GDPR Key Changes

In this article, Gurcan Partners Founding Partner Att. Bedrettin Gürcan outlines the key changes introduced by the GDPR, which applies from 25 May 2018.

The existing data protection instrument, Data Protection Directive 95/46/EC, was adopted on 24 October 1995 and regulates the processing of personal data in the EU. From 25 May 2018 it is replaced by the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).

As a regulation rather than a directive, the GDPR is binding in its entirety and directly applicable in all Member States of the European Union, without the need for national transposition.

The Regulation was designed after several disputes about data protection, and judgments of the Court of Justice of the European Union shaped its preparation. The Slovakia-Hungary case (Weltimmo, C-230/14) is a good example of how much of data protection was a grey area under the Directive.

Slovakia-Hungary Case Before GDPR

On 1 October 2015 the Court of Justice of the European Union concluded that Weltimmo, a company registered in Slovakia that ran property websites dealing with Hungarian properties, had an establishment in Hungary and was therefore subject to Hungarian data protection law. The court also held that a national supervisory authority cannot impose penalties on the basis of another Member State's law against a controller established in that other State; it must instead ask the competent authority there to act.[1]

Increased Territorial Scope (EXTRA-TERRITORIAL APPLICABILITY)

The GDPR extends territorial scope: it applies to all companies processing the personal data of data subjects who are in the Union, regardless of where the company is established.

This covers processing related to offering goods or services to data subjects in the EU and to monitoring their behaviour as far as it takes place within the EU. Whether a payment is required for those goods or services is irrelevant: a company offering free services to people in the EU falls within the GDPR's scope just as a paid one does.

Penalties

Revenue-based fines will be the biggest impact of the GDPR once it applies on 25 May 2018. The GDPR aims to give Member States' citizens back control of their personal data, in particular vis-à-vis tech giants such as Google Inc. or Facebook Inc.

This is the reason behind revenue-based fines of up to 4% of annual worldwide turnover or €20 million, whichever is greater. (A lower tier of up to 2% or €10 million applies to less serious infringements, such as breaches of the record-keeping or breach notification duties.)

The upper tier applies to the most serious infringements, such as processing without a valid legal basis or sufficient consent, or violating the basic principles that underpin Privacy by Design.

Importantly, these fines apply to both controllers and processors, so cloud service providers are exposed as well.

CONSENT

Companies must request consent in clear and plain language, in an intelligible and easily accessible form, and it must be as easy to withdraw consent as it is to give it.

Combined with the extra-territorial scope, this means the GDPR will capture many more overseas companies than the current Directive.

Data Subject Rights

  1. Breach Notification

Under the GDPR, notifying the supervisory authority of a personal data breach becomes mandatory in all Member States where the breach is likely to result in a risk to the rights and freedoms of individuals. The controller must notify within 72 hours of becoming aware of the breach, where feasible, and must also inform the affected data subjects without undue delay where the breach is likely to result in a high risk to them. A processor must notify the controller without undue delay after becoming aware of a breach.

  2. Right to Access

The GDPR aims at transparency and empowerment of data subjects and expands the right of access. On request, the controller must confirm whether personal data concerning the data subject are being processed and, where they are, which data, where and for what purpose. It must also provide a copy of the personal data free of charge, in a commonly used electronic format where the request was made electronically.

  3. Right To Be Forgotten

Another name for the right to be forgotten is the right to erasure. In 2014, in Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, the Court of Justice of the European Union ruled that the operator of an Internet search engine is responsible for the processing that it carries out of personal information appearing on web pages published by third parties.[2]

The GDPR codifies this case law in Article 17 as the right to erasure ('right to be forgotten').

The data subject can require erasure where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  • the data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing;
  • the data subject objects to the processing and there are no overriding legitimate grounds for the processing.

The right to erasure does not apply to the extent that processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise or defence of legal claims.

  4. Data Portability

Data portability is introduced by the GDPR: the data subject has the right to receive the personal data concerning them that they have provided to a controller, in a 'structured, commonly used and machine-readable format', and to transmit those data to another controller without hindrance.

It is a completely new right that comes with the GDPR.

  5. Privacy By Design

Privacy by Design is not a new concept, but the GDPR makes it a legal obligation. Article 25(1) provides that:

“the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”

In practice, data processing must be designed carefully: appropriate technical and organisational measures and procedures must be in place from the outset so that processing complies with the GDPR and protects the rights of the data subjects, rather than being bolted on afterwards.
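As an added illustration of the two "technical measures" Article 25 names, pseudonymisation and data minimisation, the following Python example is not code from the article or from any product; the analytics field list, the sample records, the candidate address list and the fixed key are all constructed assumptions. It contrasts unkeyed hashing of an e-mail address, which an attacker undoes simply by recomputing the hash for guessed addresses, with an HMAC under a secret key held separately from the data, and it strips the fields the stated purpose does not need before anything is stored.

```python
"""Keyed pseudonymisation and data minimisation as 'technical measures'.

Added, illustrative example; not code from the article or from any product.
The key below is a constructed constant so the example is deterministic; in a
real deployment it would be generated randomly and held in a KMS or HSM,
separately from the pseudonymised data.
"""
import hashlib
import hmac
from typing import Iterable, List, Optional

# Constructed 32-byte key. Keeping it apart from the data is what makes the
# output pseudonymous rather than merely obfuscated.
PSEUDONYMISATION_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

# Hypothetical analytics purpose: these are the only fields it needs, so
# everything else is dropped before storage (data minimisation).
ANALYTICS_FIELDS = frozenset({"event", "page", "timestamp"})


def normalise_email(email: str) -> str:
    """Canonicalise so the same person always maps to the same pseudonym."""
    return email.strip().lower()


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256. Looks anonymous, but anyone can recompute it from a
    guessed e-mail address, so it is not an effective pseudonymisation."""
    return hashlib.sha256(normalise_email(identifier).encode("utf-8")).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: without the key, a guessed identifier
    cannot be checked against the stored token."""
    data = normalise_email(identifier).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def reidentify(token: str, candidates: Iterable[str],
               key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack: recompute the token for each candidate identifier.
    With key=None the attacker only has the unkeyed construction to try."""
    for cand in candidates:
        guess = pseudonymise(cand, key) if key is not None else naive_hash(cand)
        if hmac.compare_digest(guess, token):
            return cand
    return None


def minimise_event(event: dict, key: bytes) -> dict:
    """Keep only the fields the purpose needs and replace the direct
    identifier (e-mail) with a keyed pseudonym; name and IP are dropped."""
    kept = {k: v for k, v in event.items() if k in ANALYTICS_FIELDS}
    kept["subject"] = pseudonymise(event["email"], key)
    return kept


def minimise_all(events: Iterable[dict], key: bytes) -> List[dict]:
    return [minimise_event(e, key) for e in events]


# Constructed sample records, as an application might log them before minimisation.
SAMPLE_EVENTS = [
    {"email": "Alice@Example.com", "name": "Alice", "ip": "203.0.113.7",
     "event": "login", "page": "/account", "timestamp": "2018-05-25T09:00:00Z"},
    {"email": "bob@example.com", "name": "Bob", "ip": "203.0.113.8",
     "event": "view", "page": "/pricing", "timestamp": "2018-05-25T09:01:00Z"},
]

# Constructed list an attacker might enumerate (e.g. a leaked address book).
CANDIDATE_EMAILS = ["carol@example.com", "alice@example.com", "bob@example.com"]

if __name__ == "__main__":
    for rec in minimise_all(SAMPLE_EVENTS, PSEUDONYMISATION_KEY):
        print(rec)
    weak = naive_hash("alice@example.com")
    print("unkeyed hash re-identified as:", reidentify(weak, CANDIDATE_EMAILS))
    strong = pseudonymise("alice@example.com", PSEUDONYMISATION_KEY)
    print("keyed token re-identified without key:", reidentify(strong, CANDIDATE_EMAILS))
```

Two caveats follow from the design. First, whoever holds the key can reverse the mapping (that is what `reidentify` with the key shows), so the key must be stored and access-controlled separately from the pseudonymised records and rotated if it is exposed. Second, Recital 26 of the GDPR states that data which have undergone pseudonymisation remain personal data, so the minimised records are still within scope; pseudonymisation reduces risk and satisfies Article 25, it does not take the data outside the Regulation.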

  6. Data Protection Officers

Under Data Protection Directive 95/46/EC, controllers are required to notify their data processing activities to local DPAs, which for multinationals is a very bureaucratic exercise, as most Member States have different notification requirements. The GDPR abolishes this general notification duty and replaces it with internal record-keeping requirements (records of processing activities). In addition, the GDPR makes appointing a Data Protection Officer mandatory for public authorities and for controllers and processors whose core activities consist of large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of data.