data Protection Regulation will enter into force on 25 May 2018, replacing the current data protection law. Non-compliant companies may be subject to penalties of up to Euro 20 million or 4% of their revenue, depending on local data protection laws.


The General Counsel or Partner will be responsible if the IT department or the systems fail to meet the requirements.


It applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. It also applies to data controllers and data processors offering goods or services to the EU or monitoring the behaviour of individuals in the EU.


The GDPR does not apply to certain processing covered by the Law Enforcement Directive (Directive 2016/680/EC). 


In this article we underline the key aspects of the GDPR:


1. Scope

2. Territorial Scope

3. Fundamental Principles

4. Lawfulness of processing 

5. Consent

6. Individual rights

7. Accountability of data controllers 

8. Data Protection Officer

9. Obligations of data processors 

10. Breach Notification 

11. International Transfers 

12. One Stop Shop

13. Sanctions and controls

14. European Data Protection Board (EDPB)

15. Conclusions

16. Links of interest


1. Scope (art. 2)


The GDPR applies to the processing of personal data. Personal data is defined as any information relating to an identifiable natural person and includes data such as an IP address, an email address or a telephone number. 


Particular protection is offered to special categories of personal data, i.e. data revealing:


· racial or ethnic origin

· political opinions 

· religious or philosophical belief 

· trade union membership

· genetic and biometric data 

· data concerning health 

· sexual orientation. 


Any Member State may introduce further categories or conditions.


2. Territorial Scope (Art. 3) 


The General Data Protection Regulation has an extended territorial reach: it applies to data controllers and data processors established in the EU, and to those established outside the EU that target individuals in the EU by offering goods and services or that monitor the behaviour of individuals in the EU (where that behaviour takes place in the EU).


Data controllers and/or data processors not established in the EU, but whose activities fall within the scope of the GDPR, will generally have to appoint a representative established in an EU Member State.


The representative is the point of contact for all Data Protection Authorities (DPAs) and individuals in the EU on all issues related to data processing. 


3. Fundamental Principles (art.5)


Personal data must be processed in accordance with the principles of: 


· lawfulness

· fairness 

· transparency. 


Personal data must be collected for specified, explicit and legitimate purposes, and must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, in accordance with the principle of purpose limitation.


4. Lawfulness of processing (art.6)


Under the GDPR, processing of personal data is compliant only if:

  1. The data subject has given consent to the processing.
  2. The processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
  3. The processing is necessary for compliance with a legal obligation to which the controller is subject.
  4. The processing is necessary to protect the vital interests of the data subject or of another natural person.
  5. The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

5. Consent (art. 4,7 and 8)


The request for consent must be presented in an understandable and easily accessible form, stating the purpose of the data processing. Consent must be clear and distinguishable from other matters. It must be as easy to withdraw consent as it is to give it.


In relation to children’s consent, for an individual below 16 years old consent must be obtained from the parent or the holder of parental responsibility.


6. Individual rights (art. 12 -23)


Individuals who have given consent retain the rights to:

  • be informed (the right to request and obtain an update on the status of the processing)
  • be forgotten (the right to have all their data erased, if the data are no longer necessary)
  • restriction of processing (the right to give consent for a restricted time only)
  • data portability (transmission of the data from one data controller to another)

There are restrictions to these rights for national security and similar circumstances, in accordance with art. 23 of the GDPR.


7. Accountability of data controllers (art. 5,25,30,35 – 43)


Data controllers have to ensure compliance with the GDPR and be able to demonstrate it. They generally must implement appropriate technical and organisational measures, including data protection policies. Where the law requires it, data controllers have to appoint a Data Protection Officer (DPO) and conduct data protection impact assessments (DPIAs).


8. Data Protection Officers


Data Protection Officers (DPOs) are mandatory only for controllers and processors whose activities involve regular, systematic and large-scale monitoring of individuals, or the processing of special categories of data or of data relating to criminal convictions and offences.

Importantly, the Data Protection Officers:

  • Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
  • May be a staff member or an external service provider
  • Contact details must be provided to the relevant DPA
  • Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
  • Must report directly to the highest level of management
  • Must not carry out any other tasks that could result in a conflict of interest

9. Obligations of data processors (art. 28) 


A data processor is a person who processes data on behalf of a data controller. 


The data controller decides the purpose and manner of the processing, while data processors hold and process data on the controller’s behalf but do not have any responsibility for or control over the purpose of that data.


The GDPR introduces new requirements which apply directly to data processors, giving them a separate legal status from data controllers, particularly with regard to security measures and international data transfers.


