GDPR: all about the General Data Protection Regulation

GDPR: The General Data Protection Regulation (GDPR) is the new European Union law on personal data. It is designed to give individuals greater control over their personal data and imposes new obligations on organizations that collect, manage or analyze such data, including organizations established outside the EU.

The GDPR applies from 25 May 2018, so you should have started preparing yesterday…

_______________________________________________

GDPR: The main legislative act for the protection of personal data in the European Union, Directive 95/46/EC (1), managed for 23 years to ensure both the protection of personal data and the smooth functioning of the single market.

However, that act was adopted 23 years ago, in a very early technological environment.

The rapid technological developments that followed have created new challenges in the field of personal data protection. The rapid growth of the information society, globalization and the very functioning of the Single Market have resulted in an unprecedented increase in the collection, exchange and cross-border flow of data from both private and public authorities.

Although the existing rules still serve the Union's basic objectives, they have not achieved the required degree of harmonization, with the result that the right to the protection of personal data is not guaranteed in an effective, efficient and uniform manner. In this context, the need to adopt a single, uniform and more coherent framework for the protection of personal data became clear.

In January 2012 the European Commission proposed a reform of the rules on the protection of personal data, introducing a regulation to replace Directive 95/46/EC.

The final version of Regulation (EU) 2016/679 of the European Parliament and of the Council "on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC" was published in the Official Journal of the European Union in 2016.

The Regulation entered into force in May 2016, but it applies from 25 May 2018. Consequently, and given that as a Regulation it is directly applicable in the Member States of the European Union, all companies, persons and bodies must comply with and apply its provisions from 25-5-2018.

GDPR - Definitions

Before examining the main changes brought about by the new Regulation, it is worth briefly listing some of the basic concepts as defined in the text of the Regulation:

* "Personal data": Any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

* "Processing": Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, dissemination, retrieval, use, erasure, destruction, etc.

* "Controller": The natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data.

* "Processor": The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

GDPR - Major changes

As mentioned above, the aim of the new Regulation is the uniform and more effective protection of EU citizens in a rapidly evolving technological and global environment. The new Regulation ensures a high level of harmonization (direct application in the Member States), while leaving the Member States room for maneuver where and when necessary.

Some of the key innovations - major changes introduced by the new Regulation are the following:

i) Widening the scope

The scope of the Regulation covers entities established in the EU, regardless of whether the processing itself takes place within the EU. The new Regulation also provides that controllers and processors not established in the EU must apply it when they offer goods or services to data subjects in the EU market (or monitor their behaviour within the EU). Today, operators established in the EU must meet different standards from companies based outside the EU that do business in the single market. With the reform, companies based outside the EU will have to apply the same rules when offering goods or services on the EU market (a level playing field).

(ii) Strengthening the rights of data subjects

The new Regulation strengthens the existing rights of data subjects (e.g. the right of access to data), while at the same time establishing new rights.

It is worth noting that the right to erasure (the "right to be forgotten") is now stated clearly, distinctly and explicitly. Under this right, the data subject may request the deletion of data that are no longer necessary for the specific, legitimate and stated purpose for which they were collected.

The Regulation also introduces a new right, the "right to data portability". Under it, the data subject has the right to receive his or her data in a structured, commonly used and machine-readable format, or to request that they be transmitted directly from one controller to another, subject to certain conditions.

iii) Establishing new obligations

The Regulation imposes a series of new obligations on both controllers and processors. In particular:

* Taking appropriate technical and organizational measures: The controller must be able to demonstrate - whenever requested by the competent supervisory authority - that it has taken appropriate technical and organizational measures to protect personal data (e.g. pseudonymization, data minimization, integration of the necessary safeguards into the processing, etc.).

* Data protection by design: The controller is required to build data protection into the design of products and services, creating suitable conditions for the protection of personal data from the outset.

* Data protection by default ("data protection by default"): The controller is obliged to apply appropriate technical and organizational measures which ensure that, by default, only the personal data necessary for each specific purpose of the processing are processed.

* Stricter conditions for the data subject's consent: If the data subject's consent is given in a written declaration which also concerns other matters, the request for consent must be presented in a manner clearly distinguishable from those other matters, in an intelligible and easily accessible form, using clear and plain language.

