The GDPR
Inconsistent compliance requirements between Member States, differing standards of interpretation and enforcement, and the exponential impact of new technologies on the management of personal data since the mid-90s are the main factors that led to the need for a new data protection regime in the EU.
The General Data Protection Regulation (EU) 2016/679 of 24 May 2016 (the “GDPR”) is a technology-neutral regulation that enters into force in all Member States without the need for national transposition, and will therefore harmonise data protection across the EU.
Companies will now have consistent data protection compliance requirements across the EU.
The GDPR also gives national data protection authorities greater powers of enforcement, with harsh fines for regulatory infringement and increased litigation risk arising from aggrieved data subjects.
The GDPR is applicable as of 25 May 2018.
Key changes
Increased Territorial Scope
The GDPR has extra-territorial applicability and applies to all companies processing personal data of data subjects residing in the EU, regardless of a company’s location.
A controller or processor not established in the EU is caught by the GDPR where its processing activities:
► relate to offering goods or services to data subjects in the EU (irrespective of whether payment is required) or
► are related to the monitoring of their behaviour (to the extent such behaviour takes place within the EU).
In such a case, the controller or processor must designate in writing a representative in the EU.
Penalties
The GDPR takes a tiered approach to fines. Organizations in breach of the GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
Consent
Consent must be as easy to withdraw as it is to give.
Conditions for processing based on consent of data subjects have been strengthened, transparency is increased and ‘assumed consent’ models are redundant under the GDPR.
Requests for consent must be given in an “intelligible and easily accessible form, using clear and plain language”, with the precise purpose for the intended data processing attached to that consent.
The GDPR expressly states that when assessing whether consent is freely given, account will be taken of whether the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is unnecessary for the performance of that contract.
Breach notification
Under the GDPR, notification of personal data breaches by the controller to supervisory authorities is mandatory where the data breach is likely to “result in a risk for the rights and freedoms of individuals”.
Notification must be made within 72 hours of the controller becoming aware of the breach.
Controllers must also notify data subjects “without undue delay” on becoming aware of a data breach.
Right to access
The GDPR gives data subjects the right to obtain confirmation from a data controller of whether or not his/her personal data is being processed and, if it is, where it is processed and for what purpose.
Right to be forgotten
The right to be forgotten entitles the data subject to obtain from the data controller the erasure of his/her personal data.
The grounds on which this right can be invoked include where the purpose for which the data was collected is no longer applicable and where the data subject withdraws their consent to processing.