The new rules on personal data protection (GDPR) were approved on April 14, 2016 and are expected to come into force in May 2018. These rules will apply not only to European companies, but also to companies from other countries that offer goods and services in the European Union.
These rules supersede the European Union Directive adopted in 1995, which is still in force today. What will be new in the field of personal data in Europe?
First, regulation can now extend to companies outside the EU.
Any company that processes personal data in order to offer goods or services in the EU (including free ones), or that monitors the behavior of people in the EU, must comply with the rules. Offering goods and services in a specific EU country is understood as using the language or currency of that country and making it possible to order goods or services there. Monitoring is understood as using special technologies that allow data about the user to be used to influence his choices or determine his preferences. So companies that are physically located outside the EU but virtually affect users in the EU are subject to the new rules.
Secondly, the regulation requires that users' consent be obtained for the processing of their personal data, and separate consent will be needed for processing data for different purposes. Such consent must be free, informed and specific, and it may be withdrawn at any time. Consent will not be considered free if the user is forced to give it in order to gain access to the site, program or application. The exceptions are cases where the user's personal data is required to perform an agreement. Where personal data is collected and processed for marketing purposes, the user must be able to object to the collection and processing of his data, and the user's attention must be drawn separately to the fact that he has this right.
Thirdly, companies working with personal data will have new responsibilities. They will have to keep records of operations on personal data (the type of data and the purposes for which it is processed) and conduct an internal audit. Projects involving the use of personal data will have to provide for certain duties on the part of companies. For example, the duty to minimize the use of data in accordance with the principle of data protection by design (i.e., to limit the use of data to specific purposes and to use anonymized data whenever possible). All companies will have to adopt internal documents setting out the measures to be taken in case of a violation of the procedure for handling personal data.
Fourth, companies must notify the regulatory authorities within 72 hours of any breach involving personal data. Companies will also need to keep an internal register of breaches.
Some provisions of the new document relate to the cross-border transfer of personal data. When transferring data outside the EU, you will need to inform users about the risks involved. Cross-border transfer of personal data within companies of the same group is possible, but at the same time all companies belonging to the group must have mandatory corporate rules regarding the protection of personal data.
Finally, it is necessary to note the increase in penalties for violations. The maximum fine will now be either 20 million euros or 4% of the company's annual global turnover.
Discussing the new changes, European lawyers point out that companies working with personal data will have to carry out a large amount of work to bring their activities into line with the new rules: for example, develop new internal documents, conduct an internal audit, review existing agreements with users, train staff and appoint responsible persons within the company.