The General Data Protection Regulation (EU) 2016/679 was adopted by the European Parliament on April 27, 2016, and its provisions are applicable from May 25, 2018.
Since then, the national laws of the Member States of the European Community Area regarding personal data have been repealed.
Following that, in the USA the California Consumer Privacy Act was adopted, which will be applicable from January 01, 2020. India has adopted the Personal Data Protection Bill, and other countries are following this trend.
The purpose of these new laws and regulations is to create much more powerful tools for individuals to control their own personal data, to block data leaks, to control how data is transferred, and to severely sanction the violation of the rights of individuals. This means, in essence, the following:
- Many more rights in favor of individuals;
- Much more powerful control exercised by the authorities over how companies operate with and use personal data;
- Many more obligations and restrictions for companies that collect and process personal data;
- Much harsher sanctions in case of non-compliance with the legislation in force.
All companies in the world that operate with personal data of the citizens of the European Community Area, regardless of the country in which they have their headquarters, will be subject to the same set of rules. The big challenge of the new legal context is: how to handle this considerable series of new obligations correctly, efficiently and safely.
Why is it a challenge? Because, for example, there is a non-exhaustive but relevant list of the new rights of natural persons:
- The right to be informed about data collection and to give express consent to it;
- The right to have the data updated when it is no longer accurate or is incomplete;
- The right to oppose the use of data for advertising/marketing purposes;
- The right to request a report on how personal data has been used and the history of that use;
- The right to request the deletion of one's personal data;
- The right to have the data transferred to another operator;
- The right to be notified in the event of security breaches;
- and so on.
It is necessary to mention that each new right mentioned above, in favor of individuals, corresponds to a new legal obligation imposed by the legislator on companies. These are not the only new obligations on companies, however; a series of additional obligations is imposed on them as well:
- Obligation to ensure the security of the database with personal data;
- Obligation to appoint, under certain conditions, a DPO (Data Protection Officer);
- Obligation to provide the relevant authorities with the data they request;
- Obligation to report security breaches to the authorities within 72 hours of their identification;
- Obligation to delete personal data from the database once a predefined retention period has elapsed;
- Obligation to keep a clear record of the persons who have access to personal data and, when working with third-party organizations that collect or process data, to carefully monitor how that data is managed;