Certain provisions of the new Law on the Protection of Personal Data (the "Data Protection Law"), including administrative fines and criminal penalties, will enter into force on October 7, 2016. As we informed you in one of our earlier alerts, the Data Protection Law became effective on April 7, 2016, but allowed for a transition period to ensure proper compliance with the newly introduced rules and standards. The following rules and standards will become effective on October 7, 2016:
- Individuals’ rights of access to personal data, including the obligation to notify individuals of their rights.
- Processes for handling individuals' complaints and requests.
- Transfer of personal data to third parties and foreign jurisdictions.
- Registration with the Data Protection Authority.
- Imposition of sanctions, including criminal and administrative fines.
The Data Protection Law envisages that the Data Protection Authority be established by October 7, 2016, which raises uncertainty as to the manner in which some of these rules will be applied and practiced by the same date; some of these rules require additional action by the Data Protection Authority prior to its implementation. For example, the enforcement of international transfer rules will, in most cases, be dependent on the as-yet-undefined list of jurisdictions the Data Protection Authority deems to possess adequate protection for personal data.
Actions to consider
While the finer points of certain rules will be defined in the coming months, companies are strongly advised to take immediate action on rules that do not require the Data Protection Authority to take any action prior to their implementation. These include:
- Notification to data subjects about their rights of access to data under the Data Protection Law and how they can exercise them. The data subjects include all individuals, including customers and employees. Appropriate and informative privacy policies and notices are expected to be the most used method to notify data subjects; and
- Setting up processes for handling data subjects' complaints and requests; the Data Protection Law requires companies to respond to data subjects within 30 days. Although companies can take immediate actions in these two areas, companies with extensive data processing activities are nevertheless still be advised to conduct a comprehensive review of their practices to identify the areas which will require them to take action once the Data Protection Law, with all of its transitional rules, fully enters into force.