Changes in the area of personal data protection effective from 25 May 2018 pursuant to Regulation 2016/679
1 / Tightening the proof of consent
Consent cannot be part of the terms of a contract, nor be inferred from assumption or inactivity.
2 / For children under 16 years of age, the consent of the legal representative is required
The requirement for the legal representative’s consent has been introduced and will have to be met by appropriate means: either by confirming that such consent has been given where the person is younger, or by stating that the service is not intended for younger persons.
3 / Duty to Appoint a Responsible Person (Data Protection Officer)
Public bodies, processors of special categories of personal data and those who carry out large-scale monitoring of the persons concerned will have to appoint a so-called responsible person, who must be professionally qualified for this role. For breach of this obligation, or for appointing a responsible person only “pro forma”, the fine is up to 10 million EUR.
The role can be filled by an employee or by an external contractor, in which case a simplified procurement procedure without an electronic marketplace is possible. A disadvantage of an employee is their limited liability for damage; with an external supplier, insurance cover for that same liability is the advantage.
Municipalities and other bodies governed by public law may also appoint a shared responsible person in order to save costs.
The basic tasks of this person include advising, supervision and communication with the Office.
The responsible person must be involved in all relevant internal procedures and must report directly to the statutory body.
Obligation to keep records and to report security incidents
Anyone who employs at least 250 employees or processes special category data must keep records covering the scope and purpose of the data processing, transfers to third countries, erasure periods, security measures, and so on.
In the case of a security breach or data leak, it must be reported to the Office within 72 hours, and also to the affected persons if there is a serious breach of their rights.
Obligation to carry out a Data Protection Impact Assessment
If a particular type of processing of personal data entails a high risk for the persons concerned (health information, biometric data, etc.), the operator is required to carry out a data protection impact assessment and, if the risk is confirmed, to ask the Office for consultation.
Right to erasure and data portability
Everyone will be able to request that their data be deleted from search engines; for this purpose Google, Yahoo … and other operators will provide the necessary forms on their sites. There will also be a right to receive one’s data and have it transferred to another operator free of charge.
Sanctions – a fine of up to 20 million EUR, or 4% of annual turnover, may be imposed for violations.
The first step in bringing the company’s internal environment into compliance with the regulation should be to analyze its documents and procedures (contracts, business documents and correspondence, website, internal regulations, etc.) together with a lawyer or other expert, in order to determine where changes need to be made.