GDPR: The General Data Protection Regulation (GDPR) is the European Union's new data protection law. It is designed to give individuals greater control over their personal data and imposes new obligations on organisations that collect, manage or analyse such data, including organisations outside the EU.
The GDPR regulation will enter into force on 25 May 2018, so you should have started preparing from yesterday…
Directive 95/46/EC (1), the main legal instrument for the protection of personal data in the European Union, has managed over 23 years to ensure the protection of personal data and the smooth functioning of the single market.
However, this act was introduced 23 years ago, in a very early technological environment.
The rapid technological developments that followed created new challenges in the field of personal data protection. The rapid development of the information society, globalisation and the operation of the single market itself have resulted in an unprecedented increase in the collection, exchange and cross-border flow of data by both private businesses and public authorities.
Although the existing rules still meet the Union's basic objectives, they have not achieved the required degree of harmonisation, with the result that the right to the protection of personal data is not guaranteed in an effective, efficient and uniform manner. In this context, the need to adopt a single, uniform and more coherent framework for the protection of personal data has become clear.
In January 2012, the European Commission proposed the reform of the rules on the protection of personal data by introducing a regulation replacing Directive 95/46/EC.
The final version of Regulation (EU) 2016/679 of the European Parliament and of the Council "on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC" was published in the Official Journal of the European Union.
The Regulation entered into force around the end of May of the same year, but it applies from 25 May 2018. Consequently, and taking into account that as a Regulation it is directly applicable in the Member States of the European Union, all companies, persons and bodies must comply with and apply its provisions from 25-5-2018.
GDPR - Definitions
Before examining the main changes brought about by the new Regulation, it is appropriate to briefly list some of the basic concepts as defined in the text of the Regulation:
* "Personal data": Any information concerning an identified or identifiable natural person ("data subject"). An identifiable natural person is one whose identity can be ascertained, directly or indirectly, by reference to an identifier, to location data or to one or more factors that characterise the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
* "Processing": Any act or series of acts carried out on personal data, with or without the use of automated means, such as collection, recording, organisation, structuring, storage, dissemination, retrieval, use, erasure, destruction, etc.
* "Controller": A natural or legal person, public authority, agency or other body that determines the purposes and means of the processing of personal data.
* "Processor": The natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
GDPR - Major changes
As mentioned above, the aim of the new Regulation is the uniform and more effective protection of EU citizens in a rapidly evolving technological and global environment. The new Regulation ensures a high level of harmonisation (direct application in the Member States), while leaving room for manoeuvre to the Member States where and when necessary.
Some of the key innovations - major changes introduced by the new Regulation are the following:
i) Widening the scope
The scope of the Regulation includes entities that are established in the EU, regardless of whether the processing takes place within the EU. The new Regulation also provides that even operators which are not established in the EU are obliged to apply the Regulation if they offer goods or services on the EU market. Today, operators established in the EU must meet different standards from companies based outside the EU but doing business in the single market. With the reform, companies based outside the EU will have to apply the same rules when offering goods or services on the EU market (a level playing field).
ii) Strengthening the rights of data subjects
The new Regulation strengthens the already existing rights of data subjects (e.g. the right to information and the right of access to the data), while also granting new rights.
It is worth noting that the right to erasure ("right to be forgotten") is now clearly, distinctly and explicitly stated. On the basis of this right, the data subject may request the deletion of data that no longer serve a specific, legitimate and stated purpose.
The Regulation also introduces a new right, the "right to portability". According to this, the data subject has the right to receive his or her data in a machine-readable form, or to request their transfer from one controller to another, under certain conditions.
iii) Establishing new obligations
The Regulation imposes a series of new obligations on both controllers and processors. In particular:
* Taking appropriate technical and organisational measures: The controller must be able to demonstrate, whenever requested by the competent supervisory authority, that he has taken all appropriate technical and organisational measures to protect personal data (e.g. pseudonymisation, data minimisation, incorporation of the necessary safeguards into the processing, etc.).
* Data protection by design: The controller is obliged to protect data from the very design of products and services, creating from the outset conditions that are suitable and appropriate for the protection of personal data.
* Data protection by default: The controller is required to apply appropriate technical and organisational measures to ensure that, by default, only the data necessary for the purpose of the processing are processed.
* Stricter conditions for the data subject's consent: If the data subject's consent is given in a written statement which also concerns other matters, the request for consent must be presented in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
* Breach notification: The controller is required to notify a personal data breach without delay, and within 72 hours, to the competent supervisory authority, and also to the data subject if the breach poses serious risks.
