PERSONAL DATA PROTECTION REFORM

A study conducted last autumn by a US software producer SYMANTEC showed that many UK, German and French companies are not only not ready yet, but also lack the right understanding of how this Regulation will affect the organizations’ activities.

In essence, the purpose of the new Regulation is to establish robust and better harmonized data protection system based on strict enforcement because it is important to create confidence that will enable the economy to develop in its internal markets, and to ensure equal and high level of protection for individuals, to remove barriers to the movement of personal data within the EU, to guarantee the equal protection of the rights and freedoms of individuals in the processing of personal data.

jbm6923-1024x713This new legal act establishes even more clearly than the current legislation that the processing of personal data will be possible only with the consent of the data subject, and the definition of “consent of the data subject” is defined more clearly. The new Regulation establishes that it should be ensured that the data subject is clearly and unambiguously aware of the fact that he/she gives the consent and why, the consent must be given by means of a clear statement confirming that it is a voluntary, specific, based on information and unambiguous indication that the data subject agrees to processing of the personal data relating to him/her.

Any person who has suffered damage due to a violation of the Regulation will be entitled to compensation from the controller or processor for the damage suffered: the controller will be liable for damage caused by the processing of data by processor in violation of the Regulation, and the processor – in case he does not comply with the obligations imposed on the processors in the Regulation or will work disregarding the legitimate instructions of the data controllers or violating them.

After the Regulation enters into force, there will be no obligation to notify authorized institution about data processing: companies and organizations intending to carry out fully or partly automatic data processing will no longer have to notify in advance the Personal Data Supervisor.

The new thing is that data controllers and data processors will be able to transfer personal data to a third country only if the data controller or the data processor has established adequate security measures, as long as the access to use the enforceable rights of data subjects are provided and the effective remedies are available to data subjects.

Any person who has suffered damage due to a violation of the Regulation will be entitled to compensation from the controller or processor for the damage suffered.

In addition, it will be necessary to inform the data subjects without undue delay about the personal data security breach, if this could lead to serious danger to the rights and freedoms of individuals. For the first time in EU law, Regulation also foresees processing of personal data of a minor up to 16 years of age.

It has been established that the processing of personal data of children under the age of 16 is legal only if the consent was given or permission to process the data was given by the holder of the child’s parental rights and to the extent that such consent or permission was granted.

In order for the states to promote business and take responsibility for the fact that the data will be used by the business in such way that it cannot harm individuals, to whom the data belongs, the Regulation provides for the position of the Data Protection Officer (required only in the cases provided by the Regulation).

The Data Protection Officer should become an intermediary among the employees of the company departments, the persons whose data is collected (clients, customers, partners) and supervisory authorities. This will ensure confidence and smooth cooperation between the mentioned entities, and manage the risk of fines. The Regulation allows organizations to choose whether the functions of the Data Protection Officer will be performed by the employee or the external person acting according to the service contract.

Companies that collect and process one or another data of their customers, should already prepare for the entry into force of the new Regulation. First of all, it is advisable for companies to start communicating understandably, when asking for data, say why personal data is processed, how long it will be stored, who will receive it. People must be allowed to access their data, delete their personal data if they ask for it.

First of all, it is advisable for companies to start communicating understandably, when asking for data, say why personal data is processed, how long it will be stored, who will receive it.

It is advisable to keep in mind the use of additional safety measures for health information, race, sexual orientation, religion and political views, giving people the right to refuse direct marketing for the purpose of which their data is used, and provide legal agreements to transfer data to countries which are not approved by the EU institutions.

_jbm1049The size of the penalties provided in the new Regulation should seriously compel current and future data controllers and take a very responsible attitude towards personal data protection. For data controllers and processors who have breached the provisions of the Regulation administrative penalties may be imposed which will be effective on every specific case, proportionate and dissuasive: depending on the nature of the violation of the Regulation, the fine will range from 2 to 4 percent the total annual worldwide turnover of the previous financial year, or from 10 000 000 EUR to 20 000 000 EUR, depending which amount is higher. The maximum penalties shall be imposed for the collection of data without the consent of the person or other legal basis, collection of excess data that is not necessary for the company or refusal to introduce a person with the information accumulated therein.

“Depending on the nature of the violation of the Regulation, the fine will range from 2 to 4 percent the total annual worldwide turnover of the previous financial year, or from 10 000 000 EUR to 20 000 000 EUR, depending which higher”.

In Lithuania, the current new Code of Administrative Offenses provides much lower fines for the irresponsible approach to data protection – up to 3,000 EUR – and this is one of the lowest fines in Europe. However, organizations should focus on understanding why and what Regulation will require rather than on penalties.
It is estimated that the new data protection system will help reduce 130 million EUR costs, informing 28 different business data protection authorities in the EU under the old system, and also anticipating 2.3 billion EUR economic benefit with one single legal act. New rules should increase consumer confidence and, in return, encourage business.

Contact person:

Loreta Andziulytė