November 2017 – References to the European General Data Protection Regulation (the "GDPR") are currently widespread. In this article, we provide a short and handy guide to the key takeaways of the GDPR, the forthcoming EU-wide data protection framework, enforceable from 25 May 2018.
Definitions introduced by the GDPR
(i) Personal Data – any information relating to an identified or identifiable natural person, for example a birth identification number, a work e-mail address, a picture of a person or medical records. Under the GDPR the concept of "sensitive personal data" is expanded and now includes genetic and biometric data.
(ii) Data Controller – a person who determines the purposes for which, and the way in which, personal data is processed. For example, when Company A collects data from its employees to keep records on file about them, it acts as a data controller.
(iii) Data Processor – another key term in the GDPR, meaning anyone who processes personal data on behalf of a data controller. Therefore, if Company A sends data about its customers (or representatives of its customers) to a marketing provider for direct marketing purposes, that marketing provider acts as a data processor. Likewise, any affiliate of Company A can be classified as a data processor when, for example, it works with the data under the instructions of Company A.
We have singled out the following key takeaways of the new rules:
1. Extraterritorial reach. The GDPR applies to:
(a) businesses established in the European Union;
(b) businesses established outside the European Union, if they offer goods and services to, or monitor, data subjects in the European Union; or
(c) businesses established outside the European Union to which EU law applies by virtue of public international law.
2. Data Subject Rights. The GDPR codifies or strengthens certain rights of individuals (data subjects), including rights previously developed through the courts and supervisory authorities. The GDPR also introduces new rights of individuals, for example the right of an individual to have his/her complete history deleted (the "right to be forgotten") and the right to transfer data (the "right to data portability"). Companies' internal policies should be reviewed to duly address these new rights of data subjects.
3. Consent. The basic concept of an individual's consent to data processing as one of the legal grounds for processing personal data remains the same. However, the GDPR introduces more requirements for consent to be valid; therefore, it will be harder to obtain valid consent under the GDPR. On the other hand, there are other (and often safer) legal grounds for processing personal data besides consent. Companies should revisit the form of consent they use.
4. Data Security. The GDPR requires data processors to adopt appropriate technical and organisational measures to protect personal data. Certain enhanced measures, such as encryption, pseudonymisation, the ability to restore availability of and access to personal data in a timely manner in the event of a physical or technical incident, and regular testing of the effectiveness of those measures, are required "where appropriate". An IT audit (in addition to a legal audit) will often be recommended and may reveal a need to purchase better security software.
5. Data Breach Notification. The data controller must notify the supervisory authority of data breaches and, in some cases, must notify the affected data subjects as well. Adoption of strict internal guidelines and sufficient training will be needed from next year.
6. Data Protection Officer. Depending on the kind of personal data processed, data processors may be required to appoint a data protection officer, i.e., a person with adequate professional qualities and expertise in data protection law. The data protection officer must be involved in all data protection issues and must, to a large extent, be independent, i.e., they must report directly to the highest level of management and may not be dismissed or penalised for performing their role. Companies should review their obligations in this regard and decide whether or not to appoint an officer (or officers).
7. Data Processors. For the first time, certain obligations under the GDPR also apply directly to data processors. These new obligations will need to be reflected in the data processing agreements between the data controller and the data processor. Companies cooperating with other businesses (e.g., distribution channels, insurance companies etc.) should revisit their potential exposure to breaches by their partners and consider mitigating these risks (e.g., renegotiating contractual clauses on the limitation of damages, purchasing additional insurance coverage etc.).
8. Sanctions. The GDPR introduces significantly higher sanctions, which can reach as much as 4% of annual worldwide turnover or EUR 20 million (for the most serious violations). Commencing legal and IT audits early could prevent, or at least mitigate, the most severe sanctions.
For more information about this article, or our TMT sector and expertise, please contact Viliam Myšička, Partner and the firm-wide head of the TMT sector, at .