What changes in terms of personal data management starting May 2018?
The new General Data Protection Regulation is intended as a friendly instrument that builds a relationship of trust and responsibility among the subjects of the processing, the natural persons whose data is processed, and the operators collecting, processing or transferring the data, rather than as a formal means of authority and control.
The Regulation establishes its own field of application in a way that allows it to be applied worldwide, in order to increase protection of the rights of the individuals whose data is collected and transferred, extending its effects to data operators/collectors residing outside of the European Union.
The complexity of the Regulation and its newly introduced concepts revolve around three basic concepts that were consolidated by the Regulation's provisions and whose field of application was extended.
The new Regulation creates a transparent framework for the individuals from whom the data is collected, giving them a much more active and simplified role in exercising direct instruments such as instant withdrawal of consent, requests for deletion of data and the possibility to send data from one operator to another.
The new Regulation does away with the excessive formalism and the bureaucratic barriers involved in obtaining data transfer authorizations, while leaving the states the possibility to establish the normative framework (guides, application norms) needed to offer an adequate level of protection. This is extremely beneficial for large international players who wish to have a unitary policy and a single set of transfer and security procedures, without facing legal obstacles.
Therefore, transfer notifications and authorizations will become obsolete after 25 May 2018 and will remain in our memory only as rudimentary means of transfer.
With formalities simplified and the role of the national surveillance authorities limited, the responsibilities are transferred directly to the operators and collectors, who must strictly fulfill all their legal obligations from the very first moment and also monitor that the data processing and transfer standards are strictly observed.
While in the first part we stated that the Regulation creates a connection that may be likened to a contractual relationship between the main subjects, we have also taken into account that the central element of this connection is consent.
Going to the very core of this relationship as a means of interaction, we notice the reduction of the public authorities’ contribution and their placement in the private sphere from an administrative perspective, where the parties manage their rights, obligations, and interests by themselves, complying entirely with the given consent, which – as a rule – can be revoked at any time. This is also meant to offer a high level of trust among the parties of the relationship.
The operators’ increased responsibility results from the double role that they must play: fulfilling their obligations and permanent monitoring on the one hand, and prevention actions and control measures against potential violations on the other.
Field of application
Legal Context
Reason for elaborating the GDPR
Territorial application of GDPR
Exceptions – situations in which GDPR does not apply
Concepts introduced by the GDPR
Transparency and consent
Children’s consent
Pseudonymization
Violation of the personal data security
Extension of the sensitive data concept
Privacy by design, privacy by default
Additional rights for the subjects from whom the data is collected
Surveillance authority
Data protection officer
Effects of the GDPR application in Romania
Sanctions