New Legislation

On 25 May 2018 a new Regulation (EU) 2016/679 of the European Parliament and of the council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46EC (General Data Protection Regulation) (hereinafter – “Regulation”) will come into force. The Regulation provides that personal data means any information relating to an identified or identifiable natural person (“data subject”), e.g. name, surname, address, e-mail, phone number, location, IP address, photos, information about credit cards, etc. 

The General Data Protection Regulation will reform the rules of personal data protection and strengthen the responsibilities of the data processor and data controller.

The main innovations in the new Regulation are the following:

- New rights of the data subject (for example: the right to be forgotten, the right to data portability);

- Stricter requirements for data subject’s consent to process their data (consent must not be ambiguous, an obligation to prove that the subject has understood and agreed with the processing of data, etc.);

- New requirements for processing of child’s personal data;

- The obligation to inform data subjects about breaches of personal data security;

- The obligation to designate a Data Protection Officer;

- There is a new requirement to clearly inform the data subject for what purposes the data provided will be used;

- The Regulation states that responsibility for the processing of personal data will have to be shared both by the data processor and the data controller;

- “One-stop-shop” mechanism (the supervisor has the competence to act as the lead supervisor when the data controller or data processor carries out cross-border processing of data);

- Increased cooperation between supervisory authorities;

- New requirements for the data controller (it is necessary to carry out an assessment of the impact of processing operations on the protection of personal data before the data is processed);

- The new Regulation introduces the representation of data subjects (the data subject will have the right to authorize a non-profit institution, organization, association to act solely on its behalf in relation to the protection of personal data);

- Extension of the territorial scope of the Regulation (the Regulation applies even if the company has only a branch in the EU and the head office is not established in the EU).

The rules of the new Regulation will be directly applicable to all EU Member States, and for the violation of these rules, a fine in the amount of up to EUR 20 million or 4 percent of the company’s annual worldwide turnover (whichever is the higher) may be imposed. Thus, the companies, which are working with data allowing to identify a person should be duly prepared for the entry into force of this Regulation in the spring of 2018. 

The wording of the Regulation can be found here. 

Back to the news list