The new European regulation on personal data protection will come into effect on May 25th, 2018. The approval of this text must allow Europe to adapt to the new realities of digital technology.
THE REFORM OF DATA PROTECTION PERSUES THREE GOALS :
- Strengthening the rights of individuals, including the creation of a right to the portability of personal data and specific conditions to
- Making data processing players aware of their responsabilities. (processing supervisors and subcontractors).
- Increasing regulatory awareness through enhanced cooperation between data protection authorities, which may in particular adopt common decisions when data processing will be transnational and penalties increased.
A UNIFIED LEGAL FRAMEWORK FOR THE ENTIRE EU
The adopted text is a European regulation, which means that, unlike a directive, it is directly applicable throughout the Union without the need for transposition in the different Member States. The same text will therefore apply throughout the Union.
The regulation is applicable from May 25th, 2018. Thereafter, processings already implemented on that date will have to be brought into line with the provisions of the Regulation.
AN EXTENDED FIELD OF APPLICATION
? The criterion of targeting ?
The Regulation applies as soon as the processing supervisor or the subcontractor is established in the European Union or as soon as the processing supervisor or the subcontractor implements processings aiming to provide goods and services to European residents or to « target » them.
In practice, European law will therefore apply whenever a European resident is directly targeted by data proces- sing, including via the Internet.
? The responsibility of the subcontractors
For that matter, whereas the current data protection law mainly relates to the « processing supervisors », that is to say the bodies that determine the purposes and methods of processing personal data, the Regulation extends to the subcontractors a large part of the obligations imposed on processing supervisors. All companies are therefore potentially affected.
STRENGTHENING THE RIGHTS OF PEOPLE
The European regulation strengthens the rights of people and facilitates the exercise of these rights.
? Reinforced consent and transparency
The regulation requires the provision of clear, intelligible information that is easily accessible to persons concerned by data processings.
The expression of consent is defined as follows: users must be informed of the use of their data and have to, in principle, agree to the processing of their data, or be able to oppose it. The responsibility of proving the consent falls to the processing supervisor. The materialization of this consent must be unambiguous.
? New rights
The right to portability of data : this new right allows a person to retrieve the data provided in an easily reusable way, and, if necessary, to transfer them to a third party.
Specific conditions for children’s data processing : for the first time, European legislation contains specific provisions for minors under 16 years of age.
Introduction of the principle of collective actions : as in the case of consumer protection legislation, associations active in the field of the protection of rights and freedoms of the individuals regarding data protection will have the possibility to lodge collective pleas with regards protection of personal data.
A right to compensation for material or moral damage : Any person having suffered material or moral damage, as a result of a violation of this regulation in question, has the right to obtain from the processing supervisor or the subcontractor compensation for the damage suffered
New compliance tools to be implemented :
- Keeping a register of the processings implemented,
- Notification of security breaches (to the authorities and persons concerned),
- Certification of processings,
- Adherence to codes of conduct,
- DPO (Data Protection Officer),
- Privacy impact studies (PIAs).
New possible sanctions in case of non-compliance.
? The protection authorities may in particular :
- Issue a warning,
- Put the company on notice,
- Limit temporarily or definitively a processing,
- Suspend data flows,
- Order to satisfy requests for the exercise of the rights of persons,
- Order rectification, limitation or deletion of
As regards administrative fines, they may, depending on the category of the offense, be between € 10 and € 20 million, or in the case of a company, between 2 % and 4 % of the annual worldwide turnover, the highest amount being withheld.
In order to be up to date with your obligations, contact now your public accountant !