European legislation on privacy and the processing of personal data is being thoroughly revised. Two decades after the European framework was created in the Privacy Directive 95/46/EG (the “Privacy Directive”), the European Parliament and the Council of the European Union adopted the General Data Protection Regulation (the “Privacy Regulation”) on 27 April 2016. The Privacy Regulation came into force on 25 May 2016 and will apply to the processing of personal data within the European Union from 25 May 2018 onwards. Hence, companies have until 25 May 2018 to comply with the Privacy Regulation. This newsflash elaborates on its requirements.
Currently: the Privacy Directive
The Privacy Directive was adopted in 1995. A directive does not have direct effect; it instructs the Member States on the requirements their national legislation must meet. In the Netherlands, the Privacy Directive was implemented in (amongst others) the Dutch Data Protection Act (
As of May 2018: the Privacy Regulation
In 2012, the European Committee announced its intention to harmonise privacy law in the European Union by means of a regulation. Unlike a directive, a regulation is directly applicable in all Member States. In December 2015, the Member States agreed upon the regulation’s text. In April 2016, the European Parliament and the Council of the European Union adopted the Privacy Regulation. On 25 May 2016, the Privacy Regulation came into force. To give all parties concerned ample opportunity to comply with the new requirements, a two-year transition period was adopted. Therefore, the legal regime of the Privacy Regulation will apply from 25 May 2018. As of that date, a single privacy law will apply throughout the EU, instead of 28 different national laws. Until that time, the Wbp remains in place in the Netherlands.
The Dutch implementation act
On a number of important topics, the Privacy Regulation still leaves the Member States some leeway to draft their own rules. The regulation also contains many open concepts and norms that need to be shaped and sharpened in practice; this too requires national legislation. To this end, the Ministry of Safety and Justice made the Implementation Act for the General Data Protection Regulation available for
Scope Privacy Regulation
The territorial scope of the Privacy Regulation is wider than that of the Privacy Directive: it has been extended beyond the EU, and the regulation also applies to processors. The Privacy Regulation applies to the processing of personal data in the context of the activities of an EU-based entity, either by a
What does the Privacy Regulation expect from you?
The Privacy Regulation emphasises organisations’ responsibility to comply with the law and to demonstrate that compliance (‘accountability’). To this end, the Privacy Regulation prescribes a set of binding measures that all companies (in their capacity as controller) must implement. Some important obligations:
- Obligations to demonstrate compliance and to keep a register: as of 25 May 2018, entities are no longer required to notify the national regulator when they process personal data. Instead, the obligation to demonstrate compliance applies: every entity has to demonstrate that it has taken all necessary organisational and technical measures to comply with the Privacy Regulation. Moreover, the entity has to set up and maintain a register of the personal data it processes. This register should also state the purpose and retention period of each processing activity.
- Consent: in certain instances, processing personal data requires the data subject’s consent. The Privacy Regulation places emphasis on the rules on consent. For example, an entity has to be able to demonstrate that consent was given validly. Moreover, withdrawing consent has to be as easy as giving it.
- Data Protection Officer: under the Directive, it was already possible to appoint an officer to supervise the processing of personal data. This person is, among other things, responsible for keeping an inventory of data processing operations and for recording all reports of data processing. Moreover, the officer is the contact person for all complaints and questions from inside and outside the organisation. Under the Privacy Regulation, some companies are obliged to appoint a data protection officer. This applies, amongst others, to entities that process vast amounts of special personal data (such as medical data).
- Privacy Impact Assessment (PIA): should a company intend to apply a specific type of processing (where new technologies are being used), it may be obliged to perform a privacy impact assessment (“PIA”) beforehand. This is the case when the processing entails a serious privacy risk for the data subjects concerned. During the PIA, the impact of the planned project is evaluated, together with the potential risks involved and less risky alternatives that lead to the same results.
- Extensive privacy statement: companies are required to publish a privacy statement. The Privacy Regulation sets requirements for the content and form of this statement. One of these requirements is that the statement be drafted in comprehensible language.
Are you ready?
It is important to prepare your company for the obligations the Privacy Regulation imposes. Ovidius is happy to help!