The EU General Data Protection Regulation: Key takeaways
June 14, 2016 - Discussing the most important consequences which are new to the EU General Data Protection Regulation.
Recently the General Data Protection Regulation (EU) 2016/679 has been published. It will replace Directive 95/46/EC in May 2018. Because it is a Regulation rather than a Directive, it will ensure that data protection is regulated uniformly across the EU: unlike a Directive, a Regulation does not need to be transposed into national law. It is meant to better protect citizens’ personal data in the digital era. To ensure this, the Regulation imposes rules on data controllers and processors. According to the Regulation, data controllers are “natural or legal persons, public authorities, agencies or other bodies determining the purposes and means of the processing of personal data”, i.e. all businesses and organizations that hold data about their users, customers or citizens. These can be web shops, banks, hospitals, government agencies, etc. The processor is the party actually processing personal data on behalf of the controller. Processor and controller can be the same party.
The Regulation imposes partly new rules on data controllers and processors. At the same time it may facilitate compliance and reduce costs for these parties: they will only have to deal with one Regulation and one supervisory authority, irrespective of the number of Member States in which they conduct business, and notification to the supervisory authority is only required in cases of high risk.
The Regulation has a number of consequences for data processors and controllers. In this article we will discuss the most important consequences which are new with respect to the current situation.
Right to be forgotten and right to data portability
- The new Regulation provides data subjects with the right to have their personal data removed and the right to take their personal data in electronic format from one controller to another. Data controllers and processors will have to support this.
Consent for children
- In the current situation consent from the data subject is already required to allow processing of personal data (unless the processing takes place because of a legal obligation or in the public interest). The new Regulation places special conditions on consent for children. Up to the age of 16 (or a lower age if a country allows it, although not below the age of 13) consent is required from, or needs to be authorized by, the holder of parental responsibility over the child. The data controller has to make reasonable efforts to verify this, taking into consideration available technology.
Notification of personal data breach
- Data controllers have the obligation to notify the supervisory authority of a personal data breach within 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Data processors have the obligation to notify the controller of a data breach. Where the breach is likely to result in a high risk to the data subjects whose data is concerned, the controller also needs to inform the data subjects. The supervisory authority can require a data controller to notify the data subjects if it has not yet done so.
Data protection impact assessment
- Data controllers have the obligation to perform a Data Protection Impact Assessment (DPIA) where a type of processing is likely to result in a high risk. The supervisory authorities will establish and make public a list of the kinds of processing operations that are subject to the requirement for a DPIA and a list of the kinds of processing operations for which no DPIA is required. In some countries (NL, UK) experience already exists in performing similar privacy impact assessments. In a number of non-EU countries privacy impact assessments are also common and sometimes mandatory. A data protection impact assessment shall include the following elements:
- A systematic description of the envisaged processing operations and the purposes of the processing;
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- An assessment of the risks to the rights and freedoms of data subjects;
- The measures envisaged to address the risks.
The controller shall consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of mitigating measures.
Prior consultation of supervisory authority
- In the current situation prior consultation of the supervisory authority is in principle required before carrying out any automatic processing operation. The new Regulation only requires prior consultation where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. This may reduce the number of cases in which prior notification is required.
Data protection officer
- The data controller and processor have the obligation to designate a data protection officer if the processing is carried out by a public authority or body, if the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or if the core activities of the controller or the processor consist of large-scale processing of special categories of data. Special categories of data are the so-called article 9 and article 10 data. Article 9 data is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation. Article 10 data is data relating to criminal convictions and offences.
- The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract. The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of his or her tasks. The data protection officer shall report directly to the highest management level of the controller or the processor. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in the Regulation, i.e. to inform and advise, assign responsibilities, raise awareness, deliver training, perform audits, and have regard to the risks. Data subjects may contact the data protection officer with regard to all issues related to the processing of their personal data and to the exercise of their rights under the Regulation.
Transfer of personal data to third countries or international organizations
- Data controllers are only allowed to transfer data to third countries or international organizations on the basis of an adequacy decision by the Commission that the country, a specific sector in the country or the organization ensures an adequate level of protection. In the absence of such a decision, they may only transfer data if they have provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for the data subjects are available. Where a judgment of a court or tribunal or a decision of an administrative authority of a third country requires a data transfer, the transfer may only take place if it is based on an international agreement. If neither an adequacy decision nor appropriate safeguards exist, a transfer shall take place only if the data subject has explicitly consented to it, if it is necessary for the performance of a contract between the data subject and the controller or of a contract concluded in the interest of the data subject, if it is necessary for reasons of public interest or for legal claims, or if it is necessary to protect the vital interests of the data subject or of other persons.
- Under the new Regulation data protection authorities will be able to impose sanctions on data controllers and processors which do not comply with the Regulation. These sanctions may reach up to 20,000,000 EUR or, in the case of an enterprise, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is greater.
- The establishment of data protection certification mechanisms and of data protection seals and marks will be encouraged by Member States, supervisory authorities, the Board and the Commission, but it will not become mandatory. Certification bodies will need to be accredited by a supervisory authority and/or by the national accreditation body. Certification may be issued for a maximum period of three years, after which re-certification will be required.
- Under the new Regulation harmonization of data protection within the EU is considered very important. For that purpose, the supervisory authorities shall cooperate with each other and with the Commission. The current working party will be replaced by the European Data Protection Board. Where a data controller or processor has multiple establishments in the EU or will process data of citizens in multiple countries, it will have a single supervisory authority as its lead authority, based on the location of its main establishment (i.e., the place where the main processing activities take place). The lead authority will act as a “one-stop shop” to supervise all the processing activities of that controller or processor throughout the EU.
It will be interesting to see how the Regulation will be applied in practice. To specify more clearly how it should be implemented, delegated and implementing acts may follow later.