In May 2018, Europe switched to the updated rules of personal data processing established by the General Data Protection Regulation (EU Regulation 2016/679 of 27 April 2016 or the GDPR). This regulation, which has direct effect in all 28 EU countries, replaced the Data Protection Directive 95/46/EC of 24 October 1995.
The GDPR’s extraterritorial principle of the new European rules for processing personal data is very important, so you should pay attention to them if the services that your company provides are focused on the European or international market.
The new regulation provides EU residents with the tools for full control over their personal data. Since May 2018, the responsibility for violation of the rules of personal data processing has been toughened: sometimes fines reach 20 million euros, which is 4% of the annual income of GDPR. In this article, we have analyzed the new rules of personal data processing in the EU and formulated recommendations for companies on how to comply with the GDPR.
Which companies are covered by the GDPR?
The GDPR has an extraterritorial effect and applies to all companies processing personal data of EU residents and citizens, regardless of the location of such a company. Of course, branches, representative offices of non-residents in the EU will have to meet the new requirements.
In which cases do companies have to comply with all GDPR requirements? When:
- Their services/products are adapted to local languages of the EU residents;
- Their services/goods are paid in the local EU currencies;
- Their services/goods are provided on national top-level domains of the EU countries.
This means that organizations that handle the personal data of Europeans in the United States in the implementation of online sales (for example, Railways, airlines, hotels, hostels, and others), are subject to the GDPR and must comply with the new European regulation on the processing of personal data. In addition to the processing of personal data, the GDPR uses the concept of monitoring the behavior of data subjects, that's why another category of subjects falls under the GDPR.
The GDPR applies to organizations established outside the EU if they (as controller or processor) control the behavior of the EU residents (to the extent that such behavior takes place in the EU). Businesses from now on will need to comply fully with these standards and if this doesn’t happen they will face strict penalties which may affect their future work.
Monitoring may include:
- monitoring of a resident in the EU on the Internet;
- using data processing techniques to profile individuals, their behavior, or their relationship to something (for example, to analyze or predict personal preferences).
What is meant by personal data in the GDPR?
Personal data is any information relating to an identified or identifiable natural person (data subject) on which it can be determined directly or indirectly. Different pieces of information, which are collected together can lead to identifying a particular person and constitute personal data. It is important to note that there are certain types of personal data. In addition, this information includes genetic, biometric data used to identify individuals, data on health status, information concerning sex life or sexual orientation.
How does data processing work in the GDPR
Personal data gets processed lawfully, fairly, and transparently. Any information about the purposes, methods, and volumes of personal data processing should be presented as accessible and simple as possible. The data shall be collected and used only for the purposes stated by the company (online service). Data may not be collected to a greater extent and should be stored in a form that allows the identification of data subjects for no longer than it is necessary for processing purposes. Personal data that is inaccurate must be deleted or corrected (at the request of the user). All companies are required to protect personal data from unauthorized or illegal processing, destruction and damage.
Cases of violation of the GDPR
Companies are required to notify regulators (and data subjects in some cases) of any breach of personal data within 72 hours of the discovery of such breach. A list of national personal data regulators for all EU countries is available on this website. There is also a Pan-European regulator, Working part 29 or working group on article 29. However, once the GDPR enters into force, the new body will replace the working group on article 29 - the European Data Protection Board (EDPB).
Rights of the data subject (individual)
The GDPR significantly extends the rights of EU citizens and residents to control their personal data. Europeans have the right to request any type of information about the processing of their data and demand its correction. Moreover, the user has the right to demand the termination of his data processing. The GDPR also provides for the right to be forgotten (right to erasure, right to be forgotten), which enables Europeans to delete their data on request in order to avoid their dissemination or transfer to third parties.