The new General Data Protection Regulation (“GDPR”) come into force on 25th May 2018, and the excitement rises about what needs to be done. Currently you can find a lot of ‘Check’ and ‘To-Do’ lists on the internet (ours included) as every data controller (whether companies, freelancer or NGO) is afraid of the financial penalties.
Of course, this is not a reason for data controllers to restructure their companies or put extra data protection measures in place. But they must learn about processed data, check the purpose of processing, and be dutiful and responsible about the way they handle data.
Background: Accountability Principle
At the moment, the rule is that any data protection violation has to be proven by the data protection authority during an audit. Due to the understaffing of the data protection authority in Romania, the risk of an audit is manageable; and the imposed sanctions are kept within limits which barely make an impact on business operations.
The new GDPR puts in place the ‘accountability principle’, according to which every data controller is obliged to prove its fulfilment of the legal requirements based on internal paperwork. It is now the data controller who has to show proof to the data protection authority, and not the other way around. From now on, there must be arguments and written records to support conformity to GDPR principles, prepared in advance. This, of course, requires that the data controller knows both the principles and the internal procedures.
Data Protection Principles
Even though the data protection principles established in the new GDPR do not differ significantly from the previous legal status, they now have to be proven in writing. For example, if the rules state that any processing of personal data ought to be done for a specified purpose, fairly and transparently, this has to be proven on a case-by-case basis. The same applies under the principle stating that data must be stored exclusively for the duration of the processing and its purpose. After this period, technical solutions have to be available to delete the data.
Record of processing activities
In the light of the above statements, art. 30 of the GDPR obliges the data controllers to keep a record of all processing activities: ie a paper file (as well as an electronic record) containing (inter alia) the categories of personal data, their recipients, the purpose of processing, associated technical measures, and duration of processing.
In general, such an obligation applies only to companies with more than 250 employees, unless the processing it carries out is “likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data (…) or personal data relating to criminal convictions and offences (…)”.
In practice, this exception applying to companies with less than 250 employees will rarely take effect, particularly as there are so few cases in which there is no regular processing (at least for a company’s own employees) or the processing bears no risk for the rights and freedoms of the data subjects. We also expect that at least some special data categories like health data (in the form of sick days or disabilities) will be processed for a company’s own employees. Therefore, we assume that all companies, irrespective of their number of employees will have to keep such record.
Liability for representatives
If data is not processed directly, because it is assigned to a contractual partner, this does not lead to a complete passing-on of duties to the partner. A data controller is liable, together with his representative, as soon as the privacy rights of their own customers are disregarded. So it is advisable to take a closer look at all contracts with subcontractors to include liability restrictions.
The topic of data protection causes more and more concern the closer the application date approaches. Data controllers have until 25th May 2018 to get familiar with the data protection principles and prove compliance in writing, ie. with good records, to avoid heavy financial penalties. The new accountability principle says that they must provide evidence for legally flawless data processing both for their own company and for their representatives.