The implementation of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR or the Regulation) is mandatory from the 25th of May 2018 for companies that process personal data and have their headquarters both within the European Union and outside the Union if the personal data processing is related to the provision of goods or services to persons targeted in the Union or the monitoring of their behaviour within the Union. As a result, these companies processing personal data will be required to comply with the GDPR rules, being otherwise subject to sanctions of up to EUR 20,000,000 or 4% of the company’s worldwide annual turnover, whichever is higher of the two being applied1.
Although the volume of information on the Regulation may seem overwhelming, the design of some guidelines or steps to get to know it, as these are referred to below, is intended to clarify the legal requirements and allow for the consistent application of the Regulation. The brief review of the GDPR will focus on highlighting the principles of personal data processing, emphasizing the main actor in applying the principles of the Regulation, describing the audit of the data, listing the instruments demonstrating the compliance of the processing with the provisions of the Regulation, pointing out the rights of the data subject and obligations the controller, and, last but not least, the disclosure of how the controller becomes liable.
STEP 1. The first step in getting familiar with the GDPR is to present the principles related to the processing of personal data, namely: legitimacy, fairness, transparency, determined and explicit purpose, accuracy and, last but not least, a limited and adequate personal data processing. In case of non-compliance with these principles the sanctions are the most severe, as has been shown above.
Perhaps the most important principle is the legitimacy of processing because it includes in its structure the consent of the personal data processing subject, the need for processing for the purpose of executing an agreement or in order to fulfil a legal obligation of the controller, as well as to protect the vital interests of the data subject.
From our point of view, the controllers should pay more attention to the consent of the data subject, as this is one of the paths to the proper compliance with the provisions of the Regulation.
The consent of the data subject means any manifestation of free, specific, informed and unambiguous will of the data subject through which he / she accepts, through a statement or by unequivocal action, that the personal data relating to him / her be processed
Among the conditions of consent provided by the Regulation there is the form it must have, namely, it must be presented in an intelligible and easily accessible form, using a simple and clear language. The controllers shall also pay attention to the fact that if the data processing is done for multiple purposes, the consent is to be given for all purposes of the processing. We also have a special situation in the case of minors under the age of 16, such processing being lawful only if the consent is granted or authorized by the holder of parental responsibility for the child.
However, perhaps the most important thing in expressing the consent is that, even after it has been given, it may be withdrawn at any time by the data subject, being informed of this in advance, and this withdrawal shall not in any way affect the legitimacy of the processing carried out until its withdrawal..
Last but not least, the controller must demonstrate that the data subject has consented to the processing of his or her personal data.
STEP 2. This step comes as a complement to the previous step by highlighting the main actor in applying the principles of the Regulation, namely the Data Protection Officer (“DPO”). When?, Where?, Who? and How? are the questions we need to answer in order to create an overview of the main responsibilities of the Data Protection Officer, as follows:
The appointment of a data protection officer shall be made by the controller or the empowered person whenever3:
STEP 3. This step tells us where and for which personal data we need to implement the Regulation. So, we must to understand where this data is within the company we are running and how that data is used. Companies not only receive personal data from all directions, but also send these data to third parties with whom they work, and these actions determine the need for a data audit.
This data audit is the foundation we need to have to successfully implement the rules set out in the Regulation. Through the audit, we must to find answers to the following questions
STEP 4. In this step, we highlight the tools that the Regulation establishes in support of demonstrating the consistency of the processing of personal data by both the controllers and the persons empowered by them.
The Regulation provides three categories of instruments through which the controller may demonstrate the observance of the personal data processing:
I. Impact assessment
The impact assessment on data protection implies an assessment of the impact of the envisaged processing operations on personal data protection, especially in areas that pose a high risk to the rights and freedoms of individuals (especially those based on the use of new technologies).
The impact assessment is mandatory in cases where there is a:
II. Codes of conduct
The Member States, the surveillance authorities, the committee and the Commission support the creation of codes of conduct designed to help ensure the proper application of the Regulation, of course, in conjunction with the specific needs of companies, while taking into account the specificities of the different processing sectors6.
