While some people never stopped believing that the General Data Protection Regulation ("GDPR") would one day become a reality, others had started to despair as more and more time passed. Indeed, the European Commission's initial proposal dates back to 25 January 2012! Finally, however, almost four years later, the European institutions have agreed on a final text.
It goes without saying that the GDPR is a lengthy document, and it will take some time to examine the practical implications for businesses. In order not to spoil your - and our - holidays, we've decided to wait until next year to provide you with an in-depth analysis and have limited this newsflash to 10 key points:
- NO, you don't have to cancel your Christmas plans in order to start implementing the GDPR within your organisation right away. In fact, once the GDPR is published in the Official Journal of the European Union, in early 2016, it will not apply for another two years.
- NO, data processing activities will not be regulated by the GDPR alone. Member States will still be able to lay down specific rules in their national law.
- NO, you will no longer need to notify the national data protection authority of your data processing activities. Instead, certain processing activities will be subject to a data protection impact assessment ("DPIA"). The national data protection authorities will prepare lists of processing activities for which a DPIA is required.
- NO, you will not be obliged to appoint a data protection officer unless your core activities require regular, systematic monitoring of data subjects on a large scale or entail the processing of sensitive data on a large scale.
- YES, you will need to keep records of all processing activities and be able to provide them to the data protection authorities upon request. An exception applies to organisations with fewer than 250 employees provided (i) the processing is not likely to give rise to a risk to the rights and freedoms of the data subjects, (ii) the processing is occasional, and (iii) no sensitive data are processed.
- YES, you will need to review your privacy policies and fair processing notices to ensure they are drafted in clear and plain language and contain all required information. The GDPR indeed requires that more information be provided to data subjects than is currently the case under the Data Protection Directive (95/46) (e.g. the legitimate interests pursued, if the processing is based on this ground, the retention period, etc.).
- YES, if, in the context of offering information society services (e.g. video on demand, chatrooms, online sales), you process the personal data of children below the age of 16 on the basis of consent, such consent must be given or authorised by their parents. Member States may lower this age threshold to 13.
- YES, you will need to review your data processing agreements to ensure that they contain all required information. The GDPR indeed requires that more information be included in data processing agreements than is currently the case under the Data Protection Directive (95/46) (e.g. conditions for enlisting sub-processors).
- YES, you will need to notify the data protection authority of any data breaches within 72 hours after becoming aware of them; in some cases, the data subjects must also be informed.
- Last but not least, YES, violations of the GDPR will be severely sanctioned, with fines of up to EUR 20,000,000 or, for legal entities, up to 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is greater.