In 2018, the month of May will be a little different from what we are used to. The time will come to implement the GDPR, which is a complex and serious topic. If everything is to go smoothly and in accordance with the law, it is high time for companies to start preparing now. Training the responsible employees and introducing the necessary processes take time, and there is little time left until May.
What is GDPR and what led to its creation?
Rapid technological development and globalization have brought with them new challenges in the field of personal data protection. The scale on which personal data is collected and shared has increased significantly. One of the most important legislative changes in the business environment in 2018 is the new EU Regulation No. 2016/679, the so-called GDPR (General Data Protection Regulation), which will enter into force throughout the EU from 25.05.2018. The primary goal of the GDPR is to ensure a high level of protection of the personal data of natural persons, regardless of where and under what circumstances the data is processed.
The GDPR considers as personal data any information that can directly or indirectly identify a specific natural person. Typical personal data are a first and last name, a birth number or an ID number. Some data, such as an e-mail address or a phone number, may or may not be personal data. This depends on whether it is possible, on the basis of that data alone or in combination with other data, to find out directly or indirectly (with the help of a third party) who the person is. The category of personal data also includes various pseudonymized data for which there is a possibility of identifying the person through third parties. Other personal data may be:
- a photo,
- an account number,
- location data,
- other data of a technical nature, such as an IP address or cookie files.
While some personal data is processed on the basis of the law or within the framework of fulfilling contractual obligations, other data is obtained by entrepreneurs on the basis of the consent of the person concerned. According to the GDPR, such consent must be specific, freely given, informed and unambiguous (that is, it cannot simply be part of the terms and conditions), and the entrepreneur must be able to demonstrate at any time that consent to the processing of personal data was actually granted.
While fines under the original Personal Data Protection Act reach a maximum of EUR 200,000, the GDPR stipulates fines of up to EUR 20,000,000, or up to 4 % of worldwide annual turnover, for breaches of personal data protection obligations.
Directive 95/46/EC of the European Parliament and of the Council applies to all processing of personal data in the Member States, both in the public and private sectors. However, it does not apply to the processing of personal data as part of activities that are outside the scope of Community law, such as activities in the field of judicial cooperation in criminal matters and in the field of police cooperation.