The code of conduct is a voluntary instrument whereby the controller may demonstrate the conformity of the data processing in accordance with the specific characteristics of the various processing sectors.
The codes of conduct, if these concern processing activities from more than one Member State after these have been carried out, are sent to the surveillance authority, which in turn sends these to the committee where such codes are subject to endorsement, with regard to compliance with the Regulation. As an alternative, if these are not related to processing activities from several states, the surveillance authority issues an endorsement on compliance with the Regulation, and then registers and publishes the code.
The advantages for implementing a code of conduct by the large controllers (at the industry level) are practical, namely: demonstrates compliance and offers clarifications, a transfer may be implemented between Member States and, in addition, is a positive factor in the impact assessment.
Based on the Regulation, it is encouraged to establish data protection certification mechanisms, as well as seals and trademarks in this area, to demonstrate that the processing of personal data is in accordance with the Regulation. The certification is voluntary and available through a transparent process, but does not reduce the responsibility of the controller or of the person empowered by the controller to comply with the Regulation.
STEP 5. As part of this step, we shall also explain the Regulation from the perspective of the data subject, by exemplifying both the rights of the data subject and the obligations corresponding to those rights, which fall within the responsibility of the controller.
Consequently, we start with the first right provided by the Regulation, namely the right to information on personal data. If a data subject whose personal data has been processed wishes to know what information has been collected by the controller, then, on the basis of a request addressed to the controller, the following data will be made available to him / her7:
STEP 6. In this step, we will highlight some of the controller’s obligations in order to better clarify the relationship between the rights of the data subject and the obligations of the controller who carries out the processing of personal data.
As a result, among the obligations listed in the Regulation is the controller’s responsibility and this means the controller’s duty to implement appropriate technical and organizational measures that guarantee and are able to demonstrate that the processing is carried out in accordance with the Regulation15.
The second obligation the controller has is to ensure data protection from the moment the processing is established, as well as during the processing of personal data itself, by all means required by the Regulation, regardless of the implementation costs. Appropriate technical and organizational measures must be taken to effectively implement the data protection principles and significantly reduce the risk of security breaches. These measures ensure that personal data cannot be accessed, without the person’s intervention, by an unlimited number of persons16.
The third obligation of the controller is to keep records of the processing activities carried out by the controller itself or its representative. The records shall be made in writing, including in electronic form.
These records include the following information17:
STEP 7. In this final step, we will briefly outline how the controller’s liability can be assumed and what sanctions may be imposed on this if it does not comply with the provisions of the Regulation.
Among the rights that the data subject has is the right to file a complaint with a surveillance authority or the right to seek a legal remedy at law, without prejudice to any other administrative, judicial or non-judicial remedies at law available to the data subject, whereby he / she may dispose of freely.
In so doing, the data subject has the right to file a complaint with a surveillance authority in the Member State where he / she resides or where his / her place of work is or where the alleged violation occurred. The surveillance authority to which the complaint was filed shall inform the complainant of the progress and outcome of the complaint, including the possibility of resorting to a legal remedy at law18. Each data subject shall also have the right to a legal remedy at law if the surveillance authority does not deal with a complaint or does not inform the data subject within 3 months of the progress made or the settlement of the complaint.
The rights of the data subject also include the right to be represented by a non-profit organization, organization or body whose statutory objectives are of public interest and which is active in the protection of the rights and freedoms of data subjects with respect to their personal data. These representatives may file the complaint on behalf of the data subject and exercise his / her rights before the competent institutions, including the collection of damages deserved.
Any person who has been injured as a result of a breach of the Regulation and who has suffered damages shall be entitled to compensation from the controller or the person empowered by the controller. As explained above, the controller or person empowered by the controller is responsible for breaches of the provisions of the Regulation, not only before the data subject, but also before the surveillance authority. The pecuniary liability before the surveillance authority is overwhelming for the controller or the person empowered by the latter due to these administrative fines ranging between EUR 10,000,000 or 2% of the company’s worldwide annual turnover, taking into account whichever is higher, and EUR 20,000,000 or 4% of the company’s worldwide annual turnover, taking into account whichever is higher19.
