European regulations GDPR & Privacy
Always more often we hear about European Regulations EU 2016/679 in the field of privacy.
The new European regulations introduce clearer rules about the privacy policy, they define limits to the automated processing of personal data and lay the foundations to exercise new rights, like the right to oblivion. They also establish strict criteria for data transfer outside the European Union and for personal data breach.
The Regulations is directly applicable and binding in all member states of the European Union and it does not require its own national law thanks to the one-stop shop, which simplifies the management of treatments and guarantees a uniform approach. Except for specific cases, the companies established in several member states or that offer products and services in various countries of the European Union, to solve possible problems about application and compliance of the Regulations they can contact only one interlocutor.
What has changed and what has not:
"Privacy Consent" - What Changes
- for sensitive data the consent must be “explicit” (art. 9); the same for decisions based on automated processing (profiling included – art. 22);
- the owner (art. 7.1) must be able to demonstrate that the data subject has consented to a specific treatment;
- the consent of the minors is valid from 16 years (the age limit can be lowered up to 13 years by national legislation);
"Privacy Consent" - What does not change
- it must be, in all cases, free, specific and unequivocal; tacit consent or alleged is not permitted (no to pre-selected boxes on a form);
- it must be expressed through a "declaration or unequivocal positive action”;
"Privacy Policy" - What Changes
- the owner must always specify the contact details of RPD-DPO if it exists, the legal basis of the treatment, as well as the possible transfer of personal data to third countries;
- in the case of personal data not collected directly (art. 14), it must be provided no later than one month after collection;
- the privacy policy is given, in principle, in writing and preferably in electronic format (see art. 12, paragraph 1);
"Privacy Policy" - What does not change
- the privacy policy (art. 13 and 14 of regulations) must be provided to the interested party before collecting data;
"Right to limit the treatment (art. 18)" - What Changes
- This is a more extensive right than the treatment "block" of art. 7, subsection 3 of the code: it can be exercised not only in case of violation of the conditions of the treatment, but also if the interested part requests the correction of the data or opposes their treatment;
The Regulation promotes the responsibility of the owners and the adoption of approaches and policies that constantly consider the risk that a specific personal data treatment involve for rights and freedoms of party concerned.
The key principle of the new regulation is based on the concept of the «privacy by design», ie guaranteeing data protection right from the design and planning stage of a treatment and adopt behaviors that allow to prevent possible problems. For example, there is an obligation to make impact assessments before proceeding to a data treatment that presents high risks for the rights of persons.
“Administrative penalties”
The president for GDPR Italian Authority, Antonello Soro, states in an interview on 05/21/2018 of “italiaoggi” that administrative sanctions are only part of the possible “reactions” to the offense.
Some figures about administrative penalties:
- up to 20 million for individuals;
- up to 4% of worldwide annual total turnover for the companies;
Download here the official regulation of the European parliament updated to the corrections published in the Official Journal of the European Union 127 of 23 May 2018.
Runscode and a team of professional experts in the field of privacy are always available.
For any information do not hesitate to contact us.
