Personal data: new rules in the European Union

    The new Personal Data Protection Rules (GDPR) were approved on April 14, 2016 and are expected to come into force in May 2018. These rules will apply not only to European companies, but also to companies from other countries that offer goods and services in the European Union.
    They replace the European Union Directive adopted in 1995, which is in force today. What will change in the field of personal data in Europe?

    First, the regulation can now apply to companies outside the EU. The rules must be observed by any company that processes personal data in order to offer goods or services in the EU (including free ones) or that monitors the behavior of people in the EU. Offering goods or services in a specific EU country means using the language or currency of that country and making it possible to order goods or services from that country. Monitoring means using technologies that allow data about a user to be used to influence their choices or determine their preferences. So companies physically located outside the EU, but virtually affecting users located in the EU, are subject to the new rules.

    Secondly, the regulation requires the consent of users to the processing of their personal data, and separate consent will be needed for processing data for different purposes. Such consent must be free, informed and specific, and it may be withdrawn at any time. Consent will not be considered free if the user is forced to give it in order to gain access to a site, program or application. An exception applies when the user's personal data is required to perform an agreement. Where personal data is collected and processed for marketing purposes, the user must be able to object to the collection and processing of their data, and the user's attention must be drawn separately to the fact that they have this right.

    Thirdly, companies working with personal data will have new responsibilities. They will have to keep records of their processing of personal data (the type of data and the purposes for which it is processed) and conduct an internal audit. Projects involving personal data will have to build in the fulfillment of certain obligations, for example the obligation to minimize the use of data in accordance with the principle of data protection by design (i.e. to limit the use of data to specific purposes and to use anonymized data where possible). All companies will have to adopt internal documents setting out the measures to be taken in case of a violation of the procedure for handling personal data.

    Fourth, companies must notify supervisory authorities of any personal data breach within 72 hours. They will also need to maintain an internal register of breaches.
    Certain provisions of the new document concern the cross-border transfer of personal data. When data is transferred outside the EU, users will need to be informed of the risks involved. Cross-border transfer of personal data between companies of one group is possible, but all companies in the group must have binding corporate rules on the protection of personal data.

    Finally, liability for violations increases. The maximum fine will now be either 20 million euros or 4% of the annual global turnover of the business.
    Discussing the changes, European lawyers note that companies working with personal data will have to take a large number of measures to ensure that their future activities comply with the new rules: for example, develop new internal documents, conduct an internal audit, review existing agreements with users, train staff and appoint responsible persons within the company.