In May 2018 the European Union will adopt up-to-date rules for personal data processing implemented by General Data Protection Regulation (ЕС 2016/67 of 27 April, 2016) ("GDPR"). The above Regulation, which comes into direct effect in all 28 Member States of the EU will replace the Directive of the European Parliament and of the Council of 24 October, 1995 on the protection of individuals with regard to processing of personal data and on the free movement of such data (Directive 95/46/EC).
Although the objectives of Directive 95/46/EC will remain in force, it should be noted that it was unable to prevent legal uncertainty and remove sufficient risks with respect to protection of the personal data of individuals. In addition, differences in levels of personal data protection and processing in the various Member States constitute an obstacle for performing economic activities in the EU. All the above features have raised the necessity to adopt the new EU data protection directive.
GDPR will take effect on 25 May, 2018. An important peculiarity of the Regulation is the extraterritorial effect throughout the EU and beyond. In other words, the effect of GDPR is not limited by the EU's borders but extends to all commercial entities which deal with personal data of EU citizens and residents (hereinafter – "EU citizens") wherever such entities may be incorporated or perform their activities. The main goal of GDPR is to guarantee protection of EU citizens without reference to the place of processing and storage of such data.
Which entities will GDPR apply to?
The Regulation shall be applied to three categories of entities:
- Entities which were established within the EU and process the personal data of EU citizens or control such processing within its activities irrespective of the processing of such data.
- Other entities which collect and process the personal data of EU citizens in connection with the sale of its goods and services. There must be an express option for EU citizens to purchase related services and goods, which entail an option to choose one of the European languages, or direct indication of EU citizens on the web-site, or an option to accept payments in EU currencies or use targeted advertising aimed at EU citizens. Online shops and services which perform delivery of services and goods to the territory of the EU will definitely fall within this category of entities.
- Other entities which monitor the conduct of EU citizens. Such monitoring includes "tracking" of their "behavior" on the Internet for all purposes (for instance, in order to complete "social portraits" to study and forecast their consumer choices).
What does personal data under GDPR guidance include?
Personal data includes any information related to an individual. According to GDPR "personal data" means any information relating to an identified or identifiable individual person ("data subject"); an identifiable individual person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual person (par. 1 art.4). The definition is obviously extended, and it should be stressed that it even includes the IP addresses of individuals.
It shall be noted that GDPR provides special types of personal data classified as special and confidential personal data referred to racial or ethnic origin, political opinion, personal medical details, genetic and biometrical data, religious or philosophical beliefs and participation in labour union organizations, sex life and sexual orientation. Collection and processing of this type of data is generally prohibited with some exceptions explicitly set out by GDPR rules. For instance, the processing of the above-mentioned data if the approval for these actions was expressly given by the data subject for one or more specified purposes; when processing is required for protection of vital interests of the data subject or another individual where the data subject is physically or legally incapable of giving the appropriate related consent; processing is required by public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, etc. The full list may be found in Article 9 of GDPR.
Which key changes to the policy of the personal data protection were implemented with adoption of GDPR?
1. Extension of rights of data subjects.
GDPR significantly extends the rights of data subjects (i.e. EU citizens and residents) as to control of their own personal data. European customers have a right to request the confirmation of their personal data processing and information with respect to the place and purpose of such processing and to which third parties the personal data will be disclosed; period of processing; to clarify the source of obtainment of personal data and require to amend them; to require the termination of such processing, etc.
GDPR also provides the right to erasure ("right to be forgotten"), which means that personal data shall in some circumstances be erased without undue delay in order to prevent their disclosure and distribution at the request of the data subject (for instance, when such data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; or personal data was unlawfully processed, etc.)
The right to data portability is a novelty implemented by GDPR to policy on personal data processing. This right allows individuals to obtain and reuse their personal data across different services (to move, copy or transfer personal data from one company to another in a secure and safe way).
2. Implementation of strict penalties for breach of GDPR requirements (GDPR fines).
Such penalties shall in each case be "effective, proportionate and dissuasive" and are applied in addition to (or instead of) other measures as envisaged by GDPR.
- The first level of administrative fines is an amount of up to 10 000 000 EUR, or in the case of an undertaking, up to 2% of total worldwide annual turnover of the preceding financial year (whichever is higher) will be applied in case of breach of obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43 (for instance, in case of breach of the responsibilities of a data protection officer or in case of breach of conditions applicable to a child's consent).
- The second level of administrative fines in an amount of up to 20 000 000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher) will be applied in case of breach of basic GDPR principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; data subjects' rights pursuant to Articles 12 to 22; infringement of transfers of personal data to a recipient in a third country or an international organization pursuant to Articles 44 to 49,
3. Extension of the "consent" concept
GDPR sets out strict rules with respect to obtainment of consent to personal data processing. Such consent shall be expressed as a direct confirmation by making an active choice. The consent will not be recognised as appropriate where a customer was unable to make a choice or to revoke its consent, or if such consent has a form of implied assent or inactivity. An option to give or revoke consent must be easily found on the web-site of the provider of goods or services.
Other amendments include the necessity of appointment of data protection officers in some particular cases; reporting requirements; intended use of personal data etc.
Please take into account that the above-mentioned information serves exclusively as a general overview of European data protection legal requirements implemented by the new 2018 Data Protection Regulation. Our firm will provide you with appropriate legal advice and assist you in complying with the requirements set out by data protection legislation of Cyprus in general and applicable EU directives in particular.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.