With its entry into force on 25th May 2018, the new Privacy regulation of the EU intends to strengthen and unify data protection for all citizens and residents of the European Union, within and also outside the territory of the European Union.
The harmonisation of the different EU regulations on privacy started with the previous directives on Privacy. However, the European Union this time opted to make the regulation in this area even more homogeneous by choosing the most incisive legislative instrument, a Regulation, which applies directly throughout the territory of the EU without any need for transposition.
The Regulation will facilitate compliance for both European and non-European companies. The compliance incentive is determined by a regime that sets out strict disciplinary measures.
In an economy in which data is the new “gold” and in which big data companies are quoted higher than those in the petrochemical sector it is essential to provide strict data security measures for citizens, who generally are not aware of the value they have.
Introducing a new set of ‘digital rights’, the GDPR is focusing on strengthening the protection of personal data.
The regulation will have an ‘extraterritorial applicability’ by which it is clear that it will apply to the processing of personal data by controllers and processors with registered seats in the EU, regardless of whether the processing takes place in the EU or outside of the territory of the EU.
New, independent Supervisory Authorities will operate along with Data Protection Officers in each member state in order to establish a ‘one-stop-shop’ system in order to decrease the likelihood of forum shopping by data controllers with broad processing activities.
The regulation requires data processors and controllers to control data according to the principles of:
limiting the legal justifications for processing data to an exhaustive list of 6 legal bases, and it also limits the conditions for lawful consent.
The justifications are:
1. The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
3. Processing is necessary for compliance with a legal obligation to which the controller is subject;
4. Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
It will be mandatory when designing a new system, process, service, etc. that processes personal data, to make sure that data protection considerations are taken into account starting from the early stages of the design process.
Furthermore, when the system, process, service, etc. to be designed includes choices for the individual on how much personal data he shares with others, the default setting will be the most privacy friendly one, so the one that says to not share any information at all.
The GDPR joins competition law and anti-bribery regulations imposing sanctions (Art. 83 and 84) up to 4% of the annual worldwide turnover or €20 Million (whichever is greater).
This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of ‘Privacy by Design’ concepts.
Additionally, the regulation makes it easier for individuals to bring private claims against data controllers and processors.
The GDPR will contribute widely to the development of the EU Digital Single Market, implementing various measures protecting digital data and ultimately offering digital opportunities for people and business and enhance Europe’s position as a world leader in the digital economy.
How Italy will adhere to the new European Regulation and modifies its national laws remains to be seen and assessed.
For any further information please contact us.