As of 25 May 2018, the GDPR will come into effect. This memorandum serves as a brief guide to its main provisions:
Wider geographical scope
The GDPR will also impact controllers or processors established outside of the EU to the extent they target EU data subjects.
New Concepts of Privacy by design and by default
Privacy by design is a concept that promotes privacy and data protection compliance from the outset of any data processing operation. It entails that appropriate technical and organisational measures should be built into the systems of an organisation (business processes, IT applications, etc.) in the early stages of any project, and then throughout its lifecycle. An example of such a measure would be the pseudonymisation of data.
Privacy by default requires organisations to put in place mechanisms to ensure that only personal data that is necessary for each specific purpose is processed and that the strictest privacy settings should apply by default, i.e. without any intervention required from the end user.
One-stop shop mechanism
Subject to a limited derogation, the introduction of the one-stop shop mechanism will allow a controller or processor carrying out cross-border processing to deal with a single lead supervisory authority, namely the authority of the jurisdiction in which it has its main or single establishment.
Designation of Data Protection Officer (DPO)
Certain private and most public sector organisations will be required to appoint a DPO to oversee their data processing operations. A DPO will be required where:
(i) the processing is carried out by a public authority or body,
(ii) the core activities of the controller or processor consist of processing which requires regular and systematic monitoring of data subjects on a large scale,
(iii) the core activities consist of processing special categories of data, or personal data relating to criminal convictions and offences, on a large scale.
Data Protection Impact Assessment
The GDPR introduces the concept of a Data Protection Impact Assessment (DPIA), which is designed to:
- provide a systematic description of the processing operations,
- assess the necessity and proportionality of such operations, and
- help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data.
Carrying out a DPIA is not mandatory for every processing operation. It is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons”.
Enhanced Rights of Data Subjects
The right of data subjects to receive information is enhanced as controllers will be required to provide significantly more information to data subjects about their processing activities.
Right of access requests must be dealt with free of charge, save where a request is manifestly unfounded or excessive, or where further copies of the data are requested, in which case a reasonable fee may be charged.
New rights include the right to data portability (the right to obtain a copy of one's personal data from the controller in a structured, commonly used and machine-readable format and to have it transmitted to another controller), the right to erasure (or 'right to be forgotten'), the right to restriction of processing and the right not to be subject to automated decision-making, including profiling.
Consent
More stringent conditions will apply for obtaining valid consent from data subjects, both from adults and, in particular, from children.
Consent will require a statement or clear affirmative act on the part of the data subject. Silence, pre-ticked boxes and inactivity will not be sufficient.
When the processing has multiple purposes, consent should be given for each one of them.
The GDPR clarifies cases where consent will not be considered to have been freely given (for example where there is a clear imbalance between the data subject and the controller or where it does not allow separate consent to be given to different personal data processing operations).
Data subjects must be informed of their right to withdraw consent and withdrawal of consent must be as easy as provision thereof.
Data Breach Notification
Controllers will have to report personal data breaches to the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of the breach (unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects). Where notification is not made within 72 hours, it must be accompanied by the reasons for the delay. Processors, for their part, must notify the controller without undue delay after becoming aware of a breach.
Affected data subjects must also be notified of a breach without undue delay if such breach is likely to result in a high risk to their rights and freedoms.
Data Transfers to third countries
The GDPR retains the majority of the cross-border data transfer rules of the Directive, but adds some new ones such as certification mechanisms and codes of conduct, as well as a new limited derogation for transfers based on compelling legitimate interests.
In essence, data transfers to third countries may be permitted on the basis of:
- an adequacy decision of the European Commission, or
- appropriate safeguards provided by the controller or processor, by way of, inter alia, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority and approved by the Commission, an approved code of conduct or an approved certification mechanism, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards as regards the data subjects’ rights.
Data transfers on the basis of an adequacy decision or such appropriate safeguards shall not require any specific authorisation.
Irrespective of the above, binding corporate rules and codes of conduct must be approved by the competent authority and certifications must be issued either by the competent authority or by certification bodies accredited by the authority.
Data transfers to third countries on the basis of contractual clauses other than the ones adopted by the European Commission shall require the authorisation of the competent supervisory authority.
In the absence of an adequacy decision or appropriate safeguards, there continue to be a number of derogations permitting cross-border transfers, which are similar to the existing derogations, and include inter alia, explicit consent, contractual necessity, important reasons of public interest and legal claims.
A new derogation is provided in the GDPR for non-repetitive transfers involving a limited number of data subjects where the transfer is necessary for compelling legitimate interests of the controller which are not overridden by the interests or rights of the data subject, and where the controller has assessed all the circumstances surrounding the data transfer and has on this basis provided suitable safeguards. The controller must inform the supervisory authority and the data subjects when relying on this derogation.
Administrative fines
Significantly higher administrative fines shall apply under the GDPR.
Infringements of the following provisions (amongst others) shall be subject to administrative fines of up to 10.000.000 EUR, or in the case of an undertaking, of up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
- the conditions relating to a child's consent,
- the obligations of the controller and processor in relation to the designation, position and tasks of the Data Protection Officer,
- data protection by design and by default.
Infringements of the following provisions (amongst others) shall be subject to administrative fines up to 20.000.000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
- the basic principles for processing, including the conditions for consent,
- the data subjects’ rights,
- the cross-border transfer rules,
- the provision of access for the relevant supervisory authority to the premises of the controller and the processor.
Please feel free to contact our law firm for any assistance in connection with the provisions of the GDPR and on how these shall affect your business, as well as any other data privacy matters.