New requirements under the New General Data Protection Regulation
The new Regulation 2016/679 on data protection shall be in force from 25 May 2018 and shall apply directly in all Member States of the European Union. The General Data Protection Regulation (GDPR) is legislation that will update and unify data privacy laws across the European Union. The Member States of the European Union shall also observe Directive 2016/680.
The Regulation establishes a variety of principles which should be fulfilled by the processors of personal data: lawfulness, integrity and confidentiality, fairness, purpose limitation, data minimisation, accuracy, etc.
The new Regulation extends the territorial scope of European data protection rules and shall also apply to administrators who are not established in the EU but process personal data of citizens who are in the EU.
The GDPR requires that individuals give explicit consent to the processing of their data. According to the GDPR, the consent of the individual, the subject of data protection, must be given freely and explicitly. The consent need not be in writing, but in case of dispute the processor should prove that the individual has really given his/her consent.
The Regulation introduces the figure of “joint administrators”: two or more administrators may jointly define the purposes and means of processing personal data. The joint administrators are required to define their responsibilities for the fulfilment of their obligations.
The GDPR requires special protection for special category subjects. The major part of the provisions relates to the protection of children's data. The consent of the parents is required for processing the data of children under the age of 16.
According to the Regulation, any individual has the right to obtain confirmation whether his/her personal data are being processed, to access the data, to be provided with supplemental information about the processing, etc.
The Regulation gives the individual the right to object to processing for direct marketing purposes and to processing for scientific/historical research/statistical purposes.
The Regulation provides for “the right to be forgotten”: individuals have the right to have their data ‘erased’ in specific situations under the GDPR. The right can be exercised against controllers, who must respond without undue delay. (Useful information in this respect is contained in the case “Google Spain SL, Google Inc.” against Agencia Española de Protección de Datos (AEPD), Mario Costeja González.)
The Regulation also provides for the “right to restrict the processing”.
According to the Regulation, controllers and processors are free to appoint a Data Protection Officer under the conditions specified in the Regulation.
The Regulation provides that organisations are obliged to keep a record of their processing activities. Data processors are also required to maintain such a record.
The Regulation establishes a single set of rules and the “one-stop shop” principle, so that the controller is in contact only with the supervisory authority in the state where its head establishment is.
In case of a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”, the Regulation provides for the obligation for data processors to notify data controllers and the obligation for data controllers to notify the supervisory authority.
According to the Regulation, a data protection authority can impose a fine on a registrar, the amount rising to a maximum of 10 million or 20 million euros depending on the deed in need of sanctioning. In addition, the fine can be imposed according to the company's total turnover.
In view of the above, all companies and persons who process personal data should observe all the requirements of the GDPR, sign additional annexes or additional contractual clauses in this respect, and take all necessary technical measures in order to ensure the best protection of the personal data.
All rights reserved for “Valova & Angelova Law firm”