New EU rules for personal data protection finally adopted

After 4 years of political discussions, the EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data (the GDPR) was finally adopted on 27 April 2016.

The GDPR came into force on 24 May 2016 and replaces Directive 95/46/EC. A transitional period of 2 years is provided until the GDPR becomes fully enforceable in the Member States, which brings us to 25 May 2018.

The GDPR will be directly applicable in all Member States without the need for implementing national legislation.

The GDPR shall pursue the objective of ensuring a consistent and high level of protection of natural persons, and will address the following fundamental issues:

- reinforcing individuals' rights,

- strengthening the EU internal market,

- ensuring stronger enforcement of the rules,

- streamlining international transfers of personal data, and

- setting global data protection standards.

In order to ensure compliance with those changes to the European data protection legislation, companies will have to follow ever greater data protection standards and may also have to adopt new internal procedures.

What are the major aspects to be taken into account for businesses?

  • No more prior notifications to the national data protection authorities

The GDPR removes the requirement to notify and obtain authorization from the national data protection authority in many circumstances. This will remove a huge administrative and financial burden that EU businesses have been facing in different EU countries. Instead of notifications, the data controllers will have to implement the principle of data protection by design and default, to maintain certain internal documentation regarding the different types of data processing carried as well as to conduct a data protection impact assessment for data processing that involves high risks (notably involving new technologies and large scale processing).

  • Territorial scope of data protection rules is extended

Another major new aspect introduced by the GDPR concerns the applicability of the EU data protection rules to data controllers and processors that are not established in the EU, but that process personal data of data subjects residing in the EU, notably whose processing activities relate to the offering of goods or services to or monitoring of behavior of EU data subjects. This will imply an obligation on non- EU companies, notably those engaged in e-commerce, to comply with the new EU data protection rules.

  • Direct applicability of rules to data processors

The GDPR establishes direct obligations on data processors (i.e. persons acting on behalf of data controllers) which has not been the case under the Directive 95/46/EC. The direct requirements for data processors will include technical and organization measures, notifying the data controller of data breaches without undue delay and appointing data protection officers. This will in particular impact upon IT companies usually acting as data processors on behalf of their clients.

  • Increased sanctions

Under the present Luxembourg data protection law, any failure to comply with data processing requirements established by the law may be subject to:

- imprisonment from a period of 8 days to a period of 1 year; and/or
- a fine of up to EUR 125.000.

The new GDPR establishes financial fines that may go up to 4% of annual worldwide turnover. The increased sanctions will certainly have an impact on business approach towards data processing questions.

  • Data protection officer

Under certain circumstances, the appointment of a data protection officer (the DPO) will be mandatory, which is not the case under the present Directive 95/46/EC.

The GDPR establishes an obligation to appoint a DPO when (i) the processing is carried out by a public authority, (ii) the core activities of the data controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale, and (iii) the core activities consist of processing on a large scale of special categories of data.

The DPO will either be employed or operate under a service contract.