Privacy policy: strict criteria and more rights

On 25th May 2018, the European Union Regulation number 679 of 2016, so called “GDPR” enters into force in all Member States. It applies to companies and professionals processing personal data of natural persons.

Rules also apply to companies that offer services or products inside EU market that are located outside the European Union.

Very briefly with GDPR:

  • clearer rules are introduced about privacy policy and consent;
  • limits to the automated processing of personal data are defined;
  • bases are established for the exercise of new rights;
  • strict criteria are established for their transfer outside EU;
  • strict rules are set for data breaches.

Privacy policy requirements for data subjects remain and are expanded. They must include the retention time of personal data and Data protection officer’s details must be provided.

The right to contest automated decisions, including profiling, as well as the”right to be forgotten” and the data portability are introduced.

  • A valid consent must be explicitly given for data collection and for purposes for which they are used. Therefore, if the request is included in other declarations, it must be distinguished and formulated in a simple and clear language. A condition for a valid consent is that the purposes for which it is requested are explicit, legitimate, adequate and relevant. In case consent for the processing of personal data for one or more specific purposes has been expressed by minors, it is valid only if the minor is at least 16 years old. The age is reduced to 13 years only if the Member State has planned a different age but not less than this. If the child is under the age of 16 or 13, consent must be given by a parent or by the person exercising parental authority, and must be verifiable.

There are also new requirements for controllers and processors:

  • Accountability, is the adoption of proactive behaviors such as to demonstrate the concrete adoption of measures due to the application of regulation.
  • Data protection by default and by design, is the necessity to constitute the profiling by providing the necessary guarantees “in order to meet the requirements” of the regulation and to protect data subjects’ rights.
  • All controllers and processors, except companies with less than 250 employees, must keep a record of processing operations, an indispensable tool for any assessment and risk analysis.
  • All controllers must notify to Authority any “data breach” within 72 hours, but only if they consider that from the breach arise risks for data subjects.
  • All data controllers must document the breach of personal data received, even if not notified to the Authority and not communicated to data subjects.

A new role joins the company: the DPO (Data protection officer).

He is responsible for ensuring the correct personal data management inside companies and institutions and he is identified according to the professional qualities and specialized knowledge of data protection legislation and practice.

It is the person responsible for the application and compliance with the privacy legislation inside controllers’ structures. He works as an interface between the controller and data subjects. He reports directly to the Board of Directors, but is independent from it.

Finally, it should be noted that failure to comply with the obligations provided by GDPR means the application of penalties going from a written warning up to 20 million euro or up to 4% of annual turnover.