General Data Protection Regulation - what changes starting today
Today, the new General Data Protection Regulation comes into force replacing the current data protection law.
This Regulation was prepared and debated for four years until it was finally approved by the European Parliament on 14 April 2016. The main purpose of this new regulation is to standardize the Data Privacy laws in Europe and to reshape how European organizations - or those working in the European Union - address the processing of citizens' data.
The General Data Protection Regulation introduces new obligations and requirements for the processing of personal data, requiring changes that are relevant for and impact all types of organizations, both public and private.
If your company handles personal data in any way and has not been preparing for the entry into force of this Regulation, it can face very large fines, set at two levels depending on the seriousness of the infringement:
- In less serious cases, the fine may be up to EUR 10 million or 2% of the annual worldwide turnover, whichever is greater.
- In the most serious cases, the fine may be up to EUR 20 million or 4% of the annual worldwide turnover, whichever is greater.
The Regulation introduces two new basic rights for data subjects:
- Right to Data Portability: The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and the right to transmit that data to another controller without hindrance from the original controller, where the processing is based on consent or is carried out by automated means.
- Right to Be Forgotten: The data subject has the right to obtain from the controller the erasure of his or her personal data without undue delay, and the controller has the obligation to erase the personal data without undue delay, on the grounds set out in Article 17(1).
The rights that already existed under the law in force, such as the data subject's Right of Access, Right to Rectification, Right to Restriction of Processing, Right to Object, and rights relating to automated individual decision-making, remain in place.
Companies must adopt internal and subcontractor procedures to handle personal data breaches and to report them to the National Data Protection Commission (CNPD) within 72 hours of becoming aware of the breach.
The new Regulation also introduces a new role: the Data Protection Officer. Contrary to what was initially thought, this position is not mandatory for all companies, but only for public organizations, for organizations that process personal data on a large scale and in a systematic way (e.g. banks), and for companies that process special categories of personal data on a large scale (e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, among others).
Finally, the GDPR poses some challenges to companies that run e-commerce and/or use email marketing, since it requires obtaining the user's consent before sending any type of communication or processing personal data. To comply with the Regulation, consent must be:
- Separated from the terms and conditions;
- "Opt-in", so that consent boxes are never pre-ticked;
- Granular, so that each different marketing activity receives its own separate consent;
- Named, so that all third parties are specifically mentioned.
Does your company act in accordance with the General Data Protection Regulation that comes into force today? If not, contact Zalox and find out how we can help you.