A FEW FACTS YOU NEED TO KNOW ABOUT THE GDPR

As many may know, starting from 25 May 2018 the EU Regulation 2016/679, known as the GDPR (General Data Protection Regulation) and relating to the protection of personal data, will be directly applicable in all Member States.

In a nutshell, the GDPR:

  • introduces clearer rules on information and consent;
  • defines the limits to the automated processing of personal data;
  • lays the foundation for the exercise of new rights;
  • establishes strict criteria for the transfer of personal data outside the EU;
  • sets strict rules for data breach cases.

These rules also apply to companies located outside the European Union that offer services or products within the EU market. All companies, wherever established, will therefore have to respect the new rules. Companies and institutions will have more responsibility and, in case of non-compliance with the rules, risk heavy penalties.

The "One Stop Shop"

To resolve any difficulties, the "one stop shop" rule has been introduced, which will simplify the management of data processing and guarantee a uniform approach. Companies operating in several EU countries may contact the data protection authority (Privacy Guarantor) of the country where they have their headquarters.

Data portability

The regulation introduces the right to "portability" of personal data, allowing data subjects to transfer them from one data controller to another. The rule has an exception for cases where the data are held in archives of public interest, such as the registry offices. In that case the right cannot be exercised, and the same applies to the transfer of personal data to non-EU countries or international organizations that do not meet the required standards of protection.

The principle of "accountability"

There are other important elements of novelty. In fact, the principle of accountability of data controllers has been introduced, together with an approach that gives greater consideration to the risks that a particular processing of personal data may entail for the rights and freedoms of the data subjects. The new portability right described above will facilitate the transition from one service provider to another, encouraging the creation of new services, in line with the Digital Single Market strategy.

Data breach

The data controller must report any personal data breach to the Guarantor (the data protection authority). Responding effectively to a data breach requires a multidisciplinary and integrated approach and greater cooperation at EU level. The current approach has numerous flaws that need to be corrected. It is not simple, but it is necessary in order not to lose the opportunity provided by the GDPR. The first obligation to be put in place by Italian companies is certainly the adoption of the Register of processing of personal data, but even before the bureaucratic requirements, the company must understand the importance and value of its data, as well as the huge economic damage caused by a loss of information. If the data breach poses a threat to people's rights and freedoms:

The data controller (owner) must inform all data subjects in a clear, simple and immediate manner and indicate how it intends to limit the damage;

The controller may decide not to inform data subjects if it believes that the breach does not pose a high risk to their rights, if it can demonstrate that appropriate security measures were already in place, or, finally, if informing the data subjects would involve an effort disproportionate to the risk. In this last case it will have to make a public communication instead;

The Guarantor Authority may in any case require the data controller to inform the data subjects, on the basis of an assessment of the risks related to the breach.

The figure of the DPO (Data Protection Officer)

It is no coincidence that the figure of the Data Protection Officer (DPO) was established, responsible for ensuring the correct management of personal data in companies and institutions and selected according to professional qualities and specialized knowledge of data protection legislation and practice.

The Data Protection Officer reports directly to the company's top management and is independent, as he or she does not receive instructions regarding the performance of the tasks.

In reality there are still too many doubts about what the figure of the DPO is. It is a relevant figure, but certainly it is not the "center" of the system established by the GDPR, which in the new system is always the Data Controller. The DPO must have specific competence "in the regulations and practices concerning personal data as well as the administrative rules and procedures that characterize the sector". It is no less important, however, that the DPO also has "professional qualities appropriate to the complexity of the task to be performed" and, especially with reference to sensitive sectors such as health, can also demonstrate specific competences with respect to the types of processing carried out by the controller. The decision-making autonomy of the DPO, and his or her independence from the determination of the purposes and means of data processing, are equally important if we want to give data subjects back sovereignty over the circulation of their data.

Are you Ready for the EU's New Privacy and Data Protection Rules?

The Data Protection Authority has published new Guidelines concerning the implementation of the European General Data Protection Regulation 2016/679, issued by the European Parliament in April 2016, to enable public entities, institutions, natural persons and private companies to know and correctly apply the new provisions on this matter. The Regulation, which will become fully effective from 18/05/25, will be operational in all EU countries without any further transposition procedure and will replace the current Privacy Code, which was instead adopted with Legislative Decree n. 196 of 2003 in implementation of a previous European Directive. Within a year, national data protection laws will be unified in a single discipline. The system set up by the European Union consists of two parts: a Regulation concerning people, companies and administrations, and a more specific Directive concerning the use of personal data in the field of security, police and justice activities. This second part will have to be transposed by a national law. The Data Protection Authority's Guidelines deal with the issues of the first part of the legislation, dividing it into six groups (lawfulness of processing, information notices, data subjects' rights, data processors, the risk-based approach and the accountability measures of controllers and processors, international data transfers) and addressing its innovations and possible issues.

In particular, some of the changes introduced by the Regulation are in the interest of the data subject. First of all, the information notice that the data subject may be asked to sign must be clear, brief, intelligible and easily accessible. In addition, the data subject may decide to transfer his or her data from one provider to another, with the possibility of changing provider without losing the information already supplied. Only for non-European countries or for international organizations that do not have an adequate level of protection will explicit consent to the transfer of personal data be required. On the other hand, the Regulation promotes the accountability of data controllers and the adoption of approaches and policies that constantly take into account the risks that may arise in data processing. Finally, another important innovation is the introduction of the Data Protection Officer, a professional responsible for managing and controlling the privacy policies of companies and public entities. Thus, in a year we will discover the effects of this reform and how personal data management will change across the European Union.