New EU Regulation on data protection has been published
The new General Data Protection Regulation was published on May 4, 2016. Compared to the currently existing rules, it imposes stricter obligations on both data controllers and data processors and expands the rights of data subjects, in particular by increasing the transparency of data controlling procedures. In this Newsletter we summarize the major novelties of the Regulation for our Clients and make recommendations for preparing for its eventual application.
Scope and application
The Regulation entered into force on the 20th day following its publication; however, it will only apply from May 25, 2018. Formerly, data protection in the EU was regulated by a directive (Directive 95/46/EC), which had to be implemented through national laws; in Hungary this means the Information Act (Act CXII of 2011 on the right of informational self-determination and freedom of information).
The Regulation, unlike the directive, applies directly, without national implementing laws. This means that after May 25, 2018 the provisions of the Information Act will prevail only to the extent that the Regulation does not regulate a matter, or where it allows national law to deviate from it; any such deviation must comply with the fundamental values of data protection and be both necessary and proportionate. This Member State competence covers, for example, the controlling of genetic data, biometric data or data concerning health.
Extended jurisdiction
Application of the Regulation depends on both a territorial and a personal basis. It will therefore apply not only to data controllers and data processors having a place of business in the EU, but also in any other case in which the data of EU citizens is processed in connection with selling goods to them, offering services to them, or monitoring their behaviour within the territory of the EU.
This means that organizations with no EU presence also fall within the scope of the Regulation; in such cases the organization concerned shall designate a representative within the territory of the EU.
Information and consent
For data subjects, the range of information to be disclosed prior to data controlling is extended slightly. In the case of data controlling based on the data subject's consent, the legal requirements pertaining to the consent declaration have become much more detailed and strict compared to the previous regulation.
Regarding information given to the data subject about data controlling, comprehensibility is classified as a top priority: any information shall be given concisely, transparently, in a form which is understandable and easily accessible, and in clear and plain language. "Activity" arises as a new component of giving consent; consequently, consent cannot be given lawfully in a "non-active" way, e.g. by a pre-ticked check-box.
The Regulation addresses consent given online by children as a special problem: children below the age of thirteen cannot give consent for data controlling necessary for using online services in any case; between the ages of thirteen and sixteen, parental consent or authorization is needed; above the age of sixteen, consent may be given individually.
Rights of data subjects – "right to be forgotten"
The Regulation defines the rights of data subjects more widely than the current directive; for example, the right to data portability is also included. This means data subjects may request that a service provider to which they have previously given data transfer that data to another service provider, provided it is technically possible.
Codification of the "right to be forgotten" constitutes one of the greatest novelties; the principle was elaborated by the European Court of Justice (ECJ) in a judgement concerning Google search results. It means that a data subject may request the data controller to erase all data connected to him or her. However, this is not an absolute right: it is bounded by the technological capabilities of the data controller and by the various other legal grounds for data controlling.
Impact assessment – data protection officer – codes of conduct – register
In general, the Regulation expects data controllers to play a much more proactive role, and their obligations are extended along this line. These obligations consist not only of complying with the provisions of the Regulation, but also of demonstrating such compliance.
The Regulation defines cases in which an impact assessment shall be carried out by the data controller prior to data controlling, which, where appropriate, may also involve a parallel consultation with the supervisory authority. One such case is, for example, the use of new data controlling technologies that are likely to carry a higher risk.
In the case of high-risk data controlling, prior consultation with the supervisory authority will be compulsory, and in the cases listed in the Regulation, designating a data protection officer at the data controller will also be an obligation. The Regulation supports and encourages the elaboration of codes of conduct and certification mechanisms; by adopting and performing these, a data controller can demonstrate its compliance with the Regulation.
The Regulation contains quite detailed provisions on the content of the data processing contract concluded between data controllers and data processors; data controllers and data processors shall keep a register of their data controlling and data processing activities.
Transferring data – What replaces Safe Harbor
A judgement of the ECJ recently caused a storm of controversy when the presumed legality of the widely used Safe Harbor system for transferring data was, in practice, terminated. Accordingly, Safe Harbor is no longer part of the Regulation, although countries on the continuously updated list of the European Commission (EC) are deemed to provide an adequate level of protection.
In this area the Regulation introduces the concept of Binding Corporate Rules (BCR), although this legal institution was already incorporated into the Information Act in 2015, so it is no novelty for Hungarian legislation.
Personal data breach – sanctions of infringement – tightening fines
The Regulation introduces the concept of "personal data breach", meaning a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The data controller shall notify the supervisory authority directly and, where appropriate, the data subjects as well.
In respect of compensation for damage caused to the data subject by data controlling (data processing), and liability for causing such damage, the Regulation lays down detailed rules and introduces joint and several liability.
In the case of a breach of the provisions on data controlling, the Regulation specifies more diverse rules than the current ones (Member States may define further sanctions), among which particular attention should be paid to severe data protection breaches sanctioned with a so-called administrative fine. The amount of the fine, depending on the type of infringement, may reach 2% or 4% of the total worldwide turnover of the preceding financial year. This may mean a particularly significant increase compared to the fines currently applicable in Hungary, which are capped at HUF 20.000.000,-.
“One-stop shop” – cooperation between Member State authorities
The Regulation does not establish a new, pan-European data protection authority, but it creates closer cooperation between Member State authorities, which could also make administration simpler. Currently, data controlling undertaken in more than one Member State shall be registered with the data protection authorities of all those Member States; under the Regulation, however, any data controlling process will have one lead authority, determined by the main establishment of the data controller.
Summary and recommendations
As described in this Newsletter, the Regulation brings novelties on many points for legal entities, typically by extending the obligations of data controlling organizations and by making the risks more significant through higher fines. These will certainly require more prudent internal data protection rules and their consistent application.
Taking into account the extent of the information to be provided to data subjects and the altered requirements for declarations of consent, many data controllers may need to modify the internal documentation they have used so far. Stricter registration and reporting obligations will arise as additional obligations.
The new provisions of the Regulation, however, also offer opportunities for prepared and well-informed data controllers to reduce their risks: a BCR with adequate content, a prior impact assessment, consultation with the data protection authority, or the designation of an internal data protection officer are measures that can create a manageable environment for data controllers and keep the risks within a reasonable framework.
Should you have any questions regarding the above, feel free to contact our Office, which has wide-ranging expertise and theoretical and practical experience in data protection law, and is able to draw up practice- and client-oriented solutions.
Phone: +36 1 279 3330
E-mail: office@germus.hu
Address: H-1013 Budapest, Pauler utca 11.