GENERAL DATA PROTECTION REGULATION
(GDPR – Reg 679/2016)
The General Data Protection Regulation (GDPR), which comes into force on May 25, 2018, is a sweeping reform of data protection for persons in the European Union.
The impact of the GDPR is not limited to a particular field; on the contrary, its effects will be felt in virtually all industries and in both the public and private sectors, including non-profit organizations.
Furthermore, from this date the new rules will also apply to data already collected, which means that the way these data were collected and processed must be reviewed in the light of the changes made by the GDPR.
The GDPR also introduces additional obligations and responsibilities for data controllers as well as increased rights for data subjects. Moreover, the sanctions provided by the GDPR are extremely high (the minimum fine is 10,000 euros, and fines can reach up to 10-20 million euros or between 2% and 4% of international turnover for private companies).
WHO DOES IT APPLY TO
Not quite everyone, but almost. Article 2 of the GDPR states:
“1. This Regulation shall apply to the processing of personal data wholly or partly by automated means and to the processing by non-automated means of personal data which are part of a data recording system or which are intended to be part of a data recording system.”
There are some exceptions:
- The provisions of the Regulation do not apply to processing undertaken for the purpose of the prevention, investigation and prosecution of offenders or the execution of criminal sanctions. For these cases, the provisions of Directive (EU) 2016/680 apply;
- The provisions of the Regulation do not apply to activities outside the scope of EU law. The GDPR does, however, apply to the processing of personal data by an operator not established in the EU which offers goods and services to EU citizens, i.e. whose effects occur in the EU;
- The Regulation does not apply to data processing performed by a natural person in the course of an exclusively personal activity.
WHAT ARE PERSONAL DATA
Any information about an identified or identifiable individual, in particular by reference to an identifier such as:
- identification number (ID number);
- location data;
- email addresses (personal, or work addresses whose structure contains the person's first name and surname, e.g. firstname.lastname@example.org/com);
- telephone number (personal or work);
- online identifiers (IPs);
- physical, physiological (photos, video), genetic or mental characteristics, and biometric elements (fingerprint, facial image);
- registration plates of motor vehicles;
- economic, cultural or social elements.
The persons concerned are: employees, clients, potential clients, potential employees, suppliers, other contractors or beneficiaries, visitors, etc.
WHAT COMPANIES HAVE TO DO
1. Appoint a Personal Data Protection Officer (Day-by-Day DPO), who is responsible for coordinating and supervising the implementation of GDPR compliance requirements, documenting processes and producing the necessary periodic reports;
Not all organisations are required to designate a DPO; it is mandatory only for:
– Public institutions;
– Organizations that process special categories of data on a large scale (data revealing racial or ethnic origin, religion, political opinions, trade union membership, biometric or genetic data, etc.);
– Organizations that regularly and systematically monitor data subjects on a large scale.
This service can be outsourced. If a person inside the organization is appointed, they should not be part of the company’s management, to avoid a conflict of interest. The role should be seen as that of a controller or auditor.
The DPO's tasks are set out in Article 39 of the GDPR. It is important for the DPO to be involved in all aspects of data protection.
2. Perform an internal security audit (GAP analysis), i.e. a de facto audit (initial compliance analysis), assess the impact on data protection (risk – DPIA) and establish a plan of measures to comply with the GDPR and mitigate risks (alteration, alienation or loss of data);
NB: Data protection must be demonstrable by design and by default.
3. Carry out data mapping, i.e. document the data processing operations (mandatory for enterprises with more than 250 employees) in a personal data processing register;
4. Establish security policies and ensure compliance with the rights of individuals (procedures must cover the rights of data subjects, the information to be given to data subjects, request templates, response templates, etc.);
5. Implement technical security measures (the departments most concerned are: HR, IT, Legal, Marketing, Sales);
6. Perform security tests and document them;
7. Perform an annual security audit;
8. Inform the data subjects (in writing);
9. Provide employee training;
10. Inform the empowered persons (processors) and conclude appropriate legal documents with them; they in turn must keep records of the processing;
11. Monitor, manage and inform the Authority if a security breach occurs;
12. Hold civil liability insurance.
WHAT THE AUTHORITY PURSUES
The Authority ensures that the rights of the data subject are respected:
– Right to information (independently of the existence of a request);
– Right of access (based on a request);
– The right to rectification;
– Right to erasure (if the data have been made public, the operator must take technically and economically reasonable measures to inform other operators that the data subject has requested the deletion of the data);
– The right to restrict the processing;
– Right to data portability (the data subject may also request that the data be transmitted to another operator);
– Right to object.
THE COMPANY’S LIABILITY
Any natural person, as a data subject, has the right to file a complaint with the National Supervisory Authority (ANSDCP) if they consider that the processing of their personal data infringes their rights.