As of 25 May 2018, the General Data Protection Regulation (GDPR) will apply in the EU. The GDPR is horizontal privacy legislation that applies across sectors and to companies of all sizes. It replaces the previous data protection Directive 1995/46, while the overall objectives of the legislation remain the same. Fines for non-compliance can reach up to 4% of annual worldwide revenue or 20 million euros, whichever is higher. Although the GDPR applies only as of 25 May 2018, we urge companies of all sizes and sectors to start the compliance process as soon as possible with the assistance of legal counsel. Note: this report does not provide an exhaustive presentation of the GDPR. Please refer to other available resources.
Last Published: 11/15/2017

Subject Matter and Scope

The GDPR uses broad definitions for both personal data and processing. “Personal data” is any personally identifiable information, such as a birthdate, email address or tax ID number. “Processing” includes actions such as collecting, recording, storing, using and transferring.

A company that is not established in the Union may still have to comply with the Regulation when processing personal data of European citizens:
a)    if the company offers goods or services to data subjects in the EU; or
b)    if the company monitors the behavior of data subjects in the EU; or
c)    if the company has employees in the EU.


Key principles of the GDPR

Some of the key principles of the GDPR are:
⦁    Accountability and governance: companies must be able to demonstrate their compliance;
⦁    Transparency: personal data must be processed lawfully, fairly and transparently;
⦁    Purpose limitation: the purpose for which data is collected must be specified, explicit and legitimate;
⦁    Data minimization: only relevant data should be collected and processed;
⦁    Security: personal data must be processed in a way that ensures its appropriate security;
⦁    Privacy by design and privacy by default: the GDPR creates a general obligation for companies to demonstrate that they integrate data protection into their processing activities.
 

Valid basis for data processing

The GDPR provides six legal bases for processing EU personal data. These include:
⦁    Consent of the data subject;
⦁    Legitimate interest;
⦁    Contractual obligation.


Key requirements for companies (non-exhaustive list) 

The GDPR builds on existing legislation and adds new requirements. It distinguishes between organizations that are data controllers (the organization that defines how data is collected, processed, etc.) and data processors (the organization that executes the instructions of the data controller); an organization may be both.

A “Controller” determines the purpose(s) and means of the processing of personal data. Responsibilities of a data controller can include:
⦁    Maintain a record of processing activities;
⦁    Notify personal data breaches;
⦁    Conduct a data protection impact assessment prior to processing;
⦁    Designate a data protection officer or a representative in the European Union.

A “Processor” processes personal data on behalf of a controller. Processors are subject to requirements similar to those of controllers, and they also have additional responsibilities of their own.
 

Rights of the Data Subject

The GDPR provides many rights to data subjects. These rights include:
⦁    Transparency and information: the controller must inform the data subject of who the controller is and how to contact it, who the data protection officer is, why the controller needs the information and who is receiving it;
⦁    Right of access, right to rectification, right to erasure (“right to be forgotten”) and right to restriction of processing: the controller must act immediately to correct inaccurate personal data when the data subject makes a complaint. The controller may also have to erase personal data and/or restrict its processing.
 

Liability and Penalties

There are two tiers of maximum fines under the GDPR. The higher threshold is 4% of an undertaking’s worldwide annual turnover or 20 million euros, whichever is higher. The lower threshold is 2% of an undertaking’s worldwide annual turnover or 10 million euros, whichever is higher. Higher fines apply, for instance, to violations of the basic principles for processing data (including consent) and of the data transfer provisions. Lower fines apply, among others, to failures to notify a personal data breach or to designate a data protection officer.
 

Resources

Link to the full text of the GDPR: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC
European Commission’s public site on the GDPR: http://ec.europa.eu/justice/newsroom/data-protection/infographic/2017/index_en.htm

For More Information: The U.S. Commercial Service at the U.S. Mission to the European Union is located at Boulevard du Regent 27, Brussels 1000, Belgium, and can be contacted at +32 2 811 4817. See also: www.export.gov/europeanunion. To the best of our knowledge, the information contained in this report is accurate as of the date published. However, the Department of Commerce does not take responsibility for actions readers may take based on the information contained herein. Readers should always conduct their own due diligence before entering into business ventures or other commercial arrangements. The Department of Commerce can assist companies in these endeavors. INTERNATIONAL COPYRIGHT, U.S. DEPARTMENT OF COMMERCE, 2011. ALL RIGHTS RESERVED OUTSIDE OF THE UNITED STATES.


