The European Council (the Council) published its text of the proposed general data protection Regulation (the Regulation) on 15 June 2015. Negotiations have now commenced between the European Commission, the European Parliament and the Council. We expect agreement to be reached, and the final text published, during late 2015/early 2016 with a two year implementation period.

  • The Regulation not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects
  • The Regulation will make it easier for data controllers to rely on 'legitimate business interests' as a lawful ground to process personal data where there is a relevant and appropriate connection between the data controller and the data subject
  • Data processing agreements between data controllers and data processors will be required to contain extensive mandatory data protection clauses; for example, controllers' right to audit their processors and obligations on processors to assist with subject access requests and personal data breaches
  • Member states may provide for additional special conditions for the processing of personal data for specific sectors and for the processing of special categories of data
  • Codes of Conduct and Certifications will be developed to assist data controllers and processors in demonstrating their compliance with the Regulation and also as a means to legitimise international data transfers
  • Multinationals will benefit from a one stop shop, where the data protection authority in the member state where the controller or processor has their main establishment will be the lead authority in relation to data processing undertaken by that controller or processor
  • Organisations may appoint a Data Protection Officer, and must do so where required by applicable member state law
  • Data controllers and processors will be required to maintain a record of all of their data processing activities which must be made available for inspection
  • Serious data breaches must be notified to the DPA, in most cases within 72 hours; data breaches may also need to be notified to the affected individuals who may have the right to claim compensation
  • The application for Binding Corporate Rules as a means to transfer personal data intra-group will be simplified
  • Fines of up to 2% of annual worldwide turnover for the preceding year or EUR 1 million may be imposed for non-compliance; DPAs will also have the power to carry out data protection audits

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.