The General Data Protection Regulation (GDPR), which will enter into force on 25 May 2018, provides for a new, directly applicable data protection law for all of Europe. Enterprises (as well as government entities, which are included in the scope of the new regulation) need to comply with a multitude of new obligations to be implemented in their own organisations. Failure to do so risks severe penalties: fines of up to € 20m or up to 4% of their worldwide turnover.
- List of processing operations
Data controllers (natural or legal persons that commission data processing activities) and data processors (natural or legal persons that process personal data on behalf of the controller) will have to keep a list of their data applications, to be known as the “list of processing operations”. It covers their own contact data, the purposes of the applications, a description of the data categories included in each data application, the categories of recipients, data transfers to third countries (shown separately) and, to the extent possible, the planned duration of data storage and a general description of the technical and organisational measures taken to ensure data security.
Enterprises with fewer than 250 employees will need to keep such a list only:
- when their data processing poses a considerable risk to the rights and freedoms of the data subjects and data processing is carried out regularly; or
- when sensitive data or data regarding criminal behaviour are processed.
- Obligatory Data Protection Officer
A Data Protection Officer (DPO) will have to be designated whenever:
- data processing is carried out by a public authority or body; or
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require in-depth, regular and systematic monitoring of data subjects; or
- the core activity of the controller or the processor requires in-depth processing of sensitive data or of data relating to criminal convictions.
The DPO needs to be appointed on the strength of his/her professional qualities and expert knowledge of data protection law and practice.
- New duties of information and new rights of data subjects
The GDPR will accord data subjects (identified natural persons) much more extensive rights. When it comes to collecting, receiving or disclosing data, the duties to inform data subjects will be substantially enlarged. Existing rights are extended to cover the right to receive information and to request rectification or erasure. Data controllers/processors will need to state how long the data will be stored and will have to comply with data subjects’ requests within one month. Implementing the so-called “right to be forgotten” will require some intense effort, as will the new obligation to inform all recipients of transferred data of the data subjects’ rights to have processed data rectified, erased or restricted. The new right of “data portability” requires data controllers to furnish data in a structured, commonly used and machine-readable format; a data subject may even request that such data be transferred directly (!) from one controller to another.
- International data transfer – complex as ever
The basic premise remains that it is generally forbidden to transfer data to third countries outside the EU unless one of the data transfer tools applies. Existing tools are the standard contract clauses and the Binding Corporate Rules, added to which are the Code of Conduct and approved certification mechanisms.
The GDPR states expressly that data transfer approvals issued by national data protection authorities remain valid. It is thus possible to proactively prepare for 2018.
- Technical and organisational obligations
Entirely new obligations apply with regard to “data protection by design” and data-protection-friendly default settings. The GDPR introduces a novel obligation to perform a data protection impact assessment (DPIA): when data are processed by tools that use new technologies and that, in terms of type, scope, context and purposes, may involve a high risk of infringing on the privacy of data subjects, it is necessary to assess their impact before processing begins.
- Processor contract management is necessary
It will continue to be necessary for the controller and its processor to enter into a processor contract the minimum content of which is defined in the GDPR. Enterprises should therefore introduce a service provider contract management system since non-compliance with the rules carries fines of up to € 10m or 2% of the group’s annual turnover.
- Data breach: to be reported within 72 hours
The GDPR introduces at a European level an obligation to report any data breach, as was already specified in the Austrian Data Protection Act of 2000. If a breach occurs, the controller must promptly inform the data subjects where they are likely to be affected, as well as the competent data protection authority, to the extent possible within 72 hours of obtaining knowledge of the data breach.
- Conclusion: tight timeline required
This string of obligations makes it clear that public as well as private controllers and processors need to follow a tight timeline in order to prepare for May 2018 because the GDPR makes no provision for a grace period.
For further information on this topic please contact Rainer Knyrim at Preslmayr Attorneys at Law by telephone (+43 1 533 16 95) or email (knyrim@preslmayr.at). The Preslmayr Attorneys at Law website can be accessed at www.preslmayr.at.