In this article, Gurcan Partners Founding Partner Att. Bedrettin Gürcan will mention about GDPR Key Changes, which will come into force from 25th May 2018.
GDPR Key Changes
The existing data regulation, Data Protection Directive 95/46/EC, has entered into force on October 24th, 1995 regulates the processing of personal data in EU. However, from 25 May 2018 new data protection regulation, GDPR (General Data Protection Regulation) shall apply.
This Regulation shall be binding in its entirety and directly applicable in all Member States of European Member.
This regulation is designed after several disputes about data. Some verdicts of the European Court of Justice lead the preparation of it. Slovakia-Hungary Case was one of the good examples of how data protection was the grey area.
Slovakia-Hungary Case Before GDPR
In 1st October 2015, the European Court of Justice concluded that a Slovakian property website was established in Hungary and therefore subject to Hungarian data protection law. In the judgment, the court stated that Slovakia cannot impose penalties on the basis of the law of that Member State on the controller with respect to the processing of those data who is not established in the Slovakian territory.
An overview of the main changes under GPDR and how they differ from the previous directive:
(GDPR Key Changes)
Increased Territorial Scope (extra-territorial applicability)
GDPR extends the jurisdiction as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.
It means that GDPR applies the activities relate to offering goods or services to EU citizens and the monitoring of behavior that takes place within the European Union. GDPR even does not look at payment of these goods or services.
Whether there is a payment or not, GDPR shall apply all activities relate to offering good or services to EU residents. It means even free selling will be responsible for GDPR.
Revenue-based fines will be the biggest impact of GDPR after entering into force when 25 May 2018. GDPR aims to take control of Member State’s citizen’s personal data especially from the tech giant companies as Google Inc. or Facebook Inc.
It is a reason behind revenue-based fines of up to 4% of the annual worldwide turnover of these companies or € 20 Million. (Whichever is greater)
This fine can be imposed for most serious infringements like a not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.
The important factor is these fines will apply to both controllers and processors. (Even cloud companies)
The companies should use clear and easily understandable terms of conditions. Moreover, consent must be as easy to withdraw consent as it is to give it.
GDPR will capture more overseas companies than the current Directive.
Please contact us via email. You can check our offices in the five EU Countries.
We endeavor to respond within 24 hours.
Or Call Us
+49 211 976 35 818 (English)
Data Subject Rights
1) Breach Notification
Notification will become mandatory in all member states where a data breach is likely to result in a risk for the rights and freedoms of individuals according to GDPR. This notification must be done within 72 hours of first having become aware of the data breach. Data processor also should warn their customers, controllers, without undue delay.
2) Right to Access
GDPR aims to create transparent and empowerment of data subjects. GDPR expanded rights of data control. The data controller shall share how and which personal data are processed where and what purpose. Moreover, they should share a copy of personal data free of charge, in an electronic format.
3) Right to be Forgotten
Another call for a right to forgottan is right of erasure. In 2014, The European Court of Justice ruled in the case of Google Spain SL, Google Inc., and Agencia Española de Protección de Datos, Mario Costeja González, Internet search engine operator, Google is responsible for the processing that it carries out of personal information which appears on web pages published by third parties.
It was the foreseen of this article and GDPR regulates right to be forgotten.
To apply for this right:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- In case there is no other legal ground for the processing;
- there are no overriding legitimate grounds for the processing,
In these conditions, data erasure shall not apply to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defense of legal claims.
4) Data Portability
Data portability is introduced by the GDPR. The right for a data subject to receive the personal data concerning them, which they have previously provided in a ‘commonly use and machine-readable format’ and have the right to transmit that data to another controller.
It is a totally new clause, come with GDPR.
5) Privacy by Design
It is not a new concept coming with GDPR. However, GDPR regulates it as:
‘’ the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.’’
Settlement of the data should be done carefully and implement appropriate technical and organizational measures and procedures from the outset to ensure that processing complies with GDPR and protects the rights of the data subjects.
6) Data Protection Officers
Under the Data Protection Directive 95/46/EC, controllers are required to notify their data processing activities with local DPAs, which, for multinationals, which is a very bureaucratic way with most Member States having different notification requirements. GDPR solve these bureaucratic processes. GDPR shall bring internal recordkeeping requirements.
To check other details of GDPR Key Changes, please look: GDPR Full Text
Check out Gurcan Journal for more articles in 13 languages. Schedule your online meeting below.
To read our other articles:
- Company Formation in Germany
- Company Formation in Europe
- Company Formation in the Czech Republic
- Company Formation in Hungary
- Company Formation in Serbia
- Company Formation in Estonia
- Company Formation in Kuwait
Att. Bedrettin Gürcan I Partner
Gurcan Partners Europe
The article: GDPR Key Changes
All rights reserved. All rights of GDPR Key Changes article belong to Gurcan Partners. The author has no responsibilities from the information in this article. This article is prepared just to inform.
 (Accessed 19 April 2018) http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d2dc30dd9a52251ae8ba490d8f5cccc91dfdbfc3.e34KaxiLc3qMb40Rch0SaxyNbN90?text=&docid=168944&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=4607
 (Accessed 19 April 2018) http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631
Please contact us for accounting service in Germany.
We will back to you within 24 hours.
Or Call Us
+49 211 976 35 818 (English)