The New General Data Protection Regulation: what changes?
As from May 25th a new set of rules on data protection (General Data Protection Regulation or GDPR) will take effect across the EU, involving individuals, companies, administrations and other organizations to the same extent. This new European framework aims to provide greater protection of individual rights and new opportunities for business by clarifying and modernizing data protection rules.
- One-Stop Mechanism
The Regulation establishes a harmonized legal framework for a uniform and consistent application of the rules throughout all Member States with the introduction of the one-stop-shop mechanism. In general, controllers and processors will only have to communicate with the lead supervisory authority, i.e. the supervisory authority of the main establishment or sole establishment of the controller or the processor, in accordance with Article 56 (1) of the GDPR. However, local supervisory authorities continue to have powers in various sectors, and both authorities will collaborate in investigations.
- Strengthening of Individual Rights
The Regulation introduces new transparency requirements; reinforcement of the rights to information, access and erasure (the “right to be forgotten” is set out in Article 17 of the GDPR); silence and inactivity cease to be valid consent, and consent becomes more demanding, since a clear affirmative action is required to express it (Article 4 of the GDPR); and the protection of children online (if the child is under the age of 16, processing is only lawful if and to the extent that consent is given or authorized by the holder of parental responsibility over the child, and Member States are free to legislate a lower age for these purposes, provided that it is not less than the age of 13).
- Processors
Processors (a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller) will have direct obligations and responsibilities, which means that processors can be held directly accountable. Processing by processors shall be governed by the contract which binds the processor to the controller and which establishes the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, and the obligations and rights of the controller. Processors shall provide sufficient guarantees that they will implement appropriate technical and organizational measures so that the processing meets the requirements of the Regulation. In addition, they cannot engage another processor without the prior written authorization of the controller.
- Data Protection by Design and by Default
The controller should adopt internal guidelines and apply measures that respect the data protection principles from the outset; such measures may include minimizing the processing of personal data, the pseudonymization of personal data and encryption, among others.
- Right to Data Portability
The Regulation establishes a new right to data portability, which allows citizens to request that a company or organization return the personal data the citizen has provided to it on the basis of consent or a contract; it also allows personal data to be transmitted directly to another company or organization where this is technically feasible. This right thus contributes to the free movement of personal data in the EU, discourages the retention of personal data and encourages competition between companies.
- Improved Protection Against Personal Data Violations
The Regulation clearly defines what constitutes a “personal data breach” and introduces an obligation to notify the supervisory authority competent in accordance with Article 55 when the breach is likely to result in a risk to the rights and freedoms of individuals, at the latest within 72 hours (Article 33 of the GDPR). Under certain circumstances, it also requires the data subject to be informed of the breach, which enhances protection compared with the current situation in the EU.
- Fines
The fines may amount to EUR 20 million or, in the case of a company, to 4% of the annual worldwide turnover for the preceding financial year, whichever is the higher.
- Principle of Responsibility
The Regulation is based on the principle of accountability of the controllers and processors dealing with personal data, through obligations that can be adjusted according to risk, such as the appointment of a Data Protection Officer (DPO) or the obligation to conduct data protection impact assessments. The latter is a new tool to help assess the risk before processing begins (Article 35 of the GDPR). The obligation to carry out this assessment exists when the processing is likely to entail a high risk to the rights and freedoms of natural persons. The Regulation specifically mentions three situations: when a company systematically and extensively evaluates personal aspects relating to natural persons (including profiling); when it processes sensitive data on a large scale; or when it systematically monitors publicly accessible areas on a large scale. The supervisory authorities will have to make public the lists of cases requiring a data protection impact assessment.
- Transfer of Personal Data to Third Countries
The Regulation requires companies based outside the EU to apply the same rules as EU-based companies if they offer goods and services related to personal data or monitor the behaviour of individuals within the Union. Companies operating from countries outside the EU that are active in the single market should, in certain circumstances, appoint a representative in the EU to whom citizens and authorities may turn in addition to, or instead of, the company established abroad.
This also applies in cases where a company, even a Portuguese one, subcontracts the storage of data to providers in countries outside the EU.
In the absence of a decision on the adequacy of the level of protection, controllers or processors may only transfer personal data to a third country if they have provided appropriate safeguards and on condition that data subjects have enforceable rights and effective legal remedies.
As far as adequacy decisions are concerned, the Regulation introduces a precise and detailed catalogue of the elements which the Commission must take into account when assessing whether a foreign system adequately protects personal data. The Regulation also formalizes and extends the range of alternative transfer instruments, such as standard contractual clauses and binding corporate rules.