New regulation for the protection of personal data

Therefore, considering the forthcoming entry into force of the European Union’s General Data Protection Regulation, we thought of a new section for our blog focused on legal and privacy matters. In the new Legal & Privacy section, you’ll find contributions and insights from our experts to keep you informed on the important issue of privacy protection and legal issues involved in email marketing.

With this first blog post, we dive into the new General Data Protection Regulation.

After a four-year discussion, the reform of the legislation on handling personal data by companies operating in the EU is now complete.

On the 25th January, 2016, the European Commission submitted a legislative package – consisting of a proposed Regulation and proposed Directive on the processing of personal data – to update the current legislation, which dates back to 1995 (Directive 95/46/EC).

Why a reform? The great impact of the Internet and technological advances on the economy and social relations has prompted the European Commission to make the protection of personal data one of the priorities of its Digital Agenda. Hence the decision to introduce a general regulation on data protection to replace individual national regulations without the need for transposition laws.

The Regulation allows the following three fundamental goals to be achieved:

1. updating the principles contained in the 1995 Data Protection Directive and introducing a single regulatory text which is directly applicable in all 28 member states of the European Union;
2. establishing the rights of individuals and the obligations of data processors and data controllers;
3. establishing methods to ensure compliance with regulations, and the scope of the sanctions imposed on those who infringe them.

After long discussions lasting over three years, at a special meeting held on the 17th of December 2015, the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament expressed its position on the texts agreed following the talks between the Council, the European Parliament and the Commission. On December 18, the Committee of Permanent Representatives (COREPER) approved the final text of the regulation, which is now only pending several formalities before it is published in the Official Journal of the European Union.

The draft regulation addresses several key issues and changes the current legislation in relation to numerous substantial elements. Here is a summary of the main points:

The regulation lists the rights of concerned parties, i.e. natural persons whose personal data is processed. These reinforced rights give individuals more control over their personal data through:

• the need for clear consent to the processing of personal data;
• easier access for concerned parties to their personal data;
• the right to rectify, delete and have data “destroyed”;
• the right to object to the use of personal data, including for the purpose of “profiling”;
• the right to transfer the data from one service provider to another.

The regulation also establishes the requirement for data controllers to provide concerned parties with transparent and easily accessible information on the handling of their data.

The new regulation specifies the general obligations of the personal data owners and those who process them on their behalf (data processors). These include the obligation to implement appropriate security measures based on the risk associated with the data processing (risk-based approach). Data owners are also required, in certain cases, to disclose personal data breaches (data breach notification). Moreover, all public authorities and companies that perform risky data processing must appoint an additional executive that will be in charge of data protection, known as the Data Privacy Officer.

The regulation confirms the current requirement for EU Member States to establish a national independent supervisory authority; it also aims to establish mechanisms to ensure consistency in the application of data protection across the EU. In particular, a single decision will be adopted for important cross-border cases involving several national supervisory authorities. According to this principle (known as the “one stop shop” principle), a company with subsidiaries in several Member States must only interact with the data protection authority in the Member State where its main site is located.

The draft agreement also includes the establishment of a European Data Protection Committee, made up of representatives from all 28 independent supervisory authorities.

Concerned parties have the right to make a complaint to the supervisory authority, as well as the right to a judicial review, compensation and liability. Concerned parties shall also have the right to seek a review by a national court in regard to the decisions taken by the respective authorities for data protection. The above shall apply regardless of the Member State where the data controller is based.

Data controllers or data processors who breach the rules on data protection are subject to very heavy sanctions; up to EUR 20 million or 4% of their overall annual turnover, which will be imposed by the national data protection authorities.

The proposal also provides for the transfer of personal data to third countries and international organisations. In this case, the Commission will assess the level of protection provided by a processing sector or region in third countries. In the absence of an appropriate decision by the Commission, the transfer of personal data may still take place in particular cases or where there are appropriate safeguards, such as data protection clauses, binding corporate rules or contractual clauses.

The text will be submitted for the adoption of a political agreement at a forthcoming meeting of the Council. Following the adoption of the Council’s position at the first reading, it will be submitted to the Parliament for approval.

The regulation is expected to come into force in the Spring of 2016 and to become applicable in the Spring of 2018.

In the next blog post, we will go into more detail on the new elements introduced by the regulation, focusing on the ten points you need to know to avoid possible sanctions. Queries or concerns? Leave a comment below.