Personal data protection after May 25, 2018. GDPR

On 25 May 2018, the EU General Data Protection Regulation comes into force. It replaces the 1995 EU Data Protection Directive 65/46/EU. The Regulation is designed to unify the rights of individuals in the field of personal data protection across the EU by introducing a single regulatory framework for business, in place of the laws currently in force at national level. To date, each Member State has implemented the rules introduced in 1995 differently, which makes it difficult for international corporations to operate within the EU.

Field of application

The new Regulation applies to the processing of personal data by a controller or processor established in the EU, regardless of whether the processing itself takes place in the Union. The Regulation also applies to the processing of personal data of data subjects located in the Union by a controller or processor not established in the Union, where the processing relates to the offering of goods or services to data subjects in the Union (whether or not payment is required) or to the monitoring of the behaviour of those data subjects. Finally, the Regulation applies to controllers not established in the EU but established in a place where Union law applies by virtue of public international law.

The obligation to register as a personal data controller

With the entry into force of the Regulation, the obligation for persons processing data to register as a personal data controller ceases. In its place comes the so-called accountability principle. This is expressed in the obligation of the controller to be able to demonstrate, at any time, that it complies with the requirements of the Regulation. That is to say, at any time, upon possible verification by the CPDP, it should be possible to establish what personal data are being processed, for what purposes and for what period, how the data are stored, whether the data are provided to third parties and who those parties are, and what measures have been taken to ensure the security of the processed data.

Principles for the processing of personal data

The principles that the new regulation introduces in the field of processing and protection of personal data are:

  • lawfulness, good faith and transparency of processing;
  • purpose limitation — the data are collected for specific, explicitly stated and legitimate purposes and are not further processed in a manner incompatible with these purposes;
  • data minimisation — only relevant data related to and limited to what is necessary in relation to the purposes for which they are processed are processed;
  • accuracy — data should be kept up to date and all reasonable measures should be taken to ensure the timely deletion or correction of inaccurate personal data, taking into account the purposes for which they are processed;
  • restriction of storage — the data is stored in a form that allows the identification of the data subject for a period not longer than necessary for the purposes for which the personal data are processed;
  • integrity and confidentiality — the data is processed in a way that ensures an appropriate level of security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, applying appropriate technical or organisational measures.

Data Protection Officer

In certain cases, the Regulation introduces an obligation for the personal data controller to also designate a Data Protection Officer, who may be either an employee of the controller or a natural or legal person acting under a service contract. That person is responsible for monitoring compliance with the Regulation and for advising the controller on matters of personal data protection.

Rights of individuals

The new Regulation strengthens citizens' existing rights in the field of personal data, introduces new ones and gives citizens greater control over their data. The basic rights are:

  • easier access for data subjects to the data about them that is being processed;
  • the right to data portability, which is new;
  • a clarified right to erasure (“right to be forgotten”) — when a person no longer wishes their data to be processed and there is no legitimate reason for it to be retained, the data will be deleted;
  • the right to know when personal data have been subject to external intrusion — personal data controllers should notify data subjects in a timely manner of serious breaches involving their data. They will also have to notify the relevant data protection supervisory authority.

Obligations for personal data controllers

In view of the accountability principle, the new Regulation imposes a number of obligations on personal data controllers, including:

  • providing data subjects with clear information on the collection of personal data, the purposes of processing, and the rules for storing and deleting personal data;
  • ensuring adequate protection of stored personal data;
  • adopting a procedure for responding to a data breach, including clear rules on notification of the supervisory authority;
  • processing data only after obtaining consent from the data subject;
  • training employees who handle personal data;
  • adopting new, or updating existing, company policies in the field of personal data;
  • appointing a data protection officer where required.

Violations

If a breach of the security of personal data is detected, the CPDP must be notified no later than 72 hours after the breach is detected, and the persons whose personal data are affected must also be informed. The breach, its consequences and the actions taken to address it should be documented.

Sanctions

Compliance with the requirements of the Regulation will be supervised by the Commission for Personal Data Protection. The penalties provided for in the Regulation are significant and can reach up to 4% of the company's annual turnover.