Concluding, even if, at first glance, getting to know the provisions of the GDPR may seem a daunting perspective, following, in the first phase, the above described steps is meant to raise the vail of intangibility that has come over this regulation, and to ensure that its application not only enhances the security of the personal data collected, while also having the collateral effect of bringing us closer to our customers.
Each of us has gone through a relationship that, although it had all the premises of a successful confluence, lamentably failed when we let the judgment be shaded by reactions to the detriment of reason. How many times did we not come out of a conversation slamming the door behind us due the unannounced arrival of the noisy friends of our half spoke to the invasion of our conjugal home, of our intimacy? That fear only needed the pretext of a badly understood reply to lead us irrationally into a tirade of observations that inevitably have shaken that relationship.
As in the case of United Kingdom, the European Union Referendum Act of 2015, which allowed the vote on leaving or leaving the European Union (“EU”) of United Kingdom, was the pretext that led to the verbalization of the deepest fears of the British population on immigrants, on the contributions paid to the EU budget, on the occupation of the local vacant jobs by people other than those holding British citizenship. And given this opportunity, the citizens chose reactions rather than reason. They chose to slam the door of the edifice built in 1972, when the United Kingdom signed the Accession Treaty, following which it joined the Treaties of the European Communities on January 1st 1973, an edifice that was built by intellectual, diplomatic effort and guaranteed membership to a single market, if not to a community.
The citizens could not accept that the EU is a living, interacting, exchanging entity that can undergo transformations, but, like other EU Member States, the United Kingdom could remain open to this ever growing entity. The institutional equivalent of the way of thinking of “I’ll pack my bags and go” or “my way or the highway” has, as we can see, to the least disruptive consequences at the level of British society:
The United Kingdom Supreme Court analysed, for three days, between December 5th and 8th 2016, the issue of the Government’s transmission of a notification based on Article 50 of the Treaty on the European Union on the United Kingdom’s intention to withdraw from the European Union, without an act by the Parliament to give it the prior authorization to do so, following to publicly disclose the decision in the beginning of 2017. This analysis arises in the context in which the High Court of Justice has already decided on November 16th 2016 that the Government needs the approval of the British Parliament in order to trigger the exit procedure from the European Union1.
The British citizens are worried about their right to free movement, just like EU companies wishing to do business in the United Kingdom after it’s leaving the EU. At the same time, the citizens of the other EU Member States wonder whether they will need to get a visa to visit this country as a result of its decision to leave the EU2.
Hence, here is how a moment reaction, based on reactions can destroy a future showing development potential. If immigration was one of the fears, why weren’t internal measures taken to accommodate the newcomers? Would the implementation of the idiomatic expression “throwing the baby out with the bathwater” bring more benefits to both the British and the rest of the European Union? It seems that the whole system was rejected, due to some elements that were not fully understood 3.
If in the case of inter-human relationships, one can wipe out the episode of the stormy outflow of the scene of one of the protagonists hunted down by reactions, with calm, reason and understanding, trusting the real possibilities of being able to be fulfilled with someone else, the discontinued connection may be re-established, then in the case of the United Kingdom this is only possible with the application of Art. 49 of the Treaty on the European Union4.
Pending the decision of the Supreme Court of Justice, the United Kingdom Government is planning to trigger the EU exit procedure by the end of March 20175, which will initiate some two-year rounds of talks that will address the conditions for Britain’s withdrawal from the EU. In these two years, negotiators will use their intellect to safeguard the rights and freedoms guaranteed to any EU Member State, so that the British citizens will be affected as little as possible by this process. What guarantees are there in the sense of keeping the status-quo? None. Let us consider ourselves lucky that the interpersonal relationships have the chance to restore themselves more easily.