
GDPR Key Changes

By Evaldas Cerkesas
19/09/2017

The General Data Protection Regulation (EU) 2016/679 (GDPR) will apply from 25 May 2018, completing
a comprehensive reform of data protection rules in the EU.

The objective of this new set of rules is to give citizens back control over their personal data and
to simplify the regulatory environment for business. The reform will allow European citizens and
businesses to benefit fully from the digital economy.

I. Extra-territorial applicability

Arguably the biggest change to the regulatory landscape of data privacy comes with the extended
jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects
residing in the Union, regardless of the company's location.

GDPR applies to data controllers and processors that process the personal data of data subjects residing in the
Union, regardless of where the controller or processor is established

Previously, the territorial applicability of Directive 95/46/EC was ambiguous and referred to data
processing 'in the context of an establishment'. This topic has arisen in a number of high-profile court cases.

GDPR now makes its applicability very clear:

1. it applies to the processing of personal data in the context of the activities of an
establishment of a controller or a processor in the EU, regardless of whether the processing
takes place in the EU or not;

2. it applies to the processing of personal data of data subjects who are in the EU by a controller or
processor not established in the EU, where the processing activities are related to:

a) the offering of goods or services, irrespective of whether a payment by the data subject is
required, to such data subjects in the EU; or
b) the monitoring of their behaviour as far as their behaviour takes place within the EU.

Non-EU businesses processing the data of EU citizens will also have to appoint a representative in
the EU.

II. Penalties

The new regulation establishes that infringement of GDPR can be subject to administrative fines of
up to 4% of annual global turnover or 20 million (whichever is greater). This is the maximum fine
that can be imposed for the most serious infringements (e.g. collecting data for illegitimate
purposes, not having customer consent or violating the privacy of a data subject).

Sanctions for GDPR infringements can be applied to both controllers and processors -- meaning 'clouds' will not
be exempt from GDPR enforcement

There is a tiered approach to fines: for minor infringements a company can be fined up to 2% of annual
global turnover or 10 million (whichever is greater). Examples of such infringements are failing to
implement appropriate technical and organisational measures, not notifying the supervisory authority
about a data breach, or not conducting an impact assessment.

It is important to note that these rules apply to both controllers and processors -- meaning 'clouds'
will not be exempt from GDPR enforcement.

III. Consent

The conditions for consent have been strengthened. Under the new regulation, companies will no
longer be able to use long, illegible terms and conditions full of legalese: the request for consent shall
be presented in a manner which is clearly distinguishable from other matters. It should be
provided in an intelligible and easily accessible form, using clear and plain language. It must be as
easy to withdraw consent as it is to give it.

IV. The Rights of Data Subjects

a. Right to Access (GDPR Art. 15)

Part of the expanded rights of data subjects established by the new regulation is the right for data
subjects to obtain confirmation from the data controller as to:

a) whether or not personal data concerning them are being processed;
b) for what purposes the data are processed;
c) the categories of personal data processed;
d) the recipients of the personal data;
e) etc.

Further, the controller shall provide a copy of the personal data undergoing processing, free of
charge, in an electronic format. This change is a dramatic shift towards data transparency and
the empowerment of data subjects.

b. Right to Be Forgotten (GDPR Art. 17)

Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data
controller erase his/her personal data without undue delay.

The conditions for erasure include:

a) the data no longer being relevant to the original purposes for processing;
b) the data subject withdrawing consent;
c) the personal data having been unlawfully processed;
d) etc.

It should also be noted that this right does not apply where processing is necessary for
exercising the right of freedom of expression and information, and several other exemptions apply.

c. Right to Data Portability (GDPR Art. 20)

The data subject shall have the right to receive the personal data concerning him or her, which he or
she has provided to a controller, in a structured, commonly used and machine-readable format.
Also, the data subject has the right to transmit those data to another controller without hindrance
from the controller to which the personal data have been provided.

V. Breach notification (GDPR Art. 33)

Under GDPR, breach notification becomes mandatory in all Member States where a
data breach is likely to result in a risk to the rights and freedoms of natural persons. The supervisory
authority must be informed within 72 hours of the controller first becoming aware of the breach.
Where the personal data breach is likely to result in a high risk to the rights and freedoms of
natural persons, the controller shall also communicate the personal data breach to the data subject
without undue delay.

VI. Data Protection by Design and by Default (GDPR Art. 23)

a. The data controller shall implement appropriate technical and organisational measures, such
as pseudonymisation, which are designed to implement data-protection principles, such as
data minimisation, in an effective manner and to integrate the necessary safeguards into the
processing in order to meet the requirements of this Regulation and protect the rights of
data subjects.

b. The data controller shall implement appropriate technical and organisational measures for
ensuring that, by default, only personal data which are necessary for each specific purpose
of the processing are processed.

VII. Data Protection Officer (GDPR Art. 37)

Currently, data controllers are required to notify their data processing activities to local Data
Protection Authorities (DPAs). This regime is burdensome because most Member
States have different notification requirements.

Under GDPR it will not be necessary to submit notifications to each local DPA of data processing
activities, nor will it be a requirement to notify and obtain approval for transfers based on the Model
Contract Clauses (MCCs). Instead, there will be internal recordkeeping requirements.

A DPO shall be designated when the processing is carried out by a public authority or body, when processing operations are
carried out on a large scale, or when special categories of data are processed

In connection with the above, the data controller and the data processor shall designate a data
protection officer (DPO) in any case where:

(a) the processing is carried out by a public authority or body, except for courts acting in their
judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by
virtue of their nature, their scope and/or their purposes, require regular and systematic
monitoring of data subjects on a large scale; or
(c) the core activities of the data controller or the data processor consist of processing on a large
scale of special categories of data revealing:
    - racial or ethnic origin,
    - political opinions,
    - religious or philosophical beliefs,
    - trade union membership,
    - genetic data, or biometric data for the purpose of uniquely identifying a natural person,
    - data concerning health, and
    - data concerning a natural person's sex life or sexual orientation.

If you need more information, do not hesitate to contact ESAS CONSULTING.
