In about four months, on 25 May 2018, the European General Data Protection Regulation (GDPR) will enter into force. The new law will not only apply to European companies but also to Non-European companies acting on the EU market. Besides a number of new obligations and adapted requirements, the GDPR comes with a considerably strengthened system of sanctions. With our series “Countdown to GDPR” published in our upcoming B&B Bulletin issues, we want to provide an overview on the most relevant changes in the new law as a basis for a timely review of data protection compliance.
25 May 2018 is a date that should be marked in the calendar of all companies collecting and using personal data within the European Union. On this date the existing data protection rules in all EU Member States will be replaced by the new General Data Protection Regulation (Regulation (EU) 2016/679 – GDPR). The GDPR will apply to practically all acts of data processing taking place within the EU or aiming at EU subjects and therefore is of relevance for European Union as well as Non-European Union companies.
Companies are faced with a considerable need for adaption, and anyone who has not previously had data protection compliance on the agenda should do so by now at the latest. As the GDPR does not provide for a transitional period, all data processing operations must comply with the new law as of 25 May 2018.
In this article we will outline some important aspects and new provisions. In the next newsletter issues, under the heading “Countdown to GDPR”, we will focus on specific topics that should be considered and addressed by all companies before 25 May 2018.
New data protection law
lawThe new data protection law is based on Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), which will be applied uniformly in all EU Member States from 25 May 2018.
What will remain? What will change?
Many of the data protection mechanisms and principles that are known from the existing data protection law will also apply under the GDPR. In particular, the basic principle that all use of personal data is prohibited unless covered either by the consent of the person concerned or by a specific statutory permission was adopted in the GDPR.
However, the new data protection law also entails a whole series of changes:
The GDPR is not only binding to entities based in the EU, but is also applicable to any non-European data processors where data of EU citizens is concerned and where data processing is related to the provision of goods or services or to the observation of the behavior of EU citizens. For example, a US-based company that collects and processes data of EU citizens (e.g. running an online-shop) will in future be subject to EU data protection legislation
As of the end of May 2018, companies will have an increased degree of accountability when handling personal data. Companies have a non-delegable liability for compliance with the GDPR. Their accountability, however, does not only include legal compliance but also obligatory documentation of compliance measures within the framework of a real accountability towards authorities. In the future, companies will have to keep directories of all data processing operations with legally prescribed information and, under certain conditions, carry out so-called data protection impact assessments (DPIA).
Processing on behalf of a Controller
A common constellation, especially in the digital environment, is that one company (controller) commissions another company (contractor) to process personal data in accordance with its instructions. The applications are diverse and include, for example, hosting contracts, IT maintenance contracts, HR services and payment services. Practically every company that works with external service providers faces the constellation of commissioned data processing.
Commissioned data processing will also be available under the GDPR and will even be available to contractors outside the EU. Although the principal of responsibility for compliance with data protection regulations will continue to lie primarily with the controller, the GDPR imposes an increased liability on the contractor, and also introduces the new concept of a joint liability which does not exist under the current law.
These changes thus affect the contractual relationship and therefore require reviewing and adjusting the existing contracts with external service providers such as hosting providers, payment providers etc.
The GDPR comes with a considerable strengthening of potential sanctions. Violations of the GDPR can result in fines of up to EUR 20 million or, in the case of companies, up to 4 % of the global annual turnover of the previous financial year. This is intended to encourage also large corporations to comply with data protection regulations and it is expected that data protection authorities will use their new instruments to make sure that industries comply with the regulations.
The time remaining
remainingThere are still about four months to go before the GDPR will take effect. This time should be used to review, adjust and document the internal data protection concepts and processes for compliance with the GDPR. Furthermore, existing contracts with external service providers and / or customers should be reviewed and adjusted if needed.
In view of the considerable increase in the risk of sanctions and / or warning notices from competitors, we strongly recommend commencing this review process immediately and to provide your company‘s data protection officers with the required resources for timely compliance measures.
If you have any legal questions on the subject of data protection, please contact our data protection team.