On 15 December 2015 the European Commission, the Parliament and the Council reached an agreement on the General Data Protection Regulation (GDPR) and the European data protection reform after years of negotiations. The final texts will be formally adopted by the Parliament and Council at the beginning of 2016, and the GDPR will become applicable in early 2018.
Key changes include the following:
- Territorial scope: The GDPR applies regardless of whether the processing takes place in the EU/EEA or not, and regardless of where the company processing data is established, if it offers goods or services in the EU/EEA or monitors the behaviour of data subjects in the EU/EEA.
- Accountability: Those controlling and processing data will be responsible for compliance with the GDPR and will have to be able to demonstrate that compliance.
- Consent: Consent needs to be explicit. The data controller must be able to demonstrate upon demand that consent was given by the data subject to the processing of their personal data. If the service is provided on the condition that the data subject gives his/her consent and the processing of data is not necessary for the actual performance of the contract, consent will not be valid.
- Child’s consent: The processing of personal data of a child below the age of 16 years (or if a Member State regulates a lower age limit which may not be below 13 years) will only be lawful with parental approval.
- Data breach notifications: Notification of a personal data breach must be made to the supervisory authority within 72 hours of the breach if the personal data breach is likely to result in a risk for the rights and freedoms of individuals.
- Data portability: Data subjects will have the right to access their data and the right to transmit the data from one controller to another.
- DPOs: Companies will be required to appoint a Data Protection Officer if, for example, data processing is a core activity or if sensitive data is processed on a large scale.
- Sanctions for non-compliance: up to 4 per cent of the total worldwide annual turnover of the company.
- Enforcement powers: The data protection authorities will have stronger enforcement powers.
- SMEs: The GDPR includes a number of derogations for small and medium-sized enterprises, unless data processing is a core business activity.
The agreement on the GDPR was put to a confirmation vote in the Civil Liberties Committee which approved the text on Thursday 17 December 2015.