GDPR – the clock is ticking (one year to go)

This Regulation replaces the current Directive 95/46/EEC on the processing of personal data, which in Belgium was transposed by the Personal Data Processing Act of 8 December 1992 (also called the "Privacy Act").

In contrast to the Directive, the GDPR has direct effect in all Member States, so in principle no transposition into national law is necessary. The European Parliament is striving in this way to standardise the data protection regulations. On the other hand, the GDPR regulation still requires implementation on a number of points in Belgium.

The GDPR enters into effect on 25 May 2018. We thus still have around one year to go. That may seem comfortably far off, but make no mistake: most companies will need this time in order to bring their data protection policy into conformity with the new rules.

The GDPR maintains the basic principles to a certain extent, yet innovates on a number of points. In this newsflash we explain to you the general outlines and major innovations of the GDPR. In following newsflashes we will go into greater detail on specific issues.

Broader territorial application 

The material scope of application remains unmodified. Just like the current Privacy Act, the GDPR applies to the fully or partially automated processing, as well as to the non-automated processing, of personal data contained in a file (or intended to be included therein).

However, the territorial scope of application is broadened. Not only the controllers that have an establishment in a Member State must comply with the rules of the GDPR. The regulation is equally applicable to controllers or processors outside the European Union when personal data of involved parties in the European Union are processed, for example for the sale of goods or services or for the observance of a certain behaviour of the party involved.

Accountability     

One of the biggest innovations entailed by the GDPR concerns the position of the controller (i.e. the party responsible for the processing). The latter is actively responsible for a data processing that is in conformity with the GDPR and must also be able to demonstrate this compliance. 

Reinforced consent 

A processing of personal data is lawful when the party concerned gives his approval for it. The GDPR does, however, impose stricter conditions on this approval. It must involve a consent that is free, specific, based on information, unequivocal. Implicit consent is no longer allowed. There must be a clear positive action (e.g. the ticking of a box). 

Rights of the involved parties 

Compared to the existing Directive 95/46/EC and the Belgian Privacy Act, the GDPR strengthens the rights of the involved parties and introduces new rights, including the following rights, amongst others: the right to receive information on the data processing of which the party concerned forms the object, the right to access the data that are processed, the right to have inaccurate data corrected and the right to a copy of the personal data that are processed.

A right to the transferability of data (“data portability”) is also provided for. This right must ensure that a person can easily transfer his data to e.g. a different service provider.

The most striking right is the "right to be forgotten". This principle finds its origin in the well-known Google decision of the European Court of Justice. On the basis of this right, a person can, under certain circumstances, ask the controller to immediately delete his personal data.

One-stop shop

The one-stop shop or the single-counter mechanism is another innovation. A controller who is active in several European Member States will, with the entry into force of the GDPR, no longer have to communicate with different supervisory authorities, but only with the lead supervisory authority. This is the authority of the Member State where the controller has its principal place of business, according to the GDPR the place where the central administration is located. 

In all likelihood it is the Privacy Commission in Belgium that will assume the role of supervisory authority, but we are still awaiting the implementing texts for confirmation of this. 

Security of the processings and data leaks

The GDPR devotes a great deal of attention to the security of the processing. This is necessary since, due to the technological developments, personal data are often stored in the cloud and thus are highly vulnerable to violations (e.g. hacking).

The controller must take the appropriate technical and organisational measures so that it can be responsible for a security level that matches the risks. Examples of protective measures are pseudonymisation and encryption. In a number of cases a “data protection impact assessment” will be obligatory.

Report of data breaches within 72 hours

The GDPR obliges the controller to report significant violations relating to personal data (data breaches) to the supervisory authority within 72 hours after it has learned of the violation. If the violation entails no risk for the rights and freedoms of natural persons, this reporting duty does not apply. However, if this violation entails a very high risk for the rights and freedoms of natural persons, they must themselves be informed thereof.

Data protection officer 

As of the entry into force of the GDPR, some controllers and processors will have to appoint a Data Protection Officer (“DPO”). A DPO must be appointed in three cases: (i) the processing is done by a government authority or government body, (ii) the controller or processor is primarily entrusted with large-scale processings of sensitive data and (iii) processing by a controller or processor who has as its essential activity the implementation of processing activities requiring large-scale, regular and systematic observation of involved parties.

The DPO will play a major role in the implementation of the GDPR within these companies. The DPO must be an expert in the area of the data protection laws and practices.

Register of processing activities

One innovation that has been welcomed is the disappearance of the obligation for controllers to report the automated data processings to the Privacy Commission. The Belgian legislation will have to be adapted in this sense. 

As of 25 May 2018, larger controllers and controllers that systematically personal data process must keep a written or electronic register of all processing activities. The supervisory authority will be able to see this register at any time in order to monitor the processing activities. 

Transfer to third countries & binding company regulations 

The forwarding of personal data outside of the European Union is only authorised when the receiving country offers a suitable level of protection or an exemption from the rule applies. The European Commission has recognised a number of countries and regions that offer a suitable level of protection. Examples are Switzerland and the US, at least in so far as the company is affiliated with the EU-US Privacy Shield (successor of the Safe Harbour). If a region/country does not enjoy such a recognition, the controller must provide additional guarantees.   

A first possibility that the GDPR offers is the provision of binding company regulations. These internal codes of conduct are a useful instrument for multinationals that want to set up data streams within their group. These standard operating procedures must be approved by the supervisory authority. 

Another possibility is the affiliation with an approved code of conduct or certification mechanism. Contractual provisions with regard to data protection can also suffice if these are established by the European Commission or by a supervisory authority. One exemption for a specific situation is where the party concerned gave its unambiguous consent for the retransmission to a non-EU country.

Strict sanctions 

The supervisory authority receives the power to impose administrative fines for violations of the GDPR. The administrative fines must be effective, proportional and dissuasive. When imposing a fine, the supervisory authority takes mitigating or aggravating circumstances into account (e.g. earlier violations, intentional negligence). 

The maximum amounts are very high. For a number of violations the fine can amount to 10 million euros or, in the case of a company, to 2% of the total worldwide turnover in the preceding financial year if that figure is higher. For example, this is the case if no register of processing activities is kept, or in event of failure to appoint a data protection officer.

The vast majority of GDPR violations can be sanctioned with a fine of up to 20 million euros, or in the event of a company up to 4% of the total worldwide turnover in the preceding financial year if that figure is higher. For example, this is the case for an unsecured transmission of personal data to third countries or the processing of personal data without there being a legal ground for doing so.