European General Data Protection Regulation (GDPR)
On 14 April 2016 the EU Parliament approved the new General Data Protection Regulation (the “GDPR”) on the protection of personal data, which comes into force on 25 May 2018 and will be directly applicable in all Member States.
As defined by the European Commission, “personal data” is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be a name, an address, a photograph, an email address, bank details, medical information, an IP address, etc.
The GDPR is designed to harmonize data privacy laws across Europe and replaces the previous, inadequate Data Protection Directive. Rapid technological developments demand better protection of natural persons in relation to the processing of their personal data, and the GDPR intends to provide adequate protection both for data processed by automated means and for data stored in manual systems.
Basic changes from the previous Data Protection Directive:
- Extended jurisdiction of the GDPR
The most important change relates to the extended jurisdiction of the GDPR, which applies to all companies processing personal data of persons residing in the EU, regardless of the company’s location.
The GDPR applies to the processing of personal data by:
- Controllers inside and outside the EU
- Processors inside and outside the EU
The GDPR applies regardless of whether the control or processing itself takes place inside the EU or not. It also applies to the processing of personal data of EU persons even if the controllers or processors of the data are situated outside the EU.
The GDPR provides that non-compliant organizations can be fined up to 4% of annual global turnover or €20 million (whichever is greater).
Consent must now be given in an intelligible and easily accessible form which must include the purpose of the data processing. Consent requests must be clearly distinguishable from other matters, must use clear and plain language, and must provide for withdrawal of consent as well.
In general, the GDPR aims to protect individuals from privacy and data breaches. It also ensures that controllers and processors will be safe custodians of data as all organizations must evaluate the way they process personal data and arrange for set procedures to be followed in compliance with the GDPR.