European Parliament adopts the General Data Protection Regulation

The European Parliament took a vote on the General Data Protection Regulation (GDPR) today. Organizations will have until 2018 to comply with the provisions of the Regulation. Because of its direct effect, the GDPR will replace the European Privacy Directive of 1995 and national regulations, including the Dutch ‘Wet bescherming persoonsgegevens’. 2018 seems far down the road, but the GDPR brings some profound changes which will cost a lot of time for organizations to implement correctly. When organizations fail to be compliant (in time), they risk receiving heavy fines. We will give a short outline of the highlights.

A first important highlight is that the provisions of the GDPR don’t solely apply to organizations which are active on European Union soil, but also apply to controllers and processors when their processing activities are targeted on individuals resided in the EU or are if the processing activities are related to the monitoring of their behavior. A second highlight is that when organizations want to process data of data subjects aged sixteen years or less, consent from their parents is required. Member States are allowed to set the age limit lower, with a minimum of thirteen years old. Also, another legal basis for processing for profiling is introduced: the explicitconsent of the data subject.

Another highlight is the introduction of a Data Protection Officer (DPO). A DPO has both an advisory role and a supervisory role. Controllers and processors are obliged to appoint a DPO when:

• The processing is carried out by a public body; or
• When the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
• When the processing concerns special categories of data.

Appointing a DPO could be very helpful for organizations, especially for controllers, even if they are not obliged to do so. Controllers are required to implement appropriate and effective measures and must be able to demonstrate compliance with the provisions of the GDPR (accountability). An example thereof is maintaining records of all of their processing activities. Furthermore, Privacy by Design and Privacy by Default are mandatory when developing new products or services. Controllers are obliged to implement privacy-enhancing measures at the start of the development of products and services that involve processing of personal data and to use by default the most privacy-friendly settings. Additionally, controllers have the obligation to carry out a data protection impact assessment when the processing of personal data is likely to result in a high risk for the rights and freedoms of individuals. A DPO can assist an organization during above mentioned processes.

The GDPR does not only impose extra obligations, it also tries to meet the needs of organizations by introducing the so-called one-stop-shop. The one-stop shop ensures that controllers and processers that are established in several Member States only have to deal and communicate with the data protection authority in the country of its main establishment. This data protection authority will monitor and coordinate the enforcement with all other EU data protection authorities.

The data subject also obtains two new important rights: the right to be forgotten and the right to data portability. The first right contains the possibility for the data subject to request erasure of his personal data. This right is not new, however: the organization to which his request is sent, is not only required to delete the personal data he possesses, but is also obliged – when the personal data are made public – to inform third parties which process the (same) data that the data subject requested deletion of the data. This means that every link to, copy of or reproduction of those personal data should be deleted. This right is mainly relevant for data subjects whom as a child did not fully realize the consequences of giving their consent to process their data. The other right, data portability, means that data subjects have a right to transfer their personal data (received in a structured manner and readable format) from one service to another. A Facebook-user could for example transfer all his data to a different social network.

Last but not least: the national authorities gain a lot of strength under the new Regulation. They can impose fines on controllers and processors who infringe the provisions of the GDPR. The fines can amount – per infringement – a maximum of €20 million or 4% of the annual turnover of the organization. The recently introduced data breach notification in the Netherlands will however not disappear; controllers are obliged to inform the designated authority within 72 hours after the data breach has been discovered.

If you want to prepare your company optimally to comply with the GDPR and to prevent receiving high fines you can contact us. Considerati has many years of experience with privacy, carrying out Privacy Impact Assessments and drafting privacy-compliant policies. Our experienced data protection officers can offer you everything you need to become compliant with the GDPR.