The General Data Protection Regulation (EU) 2016/679, published in the Official Journal of the European Union on 4 May 2016, has been adopted, and its provisions will apply from May 25, 2018.
According to the National Supervisory Authority for Personal Data Processing, the novelties brought by the new Regulation are:
For data subjects: new rights are guaranteed:
• The right to be forgotten - data may have to be deleted if they are processed illegally, without consent, or if they are no longer necessary for the purpose for which they were initially processed;
• The right to data portability - there is more freedom of choice. You may choose to transmit data to another operator;
• Specific provisions regarding minors - clear and simple rules that the young person / child can understand, and the consent of a parent / guardian where necessary;
• Proximity to the data subject - the supervisory authority in the Member State of the person concerned acts as the point of contact when the operator complained about is established in another State.
• Enhanced co-operation between supervisors - In the case of transnational data processing (processing involving people from several EU Member States), the Regulation provides that the competent supervisory authority in your state cooperates with the authorities of the other countries concerned to ensure that the data are processed in accordance with the rules and principles it establishes.
For Data Operators:
• One stop shop - for data controllers operating in several EU Member States, the competent supervisory authority is the one in the Member State in which the operator has established its principal place of business.
• Data Operator Accountability - The focus is on transparency towards the data subject and on the responsibility of the data controller for the way the data is processed.
• Impact Study - In the case of data processing involving a high risk to the privacy of individuals, the operator must conduct a Private Life Impact Study. The outcome of such a study will allow it to identify specific risks and adopt measures to prevent them from occurring.
• Data transfers outside the EU - For data transfers outside the Union, the Regulation introduces new tools, in addition to those already established: BCR, standard contract clauses and European Commission Decisions on an adequate level of protection.
Privacy by design & Privacy by default - two new essential principles for data operators:
• Privacy by design - Application developers (who will also process personal data) must ensure, from the development stage, that their application complies with the rules and principles set out in the Regulation;
• Privacy by default - application providers processing personal data must ensure that the initial settings allow users to maintain control of their privacy / what they post or share with other users.
DPO - data protection officer - the appointment of a DPO at the level of the data controller is one of the measures by which data operators are to be made accountable. The DPO provides the operator with the necessary advice in order to comply with all its obligations and to ensure the necessary transparency towards the data subjects.
Severe sanctions - up to 10-20 million euros or between 2% and 4% of international turnover.