What changes in terms of personal data management starting May 2018?

The new General Data Protection Regulation intends to be a friendly instrument that creates a trust and responsibility relationship among the subjects of the processing, the natural persons from which it is processed and the operators collecting, processing or transferring the data rather than some formal means of authority and control.

Through its content, the regulation establishes the field of application, giving it the possibility to be applied at a worldwide level, in order to increase protection of the rights of the targeted individuals from which data is collected and whose data is transferred, favoring an extension of the effects to the data operators/collectors residing outside of the European Union.

The complexity of the Regulation and the newly introduced concepts gravitate around three basic concepts that were consolidated by the Regulation dispositions and whose field of application was extended.

The new Regulation creates a transparent framework for the individuals from whom the data is collected ensuring to the targeted persons a much more active and simplified role in exerting direct instruments such as: instant withdrawal of consent, request for deletion of data and at the same time the possibility to send data from one operator to another.

The new Regulation waives the exacerbated formalism and the bureaucratic barriers imposed to obtain data transfer authorizations, leaving also for the states the possibility to establish the normative framework (guides, application norms) needed to offer an adequate level of protection. This is extremely beneficial for the large international players who wish to have a unitary policy and unique transfer and security procedures, without facing legal obstacles.

Therefore, the transfer notifications and authorizations will become obsolete after 25 May 2018 and will only remain in our memory as rudimental means of transfer.

By simplifying formalism and limiting the role of the national surveillance Authorities the attributions are transferred directly into the charge of the operators and collectors who must strictly fulfill from the very first moment all the legal obligations and also monitor the exactness of the data processing and transfer standards.

While in the first part we stated that the Regulation creates a connection that may potentially be assimilated to a contractual relationship between the main subjects, we have also taken into account that the central element of such connection is consent.

Going to the very core of this relationship as a means of interaction, we notice the reduction of the public authorities’ contribution and their placement in the private sphere from an administrative perspective, where the parties manage their rights, obligations, and interests by themselves, complying entirely with the given consent, which – as a rule – can be revoked at any time. This is also meant to offer a high level of trust among the parties of the relationship.

The operators’ increased responsibility results from the double role that they must play, the fulfillment of their obligations and the permanent monitoring on the one hand and prevention actions and control measures against the potential violations on the other hand.

Field of application

 Legal Context

• On 27 April 2016 the European Parliament and Council adopted the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC;
• Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR), was published in the Official Gazette of the Union L119 of 4 May 2016, and its provisions will be directly applicable in all member states of the European Union, starting from 25 May 2018;
• Regulation (EU) 2016/679 imposes a unique set of rules in the personal data protection matter, replacing Directive 95/46/EC and implicitly the provisions of Law no. 677/2001.

Reason for elaborating the GDPR

• Transparence towards the targeted person and accountability of the data operator related to the way in which they process personal data;
• Establishing a series of specific guarantees in order to protect as efficiently as possible the private life of underage children, especially in the online environment;
• Consolidation of the rights guaranteed to the targeted individuals and introduction of new rights: the right to be forgotten, the right to data portability and the right to processing restriction.
• Tightening of sanctions up to EUR 10 – 20 million or between 2% and 4% of the turnover at worldwide level for the private sector operators.

Territorial application of GDPR

• The personal data processing during activities performed at the headquarters of an operator or a person authorized by the operator on the Union territory, regardless of the fact that the processing takes place on the territory of the Union or not (Weltimmo v Naih – (C-230/14) ; Google Spain SL, Google Inc. v AEPD, Mario Costeja González (C-131/12));
• The processing of the personal data belonging to targeted individuals located in the Union by an operator or a person authorized by the operator who is not residing in the Union, when the processing activities are related to:
• offering goods or services to such persons targeted in the Union, regardless of the fact that the targeted person is required to make a payment or not;
• monitoring their behavior if this manifests within the Union.
• The processing of the personal data by an operator not residing in the Union, but in a place where the internal law applies on grounds of the international public law.

Exceptions – situations in which GDPR does not apply

• GDPR does not apply to the personal data processing:
• In relation to the activities that are not subject to the EU legislation (such as activities concerning national security);
• In relation to the EU external and common security policy;
• By the competent authorities in order to prevent, investigate, detect or prosecute crimes and associated aspects;
• By the EU institutions, if Regulation 45/2001 / EC applies instead of GDPR. The present regulation must be updated in order to ensure consistency with GDPR;
• By a natural person, as part of a “purely personal or domestic use person ex: Bodil Lindqvist (C-101/01).

