On 4 May 2016 the EU published the General Data Protection Regulation (GDPR). The GDPR will apply from 25 May 2018. Under the GDPR the same data protection rules will apply in all EU Member States, save for some specific issues that the individual EU Member States may decide on or substantiate themselves.
In this newsletter we intend to give you a brief overview of some of the issues of the GDPR.
Under the GDPR stricter rules apply to the processing of personal data. Personal data refers to any information relating to an identified or identifiable natural person.
One of the major changes of the GDPR is the territorial scope of the new rules. The GDPR applies to all organizations which process personal data of natural persons (Data Subjects) residing in one of the EU Member States, even if the organization processing the personal data (the Controller) is located outside the EU.
Under the GDPR, processing of personal data must be lawful. Processing is lawful only when it is based on one of a limited number of legal grounds. The legal grounds listed in Article 6 (1) GDPR are:
- the Data Subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the Controller is subject;
- processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
- processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data, in particular where the data subject is a child.
The consent must be given freely by the Data Subject. When the Data Subject is dependent on the Controller, for example in the case of an employment relationship, consent is not presumed to be freely given. When the Controller makes the performance of a contract conditional on the Data Subject's consent to processing that is not related to the contract, consent is likewise not presumed to be freely given. The consent must be specific and informed, which means that the Controller must inform the Data Subject of the purpose of the processing, the way the processing is done, with whom the data will be shared, the storage period of the data and whether the data will be transferred outside the EU. Further, the consent must be given unambiguously. A system whereby the Data Subject must opt out, i.e. a system designed so that the checkmark is already ticked and the Data Subject must click to untick it, is not compliant. The Data Subject must actively give his consent. The burden of proving that consent has been given lies with the Controller. The Data Subject may withdraw his consent at any time, and this must be communicated to the Data Subject before he gives consent. Withdrawing consent must be as easy for the Data Subject as giving it.
Data may be processed when the processing is needed for the performance of a contract. For processing to be lawful on this legal ground, the Data Subject must be a party to the contract. Also, in the phase before a contract is actually entered into, it may be lawful to process the data required for the Controller to perform acts requested by the Data Subject.
An example of a legal obligation is the obligation for banks to keep certain information in their files in order to comply with certain Customer Due Diligence requirements.
In the case of a data breach the Controller must notify the breach to the supervisory authority within 72 hours after having become aware of it. The Controller must further inform the Data Subject of the breach as soon as possible.
Under the GDPR Data Subjects have more control over their personal data. Data Subjects have a right of access, which means that upon the request of a Data Subject the Controller must confirm whether it processes personal data and, if so, grant access to the personal data and provide, among other things, information on the purposes of the processing, the recipients to whom the personal data have been or will be disclosed, the storage period of the personal data and the right to rectify or erase the personal data. Data Subjects further have a right to have their data erased in certain cases, including when the personal data are no longer necessary for the purposes for which they were processed, and after consent has been withdrawn when there is no other legal ground for processing the personal data. Another right of Data Subjects under the GDPR is the right to data portability. This is the right to receive the personal data in a structured, commonly used and machine-readable format and the right to transmit those data to another Controller.
It is of great importance that Controllers handle personal data accurately. A breach of the GDPR could have a great negative impact on the reputation of an organization. Further, if a Controller breaches the GDPR, it can be fined up to the higher of 4% of its annual global turnover or EUR 20 million. It is of the utmost importance that Controllers implement the GDPR in their organizations. Upon your request, we can refer you to specialists in this field.