The new GDPR and treatment of personal data

The General Data Protection Regulation (GDPR), the new European Regulation on privacy and data protection, enters into force on May 25th 2018. Its aim is to harmonise the national data protection laws of the member states and to give individuals effective control over their personal data.

Under the GDPR, personal data means any information relating to an identified or identifiable natural person (the ‘data subject’), including: (a) basic identity information such as name, address and ID numbers; (b) online identifiers such as location data, IP addresses, cookie identifiers and RFID tags; (c) health and genetic data; (d) biometric data; (e) racial or ethnic origin; (f) political opinions; (g) sexual orientation. Categories (c) to (g) are “special categories” of personal data, which may only be processed under the stricter conditions the Regulation lays down for them.

Individuals are granted a number of rights over their data by the new Regulation, such as: the right of access, i.e. the right to obtain confirmation of whether a company is processing their personal data, a copy of that data and information on how it is used; the right to erasure (the “right to be forgotten”), i.e. the right to have their personal data deleted where one of the grounds set out in the Regulation applies, for instance where the data is no longer necessary for the purpose it was collected for or where consent is withdrawn; the right to data portability, i.e. the right to receive the data they have provided in a structured, commonly used, machine-readable format and to transfer it from one service provider to another; and the right to be informed of personal data breaches. On this last point, the Regulation sets two distinct obligations: the controller must notify the competent supervisory authority of a breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and must also communicate the breach to the affected individuals without undue delay when it is likely to result in a high risk to their rights and freedoms.

The GDPR applies to data controllers (companies or organisations that decide why and how personal data is processed) and to data processors (companies or organisations that process data on behalf of a controller, such as cloud service providers). It applies to controllers and processors established in the EU regardless of where the processing takes place, and also to those established outside the EU where they offer goods or services to individuals in the EU or monitor their behaviour. Note that the test is whether the data subjects are in the EU, not whether they are EU citizens.

The GDPR requires controllers and processors to designate a DPO (Data Protection Officer) to oversee the data protection strategy and GDPR compliance in specific cases. A DPO is mandatory where the organisation is a public authority or body, where its core activities require regular and systematic monitoring of data subjects on a large scale, or where its core activities consist of large-scale processing of special categories of personal data or of data relating to criminal convictions and offences. Courts acting in their judicial capacity are exempt from the requirement. Member states may extend the obligation to further cases, and an organisation may of course appoint a DPO voluntarily.

The GDPR, like other European Regulations, is directly applicable in every member state of the EU, irrespective of any national implementing law. This means that companies must have the necessary systems and processes in place by May 25th 2018 in order to comply with the new provisions and avoid fines and penalties.

Supervisory authorities are entitled to impose administrative fines in the event of non-compliance with the GDPR. Depending on the provision infringed, administrative fines may reach a maximum of EUR 20 million or, if higher, 4% of the organisation’s total worldwide annual turnover of the preceding financial year. Such fines may be imposed on both controllers and processors. For instance, a violation of the obligations on data protection by design and by default, or of the other obligations placed on controllers and processors (such as record keeping, security of processing and breach notification), is subject to a maximum fine of EUR 10 million or 2% of total worldwide annual turnover. Violating the basic principles for processing, including the conditions for valid consent, infringing data subjects’ rights, or failing to comply with an order of a supervisory authority may result in the highest fine of EUR 20 million or 4% of total worldwide annual turnover.

It is therefore important for companies operating in the EU, and for companies outside the EU that process the data of individuals in the EU, to ensure that they are in full compliance with the new GDPR. Should you need any advice on the new Regulation, please do not hesitate to contact our experts via