
INFORMATION ON THE NEW EU GENERAL DATA PROTECTION REGULATION
1. The scope of the Regulation
Material scope
The Regulation applies to the processing of personal data wholly or partly by automated means, and also to processing by other than automated means of personal data which form part of a filing system or are intended to form part of a filing system.
The Regulation applies a broad definition of personal data: any information relating to an identified or identifiable natural person (“data subject”). A person is identifiable if he or she can be identified, directly or indirectly, for example by reference to a name, an identification number, location data or an online identifier.
Territorial scope
In principle, the Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing itself takes place in the Union. It also applies to controllers and processors not established in the Union where the processing relates to offering goods or services to data subjects in the Union or to monitoring their behaviour within the Union.
2. Lawfulness of processing
Legal ground of data processing
Pursuant to the Regulation, the processing will be lawful only if and to the extent that at least one of the following applies:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes,
b) processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract,
c) processing is necessary for compliance with a legal obligation to which the controller is subject,
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person,
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
One of the most common legal grounds for data processing is the consent of the data subject. Written consent is still not mandatory as such; however, the controller has to be able to demonstrate that the data subject has consented to the processing of his or her personal data, so it is highly advisable that the controller obtain and retain the data subject's written consent before any processing based on consent begins. Consent has to be freely given, specific, informed and unambiguous, and the data subject has the right to withdraw it at any time.
According to the principle of accountability, the controller is responsible for compliance with the principles relating to the processing of personal data and has to be able to demonstrate such compliance. The controller is therefore obliged to document the lawfulness of its processing.
3. The rights of the data subject
Information, rectification, limitation, erasure
The person whose personal data are processed is entitled to obtain information on the processing and on the data processed (right of access), and may request the rectification of those data, their erasure (if the conditions set forth in the Regulation are met) and the restriction of the processing.
Pursuant to the newly established provisions of the Regulation, and if the conditions set forth therein are met, the data subject has the right not to be subject to a decision based solely on automated processing, including profiling (the evaluation of personal aspects relating to him or her), which produces legal effects concerning him or her or similarly significantly affects him or her, such as the automatic refusal of an online credit application or e-recruiting practices without any human intervention.
Right to data portability
The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and to transmit those data to another controller, provided that the conditions set forth in the Regulation are met (in particular, that the processing is based on consent or on a contract and is carried out by automated means).
4. The obligations of data controllers and data processors
Record of processing activities
In principle, controllers and processors are obliged to maintain an internal record of their processing activities with the content prescribed by the Regulation. Enterprises employing fewer than 250 persons may be exempted from this obligation, unless the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data or data relating to criminal convictions and offences.
Data protection impact assessment
Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller is obliged, prior to the processing, to carry out a data protection impact assessment of the impact of the envisaged processing operations on the protection of personal data. Where the assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate that risk, the controller has to consult the data protection authority prior to the processing.
Data protection officer
Controllers and processors have to designate a data protection officer if their core activities consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale, or if their core activities consist of processing on a large scale of special categories of data (i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed to uniquely identify a person, data concerning health, or data concerning a person's sex life or sexual orientation) or of personal data relating to criminal convictions and offences. Public authorities and bodies (with the exception of courts acting in their judicial capacity) have to designate a data protection officer in any case.
Information obligation
The controller is subject to a strict obligation to inform the data subject of the circumstances of the processing (in particular the identity of the controller, the purposes and legal basis of the processing, the recipients of the data, the retention period and the data subject's rights). Failure to comply with this obligation may render the processing unlawful.
Personal data breach
One of the major innovations of the Regulation is that in case of a personal data breach, the controller has to notify the data protection authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk to those rights and freedoms, the controller also has to communicate the breach to the affected data subjects without undue delay. A processor that becomes aware of a breach has to notify the controller without undue delay. Pursuant to the Regulation, a personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Joint data controlling
If two or more controllers jointly determine the purposes and means of processing, they are joint controllers. Joint controllers have to determine, in a transparent manner and by means of an arrangement between them, how they will fulfil their respective data protection obligations; however, the data subject may exercise his or her rights in respect of and against each of the controllers.
Fines
In the event of a violation of the data protection obligations, serious fines may be imposed upon controllers or processors. The fine may amount to up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of its total worldwide annual turnover for the preceding financial year, whichever is higher. For the more serious infringements (for example of the basic principles of processing, the conditions for consent, the data subjects' rights or the rules on international transfers), the fine may amount to up to EUR 20,000,000 or up to 4% of the total worldwide annual turnover for the preceding financial year, whichever is higher.
*
The newsletter contains general information, its content may not be regarded as professional advice or comprehensive information for decision-making.
Should you have any further question, we remain at your disposal.