The General Data Protection Regulation (GDPR, known in French as the RGPD): what is it?
It is the new European reference text on the protection of personal data. It aims to consolidate and unify data protection for individuals in the European Union. Adopted on 14 April 2016, it becomes applicable on 25 May 2018. In other words, companies that handle personal data must be compliant by 25 May 2018.
Compliance with what? What changes does this text bring?
The main objective of the GDPR is to "give citizens back control of their personal data while simplifying the regulatory environment for companies". To this end, the General Data Protection Regulation contains numerous provisions. Here are the main ones:
Where and to whom does this regulation apply? A better defined framework
In order to harmonise all the rules relating to personal data, the Regulation applies directly in all Member States of the European Union, without national transposition. In other words, no more fragmentation of data protection law from one country to the next.
These rules apply to all organisations established in the EU that process personal data. They also apply to organisations outside the EU that offer goods or services to people in the EU, or that monitor the behaviour of people in the EU (profiling, for example).
Two new rights
The right to be forgotten (or right to erasure) can be invoked on six well-defined grounds. In other words, the data subject can obtain the deletion of the personal data concerning them if their situation falls into one of the categories specified by the Regulation.
The right to data portability: data subjects have the right to receive the personal data they previously provided to a data controller, in a structured, commonly used and machine-readable format, and the right to transmit that data to another data controller.
Information security and sanctions
A new "data protection by design and by default" rule requires that any organisation (company, association, public body) build data protection into its information systems and process only the data needed for each purpose. A data protection impact assessment must also be carried out before any processing that is likely to present a high risk to individuals, for example large-scale processing of sensitive personal data. Its purpose is to anticipate, ahead of time, the impact that a leak of this data could have.
In the event of a personal data breach, the organisation must notify the national supervisory authority, within 72 hours of becoming aware of it where feasible. Where the breach is likely to result in a high risk to the individuals concerned, it must also inform them directly, so that they can take the necessary measures to limit the damage to their data.
The penalties are much heavier: in the event of non-compliance, fines of up to 4% of annual worldwide turnover or 20 million euros, whichever is higher, may be imposed.
A Data Protection Officer (DPO) must be appointed by every body (public or private) whose "core activities require regular and systematic monitoring of data subjects on a large scale". The DPO is responsible for verifying compliance with the Regulation, advising the data controller and acting as the point of contact between the body and the supervisory authority.
A European Data Protection Board is also created; it is the authority for any question of interpretation of the Regulation.
For more information on the General Data Protection Regulation, the full text of the Regulation is available on the www.dg-datenschutz.de website, where companies can also engage an external Data Protection Officer from the "German Association for Data Protection" or contact the association for help with European data protection.