Concepts introduced by the GDPR

Transparency and consent

• the organizations must provide individuals with extended information related to the processing of their personal data;
• concise, transparent, understandable and easily accessible supply of information;
• the use of pictograms to signal high-interest information;
• prohibiting the insertion of fields filled in by default to grant consent;
• the processing of the employee’s personal data is not done simply based on his consent, but based on a legitimate interest invoked by the employer at the time of collecting them; the position imbalance between employee and employer leads to the presumption that the employee does not have free consent, so that the grounds of the processing must be different.

Children’s consent

• it is forbidden to process data from children below 13 years old;
• offering online services directly to a child, which implies processing the child’s data, is legal if the child is at least 16 years old;
• if the child is below 16 years old, the respective processing is legal only if and to the extent that the said consent is granted or authorized by the parent or the person in charge, exerting rights over the child.

Pseudonymization

• implies the processing of personal data so that they can’t be attributed to a certain person without using additional information;
• the aforementioned additional information must be stored separately and must make the object of technical and organizational measures that would ensure the lack of connection between them and the targeted person;
• it is a factor that must be considered when determining whether the processing is “incompatible” with the purposes for which the personal data was collected and processed initially;
• it is included as example of a technique that may be fulfilling the requirements for the application of the privacy by design, privacy by default concepts;
• it may contribute to fulfilling the GDPR data security (see the section on the violation of the personal data and notification);
• it is necessary for the organizations that wish to use personal data as open data for historical or scientific research or for statistical purposes.

Violation of the personal data security

• GDPR introduces a new framework for all data operators, regardless of their field of activity;
• the notification obligation appears when a personal data security violation takes place. This way, the operator notifies it to the competent surveillance authority.

Extension of the sensitive data concept

• genetic data – represents the personal data regarding a natural person’s inherited or acquired genetic data, which offers unique information related to the physiology or health of that person and which results especially from the analysis of a biological material sample taken from the respective person;
• biometric data – represents the personal data resulting from some specific processing techniques related to physical, physiological or behavioral characteristics of a natural person which allows or confirms the unique identification of the person, such as facial images or fingerprint data.

Privacy by design, privacy by default

• privacy by design – the operator’s obligation to create an infrastructure that would ensure from the very development stage the fact that his application will comply with the rules and principles established by GDPR;
• privacy by default – must ensure that the initial factory settings will allow the users to maintain control over their private life, over what they post or share with other users.

Additional rights for the subjects where the data is collected from

• the right to be forgotten – deletion of data if it is processed illegally, without consent or if the data is no longer necessary for the purpose of their initial processing;
• the right to data portability – there is more freedom in favor of the subjects where the data is processed from. The data transmission from one operator to another can be selected.

Surveillance authority

• monitors the application of the present regulation, in order to protect the rights and fundamental liberties of natural persons in terms of processing;
• it facilitates the free circulation of personal data inside the Union;
• acts as interlocutor and point of contact when the data operator resides in a different state.

Data protection officer

• the appointment of a DPO at the data operator level represents one of the measures taken to hold data operators accountable. The DPO provides the necessary consultancy to the operator for the fulfillment of all the latter’s obligations and to ensure the necessary transparency towards the targeted persons.

Effects of the GDPR application in Romania

• eliminating formalism – the notification of the National Personal Data Processing Surveillance Authority is no longer necessary;
• making the data operators accountable through the obligations to ensure the observance of the GDPR dispositions via the appointed persons, and in special cases the appointment of a personal data officer;
• for the data transfer abroad – obtaining the transfer authorization is no longer needed, yet the necessary documentation must be submitted (BCR standard clause contract);
• the operator is bound to ensure the fulfillment of the obligations regarding the clear and unequivocal information of the individuals from which the data is processed and to obtain their consent in order to use the data.

Sanctions

• Administrative fines of maximum EUR 20,000,000 will be applied for the violation of an order issued by the surveillance authority or, in case of a company, of maximum 4 % of the total annual worldwide turnover corresponding to the previous fiscal year, taking into account the highest value.