New EU Data Protection Regulation has been approved

On 14 April 2016 the European Parliament approved the new General Data Protection Regulation.

It replaces the current data protection directive, i.e. Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data and makes an uniform level of data protection throughout the European Union, being directly applicable in all of member states.

The Regulation will enter into force 20 (twenty) days after its publication in the EU Official Gazette.

The new rules of the Regulation will become applicable 2 (two) years thereafter.

New rules under the Regulation
The main amendment brought to the specific legal framework governing personal data processing through the Decision is the change in the legal regime regarding the notification of the Authority.

According to the Decision, the notification to the Authority regarding personal data processing will become an exception, being applicable only in the cases expressly stated by law and mentioned below, while the general rule would be that personal data processing is allowed without any other prior notification.

This new legal regime does not exempt the data controller from its other obligations based on Law no. 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data, especially obligations to protect the rights of the persons in cause, the confidentiality and security of data.

Notification of data processing cases to the Authority
The new rules will give individuals greater control over their personal data and include, among others:

1. The right to be forgotten
Data subjects have the right to require a data controller to delete data files relating to them if there are no legitimate grounds for retaining it.

2. Clear consent to the processing of personal data
Consent should be understood as a clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the data subjects agreement to the processing of personal data.

3. A right to transfer the data to another service provider
Businesses must ensure data subjects can easily transfer their data files from one service provider to another.

4. The right to be notified with respect to data breaches
Business will be required to notify the local data protection authority, and the data subjects, of significant data breaches.

5. Clear and understandable language of privacy policies
Businesses will need to adapt their privacy policies and other information support notices in order to include much more detailed information.

6. Appointment of a data protection officer
Businesses will need to appoint a data protection officer in certain cases, such as of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of the data subjects on a large scale.

New sanctions
To ensure proper enforcement of the Regulation, sanctions for non-compliance are significantly increased.

The Regulation distinguishes between 2 (two) types of sanctions: – Infringements of data protection obligations: EUR 10 million or up to 2% of total annual worldwide turnover – Infringements of basic processing principles (proportionality, legitimacy, consent etc.); data subject rights (access, right to be forgotten etc.); international data transfers; or noncompliance with a data protection authority order: EUR 20 million or up to 4% of total annual worldwide turnover Next steps In preparation of various businesses to ensure compliance with the Regulation by adopting and implementing a clear strategy in terms of processing personal data, we suggest to undertake a privacy quick scan in order to check the compliance degree of the manner in which personal data are processed.

The privacy quick scan will assess:
– where personal data is processed in your business;
– where your business currently stands on privacy compliance in general;
– where and what your privacy risks are; and
– which steps you should take in the near future, and when, why and how to take them, to improve your privacy compliance level.

Andrei Burz-Pînzaru

Maria-Silvia Axinescu
Managing Associate REFF & ASOCIAȚII

Related posts