Data processors must provide the expected guarantees, just as data controllers do, and implement appropriate measures to ensure that the processing will meet the requirements of the GDPR.

Data processors must also assist data controllers in matters of security, DPIAs and data breach notifications, and must alert the controller if its processing instructions would lead to a possible violation of the GDPR or of a provision of Union or Member State law.


Processing by a processor shall be governed by a contract or other valid legal act that binds the processor to the controller.


The GDPR enumerates specific clauses that must be included, such as: 

  • the data processor may only process data in accordance with documented instructions from the controller;
  • the processor cannot engage another processor without the authorisation of the data controller.

10. Breach Notification (art. 33 – 34)


Under the GDPR, breach notification will become mandatory in all Member States where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. The notification must be made within 72 hours of first having become aware of the breach.


Data processors will also be required to notify their customers, the controllers, “without undue delay” after having become aware of a data breach. 


11. International Transfers (Art. 44 – 49)


Personal data may be transferred outside the EU to third countries or international organisations that provide an “adequate level of data protection”, meaning “essentially equivalent” to the level of protection afforded within the EU.


Where there is no adequacy decision and no appropriate safeguards are in place, a transfer of personal data can only be made in limited situations, for example where an individual explicitly consents to the proposed transfer after having been provided with all necessary information about the risks.


12. One Stop Shop (OSS) (Art. 15) 


The one-stop-shop principle represents the harmonisation of data protection laws throughout Europe and is an addition compared with the previous regulation. However, the principle is not as simple as it may appear. The One Stop Shop applies only to a controller or a processor carrying out “cross-border processing”, meaning:

  • the processing of personal data by the controller or processor through local operations across more than one Member State;
  • the processing of personal data by a controller or a processor established in a single Member State that “substantially affects or is likely to substantially affect” data subjects in more than one Member State.

13. Sanctions and controls (art. 50 -83)


DPAs will have the power to impose administrative fines of up to 20 million euros or 4% of annual worldwide turnover for certain infringements of the GDPR provisions.


The GDPR also introduces a new procedure for collective actions.


14. European Data Protection Board (EDPB) (art. 64,65,66 and 68)


The EDPB is given a long and detailed list of tasks, but its primary role will be to oversee the application of the GDPR throughout the EU.


The EDPB will have the status of an EU body with legal personality and extensive powers to settle disputes between national supervisory authorities and to issue opinions on specific matters such as lists of risky processing, codes of conduct and accreditation criteria for certification bodies.


The EDPB will also be responsible for issuing guidelines, recommendations and best practices. 


15. Conclusions


Privacy protection as a concept has existed for years now, but only with the GDPR is it becoming part of a legal requirement. More specifically: ‘The controller shall implement appropriate technical and organisational measures “in an effective way” in order to meet the requirements of this Regulation and protect the rights of data subjects’.


Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimisation), as well as to limit access to personal data to those who need it to carry out the processing.


Companies now need to review their existing processing, identify the most appropriate lawful basis, and check that it applies. In many cases this will be the same as the existing conditions for processing under the previous legislation.


A checklist

  1. We have checked that consent is the most appropriate lawful basis for processing.
  2. We have made the request for consent prominent and separate from our terms and conditions.
  3. We ask people to positively opt in.
  4. We don’t use pre-ticked boxes, or any other type of consent by default.
  5. We use clear, plain language that is easy to understand.
  6. We specify why we want the data and what we’re going to do with it.
  7. We give granular options to consent to independent processing operations.
  8. We have named our organisation and any third parties.
  9. We tell individuals they can withdraw their consent.
  10. We ensure that the individual can refuse to consent without detriment.
  11. We don’t make consent a precondition of a service.
  12. If we offer online services directly to children, we only seek consent if we have age-verification and parental-consent measures in place.
  13. We keep a record of when and how we got consent from the individual.
  14. We keep a record of exactly what they were told at the time.

Managing consent

  15. We regularly review consents to check that the relationship, the processing and the purposes have not changed.
  16. We have processes in place to refresh consent at appropriate intervals, including any parental consents.
  17. We consider using privacy dashboards or other preference management tools as a matter of good practice.
  18. We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
  19. We act on withdrawals of consent as soon as we can.
  20. We don’t penalise individuals who wish to withdraw consent.

16. Links of interest


  • https://www.eugdpr.org
  • https://ico.org.uk
  • http://bit.ly/2ruWgIs


by Daniele Lupi 

February 2018
