Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) will enter into force on 25 May 2018.
The existing Directive 95/46/EC is repealed upon the entry into force of the Regulation (GDPR). The Directive envisages the establishment of national regimes for personal data protection, emphasizing the registration of controllers of personal data processing and their activities. Since data processing is more often than not cross-border, the legislative solution of leaving the means of attaining its objectives to the discretion of the Member States has proved to be ineffective. Therefore, it has become necessary to adopt a regulation introducing specific binding rules for the whole EU territory as from the fixed date of entry into force, i.e. 25 May 2018.
The new legal framework will require every person processing personal data to prove compliance with the GDPR rules, including the implementation of adequate technological and organizational measures to ensure the security of information. National personal data protection authorities – in Bulgaria, the Personal Data Protection Commission – are vested with substantial new powers.
Infringements of the GDPR are subject to fines of up to EUR 20 million or up to 4 % of the annual turnover of the undertaking. Furthermore, the Regulation introduces the obligation to transfer processed personal data only to persons who also comply with the provisions of the new legislation. This implies an indirect sanction, as any infringement of the Regulation would lead to the relevant undertaking losing its business counterparties.
The GDPR also provides for the right of the data subject to claim compensation in the case of a violation of the data subject's rights through unauthorized collection of or access to data.
The major differences between the GDPR and Directive 95/46/EC, which will remain effective until 25 May 2018, can be traced along several lines. Personal data controllers will no longer be required to register before they begin collecting data. However, any person may be inspected by the national data protection authority and, where personal data processing is carried out, that person will have to prove compliance with all statutory requirements.
The main provisions of the new Regulation are intended to safeguard the lawfulness of personal data processing. The first requirement to this effect is to have grounds for the collection of personal data; in fact, any data-related activity should be necessary either for the performance of a contract or for compliance with a legal obligation. For instance, it would be lawful to collect data on the bank account of the data subject provided that a payment is to be effected to this account under a contract. The specific condition laid down in the Regulation is that such information should not subsequently be used for purposes other than those for which the data were initially collected. Data processing is also lawful when the data subject gives his or her explicit consent. But this consent must have been given freely; otherwise, even when the consent of the data subject is available, data protection authorities could and would impose sanctions.
Another requirement is limiting data processing to a strict minimum, i.e. only the data needed for the specific purpose. Any collection or storage of personal data beyond this framework, e.g. the collection of health data for the purpose of signing a contract for the provision of telecommunication services, would constitute an infringement under the Regulation. There are restrictions on the subsequent storage and processing of personal data, as such activities are allowed only for the purposes for which the data were initially collected.
Further restrictions apply to the transfer of data to third parties, notably that third parties should also comply with the Regulation, regardless of their location. Hence the Regulation applies not only to personal data controllers established within the EU but also to all persons processing personal data of EU citizens.
Furthermore, each personal data controller should undertake adequate organizational and technical measures to ensure the protection of the personal data made available to such controller. These measures include the introduction of specific obligations for the controller’s employees and the introduction of software applications that enable continuous control of access to the personal data stored. For this purpose, internal inspection procedures should be put in place, and the controller is required to inform the relevant national authority (the Personal Data Protection Commission in Bulgaria) forthwith of any identified personal data breach, so as to mitigate the potential adverse effects for the data subjects. A specific organizational measure to be undertaken by controllers processing personal data on a large scale is the appointment of a data protection officer on the basis of either an employment contract or a services agreement.
The Regulation envisages several specific rights of data subjects, for which controllers have to introduce the relevant procedures ensuring the exercise of these rights. For instance, any data subject has the right of access to the personal data which have been collected concerning him or her and the right to demand rectification of data which are inaccurate. Data subjects are entitled to demand deletion of the stored data concerning them or limited processing (processing for fewer purposes or processing of less information).
The General Data Protection Regulation introduces substantial changes to personal data processing rules. In practice, it applies to almost every undertaking with regard to the data it stores, be it data concerning its own employees or its clients. However, these rules are only part of the EU legislative measures proposed in relation to the development of the digital single market. The EU strategy in this sphere also includes the proposed Regulation on Privacy and Electronic Communications (E-privacy), to be applied together with and in addition to the personal data protection regime. The discussion of the proposal has already started. The new rules will cover the security of data in electronic communications and end-users’ devices, ranging from telephones to industrial equipment. At present, the scope of the amendments covers such issues as automatic software updates, the communication of information on the operation of the relevant device, and the processing of such information.