New General Data Protection Regulation
After four years of negotiation, the final text of the General Data Protection Regulation (“GDPR”) was agreed and became effective on May 24th. The GDPR is particular in many ways: the EU has never had a data protection regulation that is directly applicable in all EU countries, and the GDPR is especially strict. The EU Member States and the companies have 2 years to comply with the provisions. But what innovations are expected?
- Extended scope: the GDPR applies even to companies from third countries if they wish to provide services in the EU.
- Every user must be entitled to have their personal data deleted, if they do not intend to use the services anymore.
- Clear consent must be obtained for the data processing, even from the parents in the case of children under age 16.
- Applying Binding Corporate Rules (“BCR”) has become an expressly recognizable way to support intra-group international data transfers.
- Attacks by hackers trying to steal or succeeding in stealing personal data from your server? Personal data breaches now have to be reported to the users. Data protection authorities (“DPAs”) must also be notified about breaches without delay.
- The amount of an administrative fine can reach 4 % of the total worldwide annual turnover of the preceding financial year, compared to today’s maximum HUF 20,000,000 fine.
- The data processors must designate a data protection officer (“DPO”), if the data processor is a public authority, or the core activities of the company require regular and systematic data monitoring, or the data it is monitoring includes special categories of data. The DPO must have special knowledge.
- Companies have the right to have their cases dealt by authorities based in the countries of their parent companies, this is the “one-stop shop” principle.
We at Noerr willingly help you with:
- reviewing your present data protection regulations,
- providing you with legal advice about the GDPR,
- drafting data protection regulations for complying with the GDPR provisions.