Regulation implements
the data protection reform, which aims for better protection of personal
data and privacy. This Regulation establishes new rights for natural persons:
- a right to data portability. Persons will have a right to receive personal
data concerning them in a structured, commonly used, machine-readable format
and to transmit it to another controller;
- a right to be forgotten. A person will have a right to have his or her
personal data erased where he or she has withdrawn his or her consent or
objects to the processing of personal data;
- a right to be informed of a personal data breach. A company shall have an
obligation to notify the person concerned of the personal data breach.
Attention should be drawn to the fact that the Regulation is directly
applicable; thus, to meet the requirements set in the Regulation, companies
shall take the following measures:
- review the internal order and procedures related to personal data, update
them and ensure that they are consistent with the new requirements;
- the Regulation sets a requirement for companies to make persons aware of
where, for what purposes and how their personal data will be used. It is
important to note that personal data may not be used for different purposes
unless the person provides a separate consent. Companies will have to ensure
that the person is aware of the purpose for which the consent is being
provided. Also, the amount of personal data collected shall not exceed that
necessary for provision of the service. A declaration of consent
pre-formulated by the controller should be clear and provided in an
intelligible and easily accessible form;
- introduce measures by which the data may be provided to the person and which
allow the person’s right to be forgotten to be implemented;
- where the Regulation sets out such a requirement, establish the position of
data protection officer. This officer is responsible for implementation of the
Regulation's requirements, accountability, monitoring the processing of data,
etc. A person may be employed for this position, or he or she may provide the
services under a service agreement. A group of companies may employ one data
protection officer;
- inform and instruct the personnel, so that everyone is aware of the extent
of their duties and authorizations related to personal data protection.
Let us draw your attention to the fact that the territorial scope of the
Regulation has been extended. The Regulation will be applicable not only to
companies established in the European Union (hereinafter – EU), but also to
companies not established in the EU which process the data of persons who are
in the EU, where their activities are related to the offering of goods and
services to such persons or to the monitoring of their behavior as far as that
behavior takes place within the EU.
The Regulation will be applicable to all processors and controllers who
process names, surnames, e-mail addresses, credit card information, delivery
addresses of goods or billing addresses, regardless of whether it is a natural
or a legal person (e.g. e-shops, owners of loyalty cards, etc.).
The Regulation can be found at:
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC
25.08.17