NEW EU DATA PRIVACY LEGISLATION (GDPR)
Subject Matter and Scope
The GDPR defines both “personal data” and “processing” broadly. “Personal data” is any information relating to an identified or identifiable natural person, such as a name, email address, tax ID number or online identifier. “Processing” covers almost any operation performed on personal data, including collecting, recording, storing, transferring and erasing it.
A company that is not established in the Union may still have to comply with the Regulation when processing the personal data of data subjects who are in the Union:
a) If the company offers goods or services (whether or not payment is required) to data subjects in the Union; or,
b) If the company monitors the behaviour of data subjects in the Union, as far as that behaviour takes place within the Union; or,
c) If the company processes personal data of individuals in the Union on behalf of other businesses, i.e. acts as a processor for a controller that is itself subject to the Regulation.
Key principles of the GDPR
Some of the key principles of the GDPR are:
⦁ Accountability and governance: companies are responsible for compliance and must be able to demonstrate it;
⦁ Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject;
⦁ Purpose limitation: the purposes for which data is collected must be specified, explicit and legitimate, and the data must not be further processed in a way incompatible with those purposes;
⦁ Data minimization: only data that is adequate, relevant and limited to what is necessary for the purpose should be collected and processed;
⦁ Security (integrity and confidentiality): personal data must be processed in a way that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage;
⦁ Data protection by design and by default: the GDPR creates a general obligation for companies to integrate data protection into their processing activities from the outset and to apply the most protective settings by default.
Valid bases for data processing
The GDPR provides six legal bases for processing EU personal data. Those most commonly relied on include:
⦁ Consent of the data subject;
⦁ Legitimate interests of the controller or a third party, provided they are not overridden by the interests or fundamental rights and freedoms of the data subject;
⦁ Performance of a contract with the data subject (or steps taken at the data subject’s request before entering into one).
Key requirements for companies (non-exhaustive list)
The GDPR builds on existing legislation and adds new requirements. It distinguishes between organizations that are data controllers (i.e. those that determine how and why data is collected and processed) and data processors (i.e. organizations that carry out processing on the instructions of a controller); a single organization may be a controller for some processing and a processor for other processing. A “Controller” determines the purposes and means of the processing of personal data. Responsibilities of a data controller can include:
⦁ Maintain a record of processing activities;
⦁ Notify personal data breaches to the supervisory authority (and, where the breach is likely to result in a high risk to individuals, to the affected data subjects);
⦁ Conduct a data protection impact assessment prior to processing that is likely to result in a high risk to individuals;
⦁ Designate a data protection officer and/or a representative in the European Union, where required.
A “Processor” processes personal data on behalf of a controller. Processors are directly subject to several of the same obligations as controllers (keeping records of processing, implementing appropriate security measures, designating a data protection officer where required) and have duties of their own: they may process personal data only on the controller’s documented instructions, must be bound to the controller by a written contract, and must notify the controller of any personal data breach without undue delay.
Rights of the Data Subject
The GDPR provides for many rights to data subjects. These rights include:
⦁ Transparency and information: the controller must provide information to the data subject, e.g. who the controller is and how to contact it, who the data protection officer is, why the controller needs the data, the legal basis for the processing, and who is receiving the data;
⦁ Right of Access, Right to Rectification, Right to Erasure (“right to be forgotten”) and Right to Restriction of Processing: on request, the controller must confirm whether it is processing the data subject’s personal data and provide a copy of it, must correct inaccurate personal data without undue delay, and may have to erase personal data and/or restrict its processing;
Liability and Penalties
There are two tiers of maximum fines under the GDPR. The higher tier is up to 4% of an undertaking’s total worldwide annual turnover for the preceding financial year or 20 million euros, whichever is higher. The lower tier is up to 2% of worldwide annual turnover or 10 million euros, whichever is higher. Higher fines apply, for instance, to violations of the basic principles for processing, including the conditions for consent, of data subjects’ rights, and of the provisions on international data transfers. Lower fines apply, among others, to non-compliance with the obligations to notify a personal data breach, to conduct a data protection impact assessment, or to designate a data protection officer.
Resources
Link to the full text of the GDPR: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC
European Commission’s public site on GDPR: https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
For More Information: The U.S. Commercial Service at the U.S. Mission to the European Union is located at Boulevard du Regent 27, Brussels 1000, Belgium, and can be contacted at +32 2 811 4817. See also: www.export.gov/europeanunion.
To the best of our knowledge, the information contained in this report is accurate as of the date published. However, the Department of Commerce does not take responsibility for actions readers may take based on the information contained herein. Readers should always conduct their own due diligence before entering into business ventures or other commercial arrangements. The Department of Commerce can assist companies in these endeavors.
INTERNATIONAL COPYRIGHT, U.S. DEPARTMENT OF COMMERCE, 2011. ALL RIGHTS RESERVED OUTSIDE OF THE UNITED STATES.