After more than four years of drafts and negotiations, the new EU data protection framework has finally been adopted. It takes the form of a General Data Protection Regulation (the “GDPR”)1 and a Data Protection Directive for Police and Criminal Justice Authorities (the “PCJA Directive”)2, both of them published on 4 May 2016 in the Official Journal of the European Union.
The GDPR will apply from 25 May 2018 and will replace the current Directive 95/46/EC of 1995. The GDPR is binding in its entirety and directly applicable in all EU Member States, without the need for implementing national legislation. As regards the PCJA Directive, EU Member States have to transpose it into their national law by 6 May 2018.
The GDPR updates the principles set forth two decades ago by the current EU data protection framework and brings additional guarantees to strengthen the right to privacy. The European Commission says that the GDPR is an essential step to strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market.
Among the significant changes brought by the GDPR, the following are worth noting:
- One law applicable across the European Union and a “one-stop-shop”: the GDPR establishes a single, pan-European law for data protection, replacing the current patchwork of national laws; in addition, the “one-stop-shop” mechanism allows a company with establishments in several EU Member States to deal only with the data protection authority of the Member State where it has its main establishment.
- Same rules for EU and non-EU companies: EU data protection rules will apply not only to European companies, but also to foreign companies offering goods and services to individuals in the EU or monitoring their behaviour there, regardless of where the company is established; this levels the playing field between European and non-European companies.
- Easier access to personal data for data subjects: individuals will receive more information on how their personal data is processed, and data controllers must provide that information in a clear and understandable form; the new right to “data portability” will allow individuals to obtain their personal data and transfer it between service providers.
- The right to be informed when the security of personal data is breached: companies and organisations must notify the competent data protection authority, without undue delay and where feasible within 72 hours of becoming aware of it, of any data breach likely to result in a risk to individuals, and must communicate breaches likely to result in a high risk to the affected data subjects without undue delay, so that those individuals can take appropriate measures.
- An explicit “right to be forgotten”: when an individual no longer wants their data to be processed, and provided that there are no legitimate grounds for retaining it, the data must be erased.
- Stronger enforcement of the rules: data protection authorities will be able to fine companies that do not comply with data protection rules up to EUR 20 million or 4% of their total worldwide annual turnover for the preceding financial year, whichever is higher.
Our recent work in data protection law includes the following:
- Advising a world-leading high products retailer in connection with the national data protection rules and the transfer of personal data to the United States, assessing its customer policies and updating its data security and confidentiality policies.
- Advising the global leader in heavy-duty suspensions on the data protection issues raised, in respect of its Romanian subsidiary, by a project to outsource the group’s payroll to an international provider of business outsourcing solutions.
- Advising a US provider of cloud-based financial management and accounting software on the data protection issues arising from the setting up of a worldwide employee savings plan open to the employees of its Romanian subsidiaries.
- Advising the Romanian branch of a European financial institution on the data protection issues raised by opening to natural persons an online trading platform for sophisticated financial products.