Changes to data protection rules were introduced from 15 April 2014, affecting almost all controllers of information systems as well as data processors. 

Key practical changes  

  • Making it optional to adopting administratively and financially demanding safety guidelines.
  • Extending until 1 July 2015 the timeframe within which data controllers must bring all contracts with data processors into compliance with the Data Protection Act.
  • Removing all restrictions on the copying/scanning of official documents in processes related to conclusion of employment (or similar) relationships.
  • Providing for the data protection authority to issue a list of the information systems it expects to be notified of by companies.
  • An overall reduction in the administrative burden for most companies.

Key technical changes

  • The definition of a person authorised by the data controller to come into contact with personal data has been extended to include not only employees but any individual who works under an agreement to perform work or engage in work activity.
  • The penalties and civil fines for some less serious violations are now discretionary rather than automatic: these will be determined according to the gravity, scope and duration, consequences and recurrence of the violation, and the extent of the threat to the private and family life of individuals and the number of the persons affected.
  • The upper band of individual penalties and fines has been lowered, reflecting a more lenient approach.
  • The instructions given by a data controller to an authorised person may now be given by email or other electronic means, and their scope is reduced to what is required by EU law (Directive 95/46/EC).
  • Data controllers no longer have to be notified by the data processor of data protection violations, data processors are no longer responsible for the damages caused by the violation of data controllers not reported to the data protection authority by the data processors.
  • Authorised persons no longer have to notify the data protection authority where the data controller fails to remedy a data protection violation established by a data subject.
  • Data controllers no longer have to appoint a data protection officer; the post may now be filled by a company’s statutory representative providing they are officially certified and authorised for the position.
  • There is no longer a requirement to document all safety measures in a safety guideline.
  • The data protection authority is no longer able to impose a sanction directly on authorized persons or data officers.
  • Replacing the requirement to register an information system with a free online notification requirement.