On 27 April 2016, Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter the "Regulation") on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC, was adopted.

The Regulation modernises the rules for personal data processing in the EU. It is directly applicable and binding on legal entities, individuals and public authorities alike. The Regulation introduces new rights for data subjects and new responsibilities for data controllers with regard to the processing of employee and customer data. It also provides for severe penalties for non-compliance with its requirements.
The most important changes introduced by the Regulation:
- the data controller is obliged to maintain an internal register of the processing operations it performs;
- the amount of information that must be provided to the data subject before processing starts is increased;
- strict requirements apply to consent given by individuals to data processing (a consent form, the individual's opportunity to decide freely, etc.);
- the data subject has the right to request the transfer of all of his or her data, the right "to be forgotten", and further rights regarding data processing;
- the data controller is obliged to ensure the technical set-up needed to record personal data in digital format, to transfer it, and to erase it at the data subject's request;
- guidelines and standard clauses for personal data processing and transmission are introduced;
- in certain cases, the data controller must appoint a data protection officer before processing starts;
- the data subject has the right to claim material and moral compensation from the data controller;
- in some cases a data protection impact assessment will be compulsory;
- to be relieved of liability, the data controller must prove compliance with the requirements of the Regulation (as set out in the Regulation's own provisions);
- new requirements govern the data controller's co-operation with data processors, including a contract between the data controller and the data processor;
- new requirements apply to the transfer of data to third countries;
- the European Data Protection Board is the new supervisory body and the competent authority for reporting data processing violations.
Penalties for non-compliance
- An administrative fine for failure to comply with the requirements set out in the Regulation may amount to 4% of the person's worldwide turnover in the previous accounting year or up to EUR 20 million, whichever is higher (currently up to EUR 14 000).
Taking the considerable changes into account, the Regulation will apply from 25 May 2018, giving data controllers and processors a preparatory period in which to ensure compliance with its data processing requirements. Currently, less than one year is left until the Regulation becomes applicable. We therefore recommend that persons engaged in the processing of personal data who have not yet assessed whether their operations conform to the Regulation do so immediately, in order to ensure compliance and avoid severe penalties.
07.06.17