The European Regulation on Data Protection unifies and modernizes European legislation regarding data protection, allowing citizens to have better control of their personal data and businesses to maximize the opportunities of a digital single market, reducing bureaucracy and benefiting of an increased consumer confidence.
Next to this rule, the Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 (LAW 6638/2016) has been published. It is regarding the protection of individuals in the processing of personal data by competent authorities with the purposes of prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, as well as the free movement of such data and for which the Framework Decision 2008/977/JAI of the Council DOUEL 04-05-2016 119C has been repealed.
According to Article 99, Regulation “shall enter into force on the twentieth day following its publication in the Official Journal of the European Union.” However, it will only apply “from 25 May 2018“. According to the Regulations of the Union and, as set in its final phrase, “it shall be binding in its entirety and directly applicable in all Member States”.
Therefore, the new regulation is based on the following points:
- A “right to oblivion”: When a person no longer wants his data to be processed, and provided there are no legitimate reasons to retain it, the data will be deleted. It is about protecting the privacy of individuals, not about deleting old events or restricting press freedom.
- An easier access to an individual’s data: individuals will have more information on how their data is processed and this information should be available in a clear and understandable way. A right to data portability will be easier for people who want to transmit personal data between service providers.
- The right to know when an individual’s data has been cut: Businesses and organizations have to notify the national supervisory authority of data breaches that put individuals at risk as well as communicate to stakeholders all high risk violations as soon as possible so that users can take the necessary measures.
- Greater respect for the rules: the data protection authorities will be able to fine companies that do not comply with EU standards up to 4% of its overall annual turnover volume.
- The “freely given, specific, informed and unequivocal” consent to the processing of data: the controller of the data must be able to prove that the owner “agreed the processing of his data.” Therefore, under the principle of responsibility, the controller shall implement appropriate measures to demonstrate that the consent was given in the appropriate way.