Personal data protection: Are you ready for GDPR compliance?
On 25 May 2018, the legislation on personal data protection will change when Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), becomes applicable across the EU.
The Regulation changes, among other things, the scope of personal data subject to protection. Profiling of natural persons will also be regulated. The catalogue of special categories of data (alongside data concerning health, which was already protected under the Directive) will be expressly extended to genetic data and biometric data processed to uniquely identify a person. Where processing relies on consent, the consent will have to be specific to the purpose for which the data are processed; one general statement, as used so far, will not suffice. If the controller later wants to process the data for a new purpose on the basis of consent, it will have to obtain a separate consent from the data subject for that purpose.
Each data controller will have an obligation to notify a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk to those rights and freedoms, the affected data subjects must also be informed without undue delay.
The Regulation also clarifies its territorial scope: it applies not only to controllers and processors established in the EU, but also to those outside the EU whose processing relates to offering goods or services to data subjects in the EU or to monitoring their behaviour within the EU. The current wording of the Regulation therefore imposes an obligation to comply on global players such as Facebook or LinkedIn.
GDPR also regulates the protection of children's personal data. Where an online service, including a social network, is offered directly to a child and the processing is based on consent, the consent of a child below the age of 16 will only be valid if it is given or authorised by a parent or legal guardian. GDPR provides, though, that member states may set a lower age for these purposes, as long as it is not below 13 years. Poland is likely to take advantage of this option, as the draft personal data protection law drawn up by the Ministry of Digital Affairs provides for the mandatory consent of a parent or guardian only for the processing of personal data of a person below the age of 13.
The status of the person overseeing personal data processing on behalf of the controller will also change. Once GDPR applies, this role will be performed by the Data Protection Officer, whose powers and independence are greater than those of the current Information Security Administrator; appointing a DPO will be mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. The Regulation also establishes the European Data Protection Board (replacing the Article 29 Working Party), in which the European Data Protection Supervisor participates.
An important novelty for all data controllers is the power of the supervisory authority to impose administrative fines for failure to comply with the Regulation. Depending on the type of infringement, the fines may be up to EUR 10 million or 2% of the total worldwide annual turnover of the preceding financial year, or up to EUR 20 million or 4% of that turnover, in each case whichever is higher. Application of GDPR from 25 May 2018 means that from that day all processing of personal data by controllers and processors must comply with it. Such was the purpose of the two-year vacatio legis. That is why so many businesses are now focused on getting to know the new law and achieving full compliance by 25 May 2018.
Legal adviser/Junior Associate