* Assignment of the processing to a processor: Processing of data by a processor must be governed by a contract or other legal act, which must have the specific content provided for by the Regulation.
* Keeping records of processing activities: Every controller and processor must keep, in written or electronic form, a detailed record of the processing activities he performs. It should be noted that the record-keeping obligation does not apply to companies or organisations employing fewer than 250 persons, unless the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing involves special categories of data or data relating to criminal convictions.
* Data Protection Impact Assessment: Under the new Regulation, there is no longer a general obligation to notify the competent supervisory authority of processing or to obtain a licence from it. In place of this general obligation, where the processing may involve a high risk to the rights of individuals, in particular because it is systematic, large-scale, concerns special categories of data and is based on the use of new technologies, the controller must carry out a data protection impact assessment. Where, on the basis of the impact assessment carried out and despite the protection measures provided, a high risk from the processing remains, the controller is required to consult the supervisory authority in advance.
* Designation of a Data Protection Officer: A new obligation for persons processing personal data (2) is the designation of a "Data Protection Officer". This person acts as the custodian of personal data and is responsible, among other things, for: (a) monitoring the organisation's compliance with the law; (b) communicating with the competent supervisory authority; and (c) advising the organisation on any matter concerning the protection of personal data. The Data Protection Officer is designated on the basis of professional qualifications and may be a member of the organisation's staff or perform his or her duties under a service contract.
The obligation to designate a "Data Protection Officer" applies in any case where:
1. the processing is carried out by a public authority or body other than courts acting within their jurisdiction,
2. the main activities of the controller or processor consist of processing operations that, due to their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale or
3. the main activities of the controller or the processor consist of large-scale processing of special categories of personal data (e.g. data on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, and data concerning health, sex life or sexual orientation) or of data relating to criminal convictions and offences referred to in Article 10 of the Regulation.
GDPR Codes of Conduct - Certification
The new Regulation encourages the drafting of codes of conduct by associations and other bodies representing categories of controllers or processors, which may be submitted for approval to the competent supervisory authority. Similarly, the establishment of certification mechanisms and data protection seals and marks to support compliance with the Regulation is also encouraged. It is noted that both the development of codes of conduct and certification are optional.
* The fines threatened in the event of a violation of the Regulation, depending on the type of violation, amount to up to 10.000.000 euros or, in the case of businesses, up to 2% of the total worldwide annual turnover of the previous financial year (whichever is higher). In specific cases (such as violations of the rights of data subjects or of the basic principles of processing), the fines amount to up to 20.000.000 euros or, in the case of businesses, up to 4% of the total worldwide annual turnover of the previous financial year (whichever is higher).
* The sanctions adopted make it clear that the new Regulation seeks to create a stricter framework for the protection of personal data.
i. Supervisory cooperation - Consistency
* Adoption of the so-called "Consistency Mechanism": In order to ensure the consistent application of the Regulation across the Union, a mechanism for cooperation between supervisory authorities was established. This mechanism will apply, for example, when a supervisory authority intends to adopt a measure that will produce legal effects in respect of processing operations that substantially affect a significant number of data subjects in more than one Member State.
* Establishment of a European Data Protection Board: A new body with decisive competences at EU level, to be called the "Data Protection Board", will be set up and will play a key role in promoting the "Consistency Mechanism". All national supervisory authorities will be represented on the Data Protection Board.
* Establishment of the "one-stop shop": Under this mechanism, in specific cases where a body is established in more than one Member State and carries out cross-border data processing, cooperation is provided for between the lead supervisory authority (that of the body's main establishment) and the national authorities concerned, in cases of trans-European interest. The aim is to ensure uniformity in the handling of such cases.
The innovations introduced by the GDPR attempt to create a uniform, coherent and stricter framework for the protection of personal data. The new Regulation is expected to apply in just a few months (25 May 2018), which means that the countdown has already begun for businesses and the public sector, which are called upon to modify their structures and take the necessary measures to comply with its provisions.
(1) Directive 95/46/EC of the European Parliament and of the Council "on the Protection of Individuals with regard to the Processing of Personal Data and on the free movement of such data" of 23.11.1995.
(2) Concerns both controllers and processors (see Article 37 of the GDPR).
Posted by the lawyer Georgia Pattili for Businessnews.gr