1. Introduction
This article aims to highlight some of the main impacts of the General Data Protection Regulation (GDPR). The objective of the GDPR, due to take effect on 25 May 2018, is to reinforce EU citizens’ rights when their personal data is processed.
The GDPR encompasses individuals (natural persons), who are data subjects, and companies that process user data, i.e. controllers or processors. Controllers and processors are even required to set up an independent supervisory position, known as the data protection officer, who will oversee the processing of personal data in accordance with the GDPR.
2. Personal data
The GDPR takes personal data to mean any information concerning an identified or identifiable natural person about whom such data is collected.
This data includes names, gender, age, date of birth, marital status, email address, IP address, telephone number and photographs.
The GDPR also covers special categories of personal data, such as racial or ethnic origin, political opinion, religion or beliefs, trade union membership, health status, sexual orientation, criminal offences and convictions.
Much like the Czech Personal Data Protection Act, the GDPR makes a distinction between personal and sensitive data.
Sensitive data includes genetic data, biometric data and the personal data of children. The processing of such data is subject to stricter procedures.
3. Obligations of processors and controllers
The GDPR introduces the new obligation for all data controllers and processors (irrespective of their size or number of employees) to implement technical, organisational and procedural measures to prove compliance with the principles of the GDPR. This is the “accountability principle”.
Areas covered by this obligation include:
(i) the production of data protection impact assessments (DPIA);
(ii) data pseudonymisation;
(iii) the obligation to designate a data protection officer (DPO);
(iv) record-keeping on processing activities;
(v) consultation with a supervisory authority, etc.
The above obligation to produce DPIAs applies to banks, insurance companies, security agencies, hospitals, telecommunications service providers, and many other data controllers and processors.
Pseudonymisation requires the separate retention of any additional information that could enable data subjects to be specifically identified. In other words, data must now be processed in a way that makes it impossible to identify a specific data subject unless additional information – retained separately – is used.
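To make the pseudonymisation requirement concrete, the following added example (not part of the original article, and not a statement of what the GDPR prescribes technically) replaces direct identifiers in a set of constructed records with keyed tokens. The secret key and the token-to-identifier lookup table are the "additional information" and are held in a separate object, so that whoever holds only the working dataset cannot re-identify anyone. The class and field names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


class PseudonymVault:
    """Holds the additional information needed for re-identification: a secret
    key and the token -> identifier mapping. Hypothetical component, intended
    to live apart from the working dataset (separate store, separate access)."""

    def __init__(self, key=None):
        # A random 256-bit key; in practice drawn from a key-management system.
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup = {}

    def pseudonymise(self, identifier):
        """Return a deterministic keyed token for an identifier.
        HMAC (not a bare hash) so tokens cannot be recomputed without the key."""
        token = hmac.new(self.key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:32]
        self._lookup[token] = identifier
        return token

    def reidentify(self, token):
        """Reverse a token; only possible with access to this separately held vault."""
        return self._lookup.get(token)


def pseudonymise_records(records, vault, direct_identifiers=("name", "email")):
    """Replace direct identifiers in each record with tokens from the vault.
    The returned list contains no plaintext values for those fields."""
    out = []
    for record in records:
        pseudo = dict(record)
        for field in direct_identifiers:
            if field in pseudo:
                pseudo[field] = vault.pseudonymise(pseudo[field])
        out.append(pseudo)
    return out


# Constructed sample data, not real persons.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.test", "plan": "basic"},
    {"name": "Bob Example", "email": "bob@example.test", "plan": "premium"},
    {"name": "Alice Example", "email": "alice@example.test", "plan": "trial"},
]


def demo():
    vault = PseudonymVault()
    working_set = pseudonymise_records(SAMPLE_RECORDS, vault)
    return vault, working_set


if __name__ == "__main__":
    vault, working_set = demo()
    for row in working_set:
        print(row)
    print("re-identified:", vault.reidentify(working_set[0]["email"]))
```

Because the token is deterministic for a given key, records belonging to the same person still join together in the working set (the two "Alice" rows carry the same token), which is what keeps the data usable for analysis; re-identification requires the vault, and a dataset tokenised under a different key yields unrelated tokens.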
All controllers and processors will have to keep detailed records of their processing activities. They will also be required to disclose these records to the supervisory authority so that they can be checked. Exemptions will apply only to controllers/processors employing fewer than 250 persons, provided that (i) they do not process sensitive data; (ii) personal data processing is not their main activity; and (iii) there is no risk that they will undermine personal rights and freedoms.
4. Rights of data subjects
The GDPR also endows all data subjects with very robust rights that they have not previously held, including the right (i) of access; (ii) to rectification; (iii) to erasure; (iv) to be forgotten; (v) to data portability; and (vi) to object.
- Right of access. The right of access enables all data subjects to verify that their data is processed legally. This right may be restricted in the interests of national and public security. All data subjects therefore have the right to know, for example, the period over which the data will be retained, and to know who receives their personal data.
- Right to rectification. If errors are found during the exercise of the right of access, the data subject may request rectification. The controller should provide conditions so that it is possible to submit requests for rectification online, especially if personal data is processed electronically.
- Right to erasure. The GDPR also gives data subjects the right to ask a controller to erase all of their personal data from the controller’s records without undue delay. However, this right may only be exercised if certain conditions are met (such an analysis would extend beyond the bounds of this article).
- Right to be forgotten. Besides the right to erasure, the GDPR also introduces the right to be forgotten, enabling data subjects to demand that a controller arrange for the erasure of all references to the applicant’s personal data and copies thereof. Again, this right is subject to compliance with certain conditions (and such an analysis would extend beyond the bounds of this article).
- Right to object. Furthermore, under the GDPR all data subjects are entitled to raise objections about the method or scope of processing of their personal data, and the controller is required to resolve any such objections.
- Right to portability. This right may be exercised if (i) data processing is contractual or subject to the data subject’s consent; and (ii) the processing is carried out by automated means. When this right is exercised, the controller must provide data subjects with all of the information processed about them in a structured, commonly used and machine-readable format. The data thus obtained can then be provided to another controller, hence its “portability”.
5. Penalties
The GDPR lays down relatively high penalties for breaches of the controller and processor obligations defined above.
The amount of fines depends, naturally, on the seriousness of the offence or misdemeanour (the seriousness and duration of the breach, the number of victims, the amount of damage, etc.). The maximum fine under the GDPR will be either EUR 20 million or 4% of the total annual turnover of the controller/processor, whichever is higher.
According to the GDPR, such a high penalty may even be imposed on a relatively small company, which would essentially be a death sentence for its business.
6. Conclusion
The GDPR will affect large numbers of subjects and, for personal data controllers and processors, it will result in higher administrative costs in order to comply with all obligations, under the threat of exceptionally high penalties (see paragraph 5 above).
All controllers and processors will be required to keep records documenting compliance with GDPR rules and demonstrably submit them for inspection throughout the duration of processing.
Data subjects, for their part, will enjoy new rights that they can exercise in relation to controllers and processors. These rights are discussed in detail in paragraph 4 above. All data subjects will now have the right to be informed in detail about the extent and method of personal data processing, run checks on this processing and, should they so wish, significantly affect that processing.
A completely new fundamental right is the right to erasure and its expansion to the right to be forgotten, enabling people to demand the erasure of their personal data without undue delay, provided that there are no legal grounds for the further processing of such data.
The definition of personal data has also been expanded to include email addresses, IP addresses, and cookies in user devices.
In addition, the GDPR lays down further obligations, such as the obligation of the controller/processor to report data leaks to an inspection body within 72 hours of discovering such an incident. Regrettably, a more detailed analysis of the GDPR is not possible in this article.
If you are affected by the GDPR, we recommend seeking qualified legal assistance in order to come up with a solution on how to adapt to the GDPR and avoid very high penalties.
For more information, please contact our office’s partner, Mgr. Jiří Kučera, e-mail: jkucera@kuceralegal.cz; tel.: +420604242241.