* Breach notification: The controller is required to notify a personal data breach to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and to inform the data subject without undue delay when the breach is likely to result in a high risk to his or her rights and freedoms.

* Entrusting processing to processors: Processing carried out by a processor must be governed by a contract or other legal act, which must contain the specific content required by the Regulation.

* Keeping records of processing activities: Every controller and processor must keep - in written or electronic form - a detailed record of the processing activities it carries out. It should be noted that the record-keeping obligation does not apply to companies or organizations employing fewer than 250 persons, unless the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or data relating to criminal convictions.

* Data Protection Impact Assessment: Under the new Regulation there is no longer a general obligation to notify the competent supervisory authority of, or obtain its authorization for, the processing of data. In place of that general obligation, where processing is likely to result in a high risk to the rights of individuals - in particular because it is systematic, large-scale, concerns special categories of data or relies on new technologies - the controller must carry out a data protection impact assessment. Where, on the basis of that assessment and despite the protective measures provided for, a high risk remains, the controller is required to consult the supervisory authority before the processing.

* Designation of a data protection officer ("Data Protection Officer"): A new obligation for those processing personal data (2) is the designation of a "data protection officer". This person acts as the custodian of personal data and is responsible, among other things, for (a) monitoring the organization's compliance with the law, (b) acting as the point of contact for the competent supervisory authority and, generally, (c) advising the organization on any matter relating to the protection of personal data. The data protection officer is designated on the basis of professional qualifications and may be a member of the organization's staff or perform the duties under a service contract.

The obligation to designate a "Data Protection Officer" applies in any case where:

1. the processing is carried out by a public authority or body other than courts acting within their jurisdiction,
2. the principal activities of the controller or the processor consist of processing operations which, by their nature, scope and / or purpose, require regular and systematic monitoring of data subjects on a large scale or
3. the core activities of the controller or processor consist of large-scale processing of special categories of personal data (e.g. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic or biometric data, and data concerning health, sex life or sexual orientation) or of data relating to criminal convictions and offences referred to in Article 10 of the Regulation.

GDPR Codes of Conduct - Certification

The new Regulation encourages the drawing up of codes of conduct by associations and other bodies representing categories of controllers or processors, which may be submitted to the competent supervisory authority for approval. Similarly, the establishment of certification mechanisms and of data protection seals and marks to demonstrate compliance with the Regulation is also encouraged. It is noted that both codes of conduct and certification are optional.

iv) Fines

* The fines provided for in case of infringement of the Regulation - depending on the type of infringement - amount to up to 10.000.000 euros or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year (whichever is higher). In certain cases (such as infringements of the rights of data subjects or of the basic principles for processing), the fines amount to up to 20.000.000 euros or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year (whichever is higher).

* The sanctions adopted make it clear that the new Regulation seeks to create a stricter framework for the protection of personal data.

v) Supervisory co-operation - Consistency

* Adoption of the so-called "consistency mechanism": To ensure the consistent application of the Regulation across the Union, a mechanism for cooperation between supervisory authorities has been established. It applies, for example, when a supervisory authority intends to adopt a measure that will produce legal effects in respect of processing operations which substantially affect a significant number of data subjects in more than one Member State.

* Establishment of the European Data Protection Board: A new body with binding decision-making powers at EU level, the "European Data Protection Board", is set up and plays a key role in operating the consistency mechanism. All national supervisory authorities are represented on the Board.

* Establishment of the "one-stop shop": Under this mechanism, where a body is established in more than one Member State or carries out cross-border data processing, cooperation is provided for between the lead supervisory authority (that of the body's main establishment) and the other supervisory authorities concerned, so that cases of trans-European interest are handled consistently.

GDPR Conclusion

The innovations introduced by the GDPR seek to create a uniform, coherent and stricter framework for the protection of personal data. The Regulation applies in just a few months (from 25 May 2018), which means that the countdown has already begun for businesses and public bodies, which are called upon to adapt their structures and take the measures necessary to comply with its provisions.

_________________________

(1) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 "on the protection of individuals with regard to the processing of personal data and on the free movement of such data" (OJ L 281, 23.11.1995).

(2) Applies to both controllers and processors (see Article 37 of the GDPR).

Posted by the lawyer  Georgia Pattili for Businessnews.gr

Written by newsbot