How the new EU data protection law will impact other countries
Monday, June 18, 2018

The new EU General Data Protection Regulation (GDPR), which entered into application on 25 May 2018 across the EU countries, sets out rules for all companies operating in the EU, wherever they are based.

Unlike the EU Data Protection Directive of 1995 (Directive 95/46/EC), which has been the main legislative instrument regulating the processing of personal data at European level, the new General Data Protection Regulation introduces stronger rules on data protection: people now have more control over their personal data, and businesses benefit from a level playing field.

Fred K. Nkusi 

The new regulation depicts an essential step to strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the digital single market. This law will also do away with the current fragmentation and costly administrative burdens.

However, actual enforcement of the General Data Protection Regulation will take place once a Joint Committee Decision (JCD) incorporating the GDPR completes its course, an exercise expected to end in mid-July 2018.

In addition to the adoption of a JCD incorporating the GDPR into the European Economic Area (EEA) Agreement, the national parliaments of the EU States will have to amend national legislations in accordance with the rules of the GDPR.

The new GDPR replaces the current Data Protection Directive of 1995 (Directive 95/46/EC), becoming a new citizens' charter for the protection of personal data.

Specifically, what does the General Data Protection Regulation govern? It is designed to change how personal data can be collected and used. Even companies based outside the EU must adhere to the new rules if they offer services in the EU. It is a comprehensive law that applies to all EU citizens.

Needless to say, it applies to companies from the USA, China or Africa that deal with EU citizens. Companies, especially internet intermediaries, will no longer be able to use old tricks for collecting and using personal data.

Most importantly, the new law spells out higher standards for obtaining a valid consent prior to using personal data. Consent, in processing personal data, is one of the cardinal principles of data protection.

The GDPR requires consent to be freely given, specific, informed and unambiguous. In addition, consent must be based on a clear affirmative action, and individuals must be able to withdraw it at any time.

Consent is only one of the legal grounds for conducting data processing activities under the GDPR. On this basis, before starting a processing operation, organizations should always determine whether consent constitutes the appropriate legal ground.

Consent is an appropriate legal basis only when data subjects are offered real control over their personal data. In particular, data subjects must be free to accept or decline the terms offered without any detriment (e.g., without incurring any negative consequence).

Besides, a person, technically referred to as the data subject, shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the data subject, any available information as to their source and so forth.

Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards, and these safeguards must be at the level of protection afforded in the EU.

Under the GDPR, a person (data subject) has the right to erasure, commonly known as the right to be forgotten: the right to obtain from the controller (i.e. national data protection agency) the erasure of personal data concerning him or her without undue delay. The controller shall have the obligation to erase personal data without undue delay where one of the grounds set out in the Regulation applies, among them: that the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, and that the personal data have been unlawfully processed.

In the event of non-compliance by companies or individuals, the GDPR imposes stiff administrative fines. If a firm infringes multiple provisions of the GDPR, it shall be fined according to the gravest infringement, rather than being penalized separately for each provision.

The lower tier of fines is up to €10 million, or 2% of annual revenue, and the higher tier is up to €20 million, or 4% of annual revenue.

The writer is a law expert.

The views expressed in this article are the author's own.