EU General Data Protection Regulation - Brief Summary

The European General Data Protection Regulation was ratified in 2016 and came into force on May 25th, 2018. It consists of two instruments:

1. the General Data Protection Regulation (GDPR), which regulates the processing of personal data relating to individuals in the EU, performed by an individual, a company or an organization;

2. the Data Protection Directive (EU) 2016/680, which protects natural persons in matter of personal data processing in criminal justice sectors.

This document is aimed at summarizing the key components of this regulation, which is intended to establish one single set of rules across the EU.

Entities outside the European Union are subject to the EU jurisdiction just by collecting data concerning an EU resident.

1. Personal Data

According to the GDPR and the above-mentioned Directive, the term “personal data” means any information relating to a person who can be directly or indirectly (e.g. through localization, physical, cultural or economic data, or even through IP addresses or cookies) identified.

There is no distinction between personal data concerning individuals in their private, public or work roles.

2. Controllers and Processors

The Regulation separates responsibilities and duties of data controllers and processors, obligating controllers to engage only those processors that are able to provide “sufficient guarantees to implement appropriate technical and organizational measures” aimed at protecting data subjects’ rights and freedoms.

These measures-which are partly expressly suggested (e.g. pseudonymization and/or encryption of data, regular testing, assessment and evaluation of the effectiveness of measures etc.) – should always take into account “the state of the art and the costs of implementation”, as well as “the nature, scope, context and purposes of the processing”. The controller-processor relationship must be documented and managed with a specific contract (art.28). Controllers must assure themselves of processors’ privacy capabilities.

3. Sanctions and Enforcement

Organizations that do not comply with new Regulation, will be punished with heavy penalties up to:

- 10 million or 2% of the global gross revenue, in case of violations concerning record-keeping, security, obligations to notify and privacy impact assessment obligations;

- 20 million or 4% of the global gross revenue, in case of violations concerning the legal justification for processing (including consent), data subject rights and cross-border data transfers.

Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation.

4. Data Protection Officers (DPO)

Under art.37 of the GDPR, the data controller and the data processor must appoint a Data Protection Officer (DPO) where:

(1) the processing is carried out by a public authority (except for Courts acting in their judicial capacity);

(2) the core activities of the controller or the processor involve the “regular and systematic monitoring of data subjects on a large scale”;

(3) the controller or the processor conduct large-scale processing of “special categories of personal data” (e.g. ethnic origin, political opinions, religious or philosophical beliefs etc.).

A company with multiple subsidiaries (a “group of undertakings”) may appoint a single DPO, provided that a data protection officer is “easily accessible from each establishment”. The DPO is required to have “expert knowledge of data protection law and practices”, considering also the type of data processing operations carried out and the level of protection required. The GDPR also allows the DPO functions to be performed by either an employee of the controller or the processor (as long as it does not create conflicts of interest) or by a third party service provider.

According to art.39 of the GDPR, the DPO shall have at least the following tasks:

(1) inform and advise the controller or the processor and the employees of their obligations to comply with the GDPR and other data protection laws;

(2) monitor the compliance with the Regulation, including managing internal data protection activities, training data processing staff and conducting internal audits;

(3) provide advice with regard to data protection impact assessment and monitor its performance;

(4) cooperate with the supervisory authority;

(5) act as a contact point for the supervisory authority.

The DPO shall also be available for inquiries from data subjects on issues relating their personal data.

Of course, in order to fulfil the above-mentioned tasks, the DPO must have complete access to the company’s data processing personnel and operations.

5. Privacy Management

The Regulation mandates a “risk-based approach”: appropriate measures must be developed according to the degree of risk associated with the processing activities from the earliest stages. Where appropriate, privacy impact assessments shall be made, with a particular focus on the protection of data subjects’ rights.

Moreover, according to art.30 of the GDPR, each controller shall maintain a written or electronic record of processing activities. The record of processing activities is not mandatory for small businesses (less than 250 persons), unless the processing they carry out is likely to result in a risk to the rights and freedoms of the data subjects, is not occasional, includes special categories of data or includes personal data relating to criminal convictions and offences.

6. Consent

Along with legitimate interests, necessary execution of a contract and others, consent is a basis for legal processing. According to the Regulation, “consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of his/her personal data.

Consent should always be demonstrable and collected for specified, explicit and legitimate purposes. Data subjects should always have the possibility to withdraw consent.

According to art.22 of the GDPR, data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effect concerning them, or otherwise significantly affects them.

Automated processing is legal only when:

(1) data subjects have explicitly consented to it;

(2) profiling is necessary under a contract between the data subject and the controller;

(3) profiling is authorized by EU or domestic law.

Cookies and other similar tracking technologies, when used for non-essential processes (like profiling and advertising), require prior consent.

7. Direct marketing

The Regulation recognizes that the processing of data for “direct marketing purposes” can be considered as a legitimate interest, i.e. one of the grounds (like consent) for legal processing.

Even if the concept of “direct marketing” has not been clearly defined, it seems that-for example simple mailing to existing customers and prospects is completely legitimate without direct consent, even if “profiling” for marketing purposes cannot certainly fall within this meaning (consent is mandatory).

8. Information to be provided and rights

The Regulation (art.13) precisely defines the information that the controller shall provide the data subject at the time when data are collected:

(1) the identity and the contact details of the controller and the DPO (where applicable);

(2) the purposes of the processing for which the personal data are intended, as well as the legal basis of the processing;

(3) the legitimate interests pursued by the controller or by the third-party (where applicable);

(4) the recipients or categories of recipients of the personal data (if any);

(5) if the controller intends to transfer personal data to a third-country or international organization;

(6) the data retention period (When the data retention period expires, data must be erased. Similarly, if the data subject later withdraw consent, data must be destroyed. If not possible, the criteria used to determine it);

(7) the existence of:

−the right of access (art.15). Exercising the right of access, the data subject receives more information on how his/her personal data are processed. Data subjects’ access requests must be executed without undue delay and at the latest within one month of receipt of the request:

−the right to rectification of inaccurate personal data (art.16);

−the right to erasure (or “right to be forgotten”) without undue delay (art.17);

−the right to restriction of processing (art.18);

−the right to data portability (art.20). The data subject shall have the right to receive his/her personal data in a structured, commonly used and machine-readable format, as well as the right to transmit those data to another controller (or ask the first controller to directly do that) without hindrance from the controller to which the personal data have been provided, where the processing is based on consent and is carried out by automated means. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

− the right to object to processing of personal data (art.21) and to withdraw consent at any time;

− the right to lodge a complaint to a supervisory authority.

In the event that data are obtained through third-parties, it is also necessary to indicate the Procedures involved, as well as the purposes of data processing and the consequences for the data subject.

The aforementioned obligations do not apply when the effort would be disproportionate and when the information has already been provided to the data subject.

9. Breach and notification

According to the Regulation, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. It’s important to note that the willful destruction or alteration of data is as much a breach as theft.

In case of a personal data breach, data controllers must notify the appropriate supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it” (art.33).

If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay.

Notice is not required if “the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals”.

If the controller considers the personal data breach likely to result in a high risk to the rights and freedoms of individuals, it must also notify-without undue delay-the affected data subjects (art.34).

The communication to the data subjects shall not be required in the following circumstances:

(1) the controller has “implemented appropriate technical and organizational protection measures” that “render the data unintelligible to any person who is not authorized to access it, such as encryption”;

(2) the controller has taken subsequent measures which “ensure that the high risk for the rights and freedoms of data subjects” is unlikely to materialize;

(3) the communication would involve disproportionate effort. In this case, alternative communication measures may be used.

Article source: BLB Studio Legale