The European Commission (the "Commission") issued, on 24 January, a Communication containing guidance intended to facilitate the direct application of the General Data Protection Regulation ("GDPR") throughout the European Union (the "EU") as of 25 May 2018 (the "Communication"). At the same time, the Commission also published a set of GDPR-related Q&A and an online tool to help companies (with a focus on SMEs), citizens and public administrations understand the new rules.
The Communication is intended to lay out (i) the main novelties and opportunities stemming from the GDPR, (ii) the preparatory work undertaken so far at EU level to ensure the application of the Regulation as of 25 May, (iii) what is still to be done at European and national level and (iv) the measures the Commission will adopt in the near future.
The Communication covers many of the novelties introduced by the GDPR: the harmonization of the European data protection legal framework, the strengthening of individuals' rights (with a highlight on the right to data portability), the protection of individuals against personal data breaches, the heavier fining regime, the reinforced accountability of data processors and the new international data transfer mechanisms.
The Commission also refers to the Expert Group it has convened for the sharing of expertise in data protection matters and to the ongoing talks with third countries (notably Japan and South Korea) with a view to issuing an adequacy decision (which would allow the free flow of personal data to those countries), as well as to the several Article 29 Working Party Guidelines being finalized, covering topics such as Consent, Transparency, Binding Corporate Rules (Article 47 GDPR), data breach notifications and automated individual decision-making.
The Commission notes that, on the date of this notice, only two Member States (Austria and Germany) had adopted the national laws needed to adapt their legal systems to the GDPR (in the meantime, other Member States have initiated this process). The Commission also notes that, although national legislators have some discretion in this regard, their measures may not undermine the direct, simultaneous and uniform application of the GDPR throughout the EU.
The Commission further notes the following:
- The current lack of financial and human resources at the national Data Protection Authorities ("DPAs") may "jeopardize their effectiveness and ultimately the complete independence required under the Regulation", notably in light of their reinforced investigative powers. The Commission therefore urges the Member States to vest the DPAs with the "human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers". This is without prejudice to the Commission's pledge to award EUR 2 million to the DPAs to assist them with their awareness-raising efforts among SMEs and the general public.
- The importance for SMEs of mapping the categories of personal data they process, the purposes of that processing and the applicable legal basis for it, as well as of revising their contracts with data processors and their international data transfer mechanisms. Given the specificities of data processing operations in different sectors, the Commission suggests that companies make use of the new GDPR instruments, such as codes of conduct or certification by a DPA, as elements towards demonstrating compliance.
- Levels of awareness among citizens of their new rights, and among SMEs of their new obligations, are still low. In light of this, the Commission has launched an online tool with a Q&A clarifying frequently asked GDPR questions. The tool will be updated regularly on the basis of the feedback the Commission receives and contains information about the legal bases for the processing of special categories of personal data and the remedies available to data subjects who consider that the processing of personal data infringes the GDPR. The tool also provides examples of cases in which companies will have to, inter alia, carry out a Data Protection Impact Assessment ("DPIA") or appoint a Data Protection Officer ("DPO").
Finally, the Commission outlines the next steps it will take to guarantee the effective application of the GDPR, through the possible adoption of implementing or delegated acts (notably concerning certification) and the integration of the GDPR into the EEA Agreement, allowing for the free flow of data between the EU, Iceland, Liechtenstein and Norway. Moreover, the Commission notes that the GDPR will be enforced in the United Kingdom until the date of its withdrawal from the EU, and states its intention to follow up on the first year of GDPR application in May 2019, at an event that will precede the report on the evaluation and review of the GDPR to be prepared by the Commission in 2020.