Tag: GDPR

About 28,000 data protection officers are requiered to be appointed under the GDPR

20. April 2016

Article 37 of the GDPR states that data controllers and processors of personal information are required to appoint a data protection officer in cace:

(a)  The processing is carried out by a public authority or body (except courts); or

(b)  The controller’s or processor’s “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data.”

A data protection officer is able to be appointed by a group, public authorities or individual legal entity. Article 39 of the GDPR requires that a data protection officer is “designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”. Compliance, trainings on how to process data according to the law and the communication with the national authorities are part of the task area of a data protection officer.

Therefore, due to the GDPR organizations worldwide have to prepare for a number of new requirements in terms of data collection and processing. One particular requirement is that certain organizations will now have to appoint a data protection officer according to Arcticle 37 of the GDPR, as mentioned above. Research indicates the number of data protection officers required to be appointed under the GDPR will be about 28,000. This is an estimate based on official statistics regarding both public and private sector data controllers in the EU and taking further assumptions into account such assuming that US companies obliged to comply with the GDPR would also require a data protection officer, and of those companies who self-certified under Safe Harbor are likely included in that number.

Parliament finally approves of GDPR

15. April 2016

The European Union will have a new data protection regulation. After four years of ups and downs, the European Parliament came to an agreement on thursday in a plenary vote of support for the GDPR and the companion Data Protection Directive for policing and the judiciary.

The German MEP Jan Philipp Albrecht commented that “the General Data Protection Regulation makes a high, uniform level of data protection throughout the EU a reality,” and added that, “the regulation will also create clarity for businesses by establishing a single law across the EU. The new law creates confidence, legal certainty, and fairer competition.”

In order to give businesses and organizations time to adjust their compliance and data protection issues, the new GDPR will officially become effective in two years. The GDPR includes provisions such as the impositions of a clear and affirmative consent for processing personal data and a clear privacy notice. Further, there will be obligations concerning the breach of notification and the implementation of potential fines up to 4 percent of a company’s global annual turnover.

European Commission First Vice-President Frans Timmermans, Vice-President of the Digital Single Market Andrus Ansip, and Commissioner for Justice, Consumers and Gender Equality Vera Jourova welcomed the new regulation as it will “help stimulate the Digital Single Market in the EU by fostering trust in online services by consumers and legal certainty for businesses based on clear and uniform rules.” They went on commenting the Data Protection Directive for police and the judiciary, saying that it “ensures a high level of data protection while improving cooperation in the fight against terrorism and other serious crime across Europe.”

Therefore, in order to build public awareness of the reforms “the EU will launch public awareness-raising campaigns about the new data protection rules” Albrecht and Jourova, along with MEP Marju Lauristin commented and added that “the European Commission will work closely with member states, the national data protection authorities, and stakeholders to ensure the rules will be applied uniformly across the EU.”

European Council accelerates the process for adopting the GDPR

7. April 2016

The Council of the European Union announced that the process for adopting the GDPR will be accelerated. This is due to the the fact that the General Secretariat of the Council sent a Note requesting the Permanent Representatives Committee to use the so called “written procedure” in order to adopt the Council’s position. Initially a vote on the Council’s position was planned on 21st April 2016, when the next Justice and Home Affairs Council takes place. However, the Council has decided to accelerate the process for adoption by using the “written procedure”. Proceding this way is an exemption as it does not include public deliberation.

The mentioned Note states that the “need to send the Council’s position at first reading to the European Parliament during its April I plenary, will only be possible to adopt the Council’s position at first reading within this very short deadline via the written procedure, which would be launched on Thursday 7th April 2016 and would end on Friday 8th April 2016, at midday. Delegations’ attention is drawn to the exceptionally short duration of this written procedure.”

When looking on the next steps it is to say that once the Council’s position is adopted,  it will then be sent to the European Parliament. The European Parliament will go on by acknowledging the receipt during the next plenary session taking place on 11-13 April 2016. Afterwards, the Parliament’s Civil Liberties Committee will vote on a recommendation to Parliament regarding the Council’s position. These recommendation will then be used as a foundation for the Parliament’s adoption of the GDPR in one of the following plenary meetings.

Ten relevant practical consequences of the upcoming General Data Protection Regulation

22. January 2016

After several negotiations, the European Parliament, the European Council and the European Commission finally reached a consensus in December 2015 on the final version of the General Data Protection Regulation (GDPR), which is expected to be approved by the European Parliament in April 2016. The consolidated text of the GDPR involves the following practical consequences:

1) Age of data subject´s consent: although a specific, freely-given, informed and unambiguous consent was also required according to the Data Protection Directive (95/46 EC), the GDPR determines that the minimum age for providing a legal consent for the processing of personal data is 16 years. Nevertheless, each EU Member State can determine a different age to provide consent for the processing of personal data, which should not be below 13 years (Arts. 7 and 8 GDPR).

2) Appointment of a Data Protection Officer (DPO): the appointment of a DPO will be mandatory for public authorities and for data controllers whose main activity involves a regular monitoring of data subjects on a large scale or the processing of sensitive personal data (religion, health matters, origin, race, etc.). The DPO should have expert knowledge in data protection in order to ensure compliance, to be able to give advice and to cooperate with the DPA. In a group of subsidiaries, it will be possible to appoint a single DPO, if he/she is accessible from each establishment (Art. 35 ff. GDPR).

3) Cross-border data transfers: personal data transfers outside the EU may only take place if a Commission decision is in place, if the third country ensures an adequate level of protection and guarantees regarding the protection of personal data (for example by signing Standard Contractual Clauses) or if binding corporate rules have been approved by the respective Data Protection Authority (Art. 41 ff. GDPR).

4) Data security: the data controller should recognize any existing risks regarding the processing of personal data and implement adequate technical and organizational security measures accordingly (Art. 23 GDPR). The GDPR imposes strict standards related to data security and the responsibility of both data controller and data processor. Security measures should be implemented according to the state of the art and the costs involved (Art. 30 GDPR). Some examples of security measures are pseudonymization and encryption, confidentiality, data access and data availability, data integrity, etc.

5) Notification of personal data breaches: data breaches are defined and regulated for the first time in the GDPR (Arts. 31 and 32). If a data breach occurs, data controllers are obliged notify the breach to the corresponding Data Protection Authority within 72 hours after having become aware of it. In some cases, an additional notification to the affected data subjects may be mandatory, for example if sensitive data is involved.

6) One-stop-shop: if a company has several establishments across the EU, the competent Data Protection Authority, will be the one where the controller or processor’s main establishment is located. If an issue affects only to a certain establishment, the competent DPA, is the one where this establishment is located.

7) Risk-based approach: several compliance obligations are only applicable to data processing activities that involve a risk for data subjects.

8) The role of the Data Protection Authorities (DPA): the role of the DPA will be enforced. They will be empowered to impose fines for incompliances. Also, the cooperation between the DPA of the different Member States will be reinforced.

9) Right to be forgotten: after the sentence of the ECJ from May 2014, the right to be forgotten has been consolidated in Art. 17 of the GDPR. The data subject has the right to request from the data controller the erasure of his/her personal data if certain requirements are fulfilled.

10) Data Protection Impact Assesment (PIA): this assessment should be conducted by the organization with support of the DPO. Such an assessment should belong to every organization’s strategy. A PIA should be carried out before starting any data processing operations (Art. 33 GDPR).

 

Pages: Prev 1 2 3
1 2 3