General Data Protection Regulation
General Data Protection Regulation – GDPR was approved by the EU Parliament on April 14, 2016 Regulation No. 2016/679 and it has come into force 20 days after its publication in the Official Journal of the EU. As a Regulation it is directly applicable in all EU Member States two years after set in force, on May 25th 2018, when the bodies; companies and organizations that will not comply will face heavy fines.
General Data Protection Regulation replaces the EU Directive on Data Protection 95/46/EC, and aims (a) to harmonize data protection laws across Europe (b) protect and strengthen the privacy of EU citizens and (c) to reshape the way in which the agencies active in the EU approach and manage personal data security. GDPR will also require much closer co-operation between the different independent authorities such as “Supervisory Authorities” or “Private Data Protection Authorities”.
EU REGULATION 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
EU DIRECTIVE 2016/680 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
When GDPR is applied?
The date of application of the regulation in EU Member States is May 25th, 2018
Who does the GDPR affect?
GDPR affects all EU bodies; companies and organizations, private, public and state controlled that maintain and manage private data of EU citizens. In this sense companies and organizations outside EU that manage personal data of EU citizens are also affected.
What is considered personal data?
Any information related to a natural person or “Data Subject” that can be used to directly or indirectly identify the person is considered personal data. This information can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
How it is applied?
After May 25th, 2018 bodies, companies and organizations operating within the EU should use high-tech security systems for the protection of the personal data they manage. Also companies outside EU that manage personal data of EU citizens should also comply by using high-tech security systems for protecting personal data.
Which are the penalties for violations?
In case of private data protection breach, companies (a) they must inform immediately their National Authority of Personal Data Protection and their National Regulating Authority and (b) will face fines of up to 4% of their annual turnover or 20 million Euro (whichever is greater).
Companies’ obligations under GDPR
Follow the basic data protection principles.
Transfer personal data to non-EU countries only under certain conditions.
Give access to personal data managed to partners only under controlled and secure conditions and only if they
demonstrate their compliance with GDPR.
Develop and use electronic computerized procedures and tools for timely and free or charge requests of individuals
manage their personal data.
Notify and inform the individuals appropriately and promptly about their rights on personal data protection and
Ensure personal data protection throughout their life cycle.
Keep records and inform for any personal data breach within 72 hours the National Private Data Protection Authority and
the individuals with direct communication and public announcements.
Be able to prove that they comply with all GDPR requirements.