By Marcin Gabryszak, Pałucki Trusiński Prawo i Podatki sp.j., Trainee Advocate, IT Law Specialist
Undoubtedly, 2016 is the year of an important turning point with respect to obligations concerning personal data processing. A new EU regulation is to replace Directive 95/46/EC. Because of the wide scope of the planned changes, the uniform provisions will not apply in all European Union countries until 2018. Even though, due to its nature, the regulation will be directly applicable without transposition, it is already obvious that the national legislator will have to put a lot of work into reviewing and amending a number of legal acts that continue to function in their current form.
The main aim of introducing uniform regulations within the European Community is to raise the already high level of personal data protection. Another important aim of the regulation is to reduce costs and administrative burden by simplifying the regulatory environment as far as possible. This aim is to be achieved at the price of significantly increased responsibility for data controllers and for the entities that process personal data on their behalf. In particular, personal data controllers will be obliged to select, and then implement, technical and organisational measures appropriate to the risk of the processing, so that personal data are protected as completely as possible.
Moreover, personal data controllers will be obliged to inform the Inspector General for Personal Data Protection (GIODO) about a personal data breach in the company without undue delay and, where feasible, no later than 72 hours after becoming aware of it. The only exception will be the situation in which the breach is unlikely to result in a risk to the rights or freedoms of the persons concerned.
Legal sanctions imposed on personal data controllers will definitely be more severe. The GIODO will have the right to impose administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4 percent of its total worldwide annual turnover for the preceding financial year, whichever is higher.
Furthermore, a cooperation procedure will be introduced for the personal data protection authorities of each of the 28 European Union member states. This will strengthen cooperation, which is currently significantly limited. This synergy should also result in better personal data protection and make it easier to draw on the experience of the authorities of individual European Union countries. The uniform system will also allow a complaint to be lodged with the authority of the complainant's own member state, irrespective of the country in which the breaching entity is established. In other words, a person living in Germany will have the right to complain to the German data protection authority about a Polish company.
Data controllers will also be obliged to use the simplest and most easily understandable language possible when communicating the manner and purpose of data collection, as well as when providing information on who the data controller is. The regulation is also to ensure that citizens have better access to information on how their data are processed. In addition, the procedure for transferring personal data to other entities (processors and other providers), including foreign ones, will be easier.
The ability to use modern marketing techniques, especially profiling, will be limited. According to the regulation, each citizen will have the right not to be subject to a decision based solely on automated processing, including profiling, if such a decision produces legal effects concerning them or similarly significantly affects their situation. Such decisions will be allowed only when the controller has a legal basis for them: generally, this will require the explicit consent of the person whom the data concern, unless the decision is necessary for performing a contract with that person or is authorised by law.
Clearly, a number of changes are ahead of us and we should be well prepared for them. The new regulations will require greater involvement of entrepreneurs in personal data protection. It is obvious that the implementation of this regulation will open a new chapter in personal data processing inspections, which may well intensify. Consequently, one should follow the legislative process and adjust current practices to the new reality.