Starting May 25, 2018, important changes to the legislation on personal data protection in Europe take effect with the entry into force of Regulation (EU) 679/2016, known as the General Data Protection Regulation (GDPR).
Romanian companies such as hospitals, insurance companies, public transport companies, banks, and Internet and telephony providers will have to designate a person responsible for personal data protection, as provided for by a European normative act that applies directly in all Member States of the European Union (EU), and therefore also in Romania, starting in May 2018. The responsible person can be either someone already employed by the company or someone contracted from outside solely for data protection, and failure to designate one can be drastically sanctioned.
In most cases, Romanian companies process personal data in one form or another, whether they do so on their own behalf or in the interest of other companies. The concept of personal data is so broad that it is almost impossible for an entity not to process such data. Whether we are talking about processing employee data, customer data for marketing purposes, or sensitive customer data (health data, fiscal or judicial records, etc.), all of these situations make the company subject to the GDPR.
The General Data Protection Regulation applies not only to companies based in the European Union but also to companies based in other countries of the world, in so far as they process personal data of persons in the European Union.
- Data Protection Officer – Public institutions, companies whose main activity consists of processing operations requiring regular and systematic monitoring of data subjects on a large scale, and companies processing special categories of data on a large scale (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning sex life or sexual orientation) or data on criminal convictions and offenses will be required to appoint a Data Protection Officer (DPO).
- Portability of personal data – In addition to the rights already regulated, data subjects will gain several new rights, including the right to data portability. Individuals will have the right to receive their data, directly or through transfer to another designated operator, in a structured, commonly used and machine-readable format – one of the most challenging changes for digital businesses.
- New rules for consent – Consent to processing, one of the possible legitimate grounds, will have a much more restrictive regime. The request for consent must be intelligible and easily accessible, using clear and simple language; if it covers several matters, the request for consent must be clearly distinguished from the other matters; withdrawing consent must be as simple as giving it; and, above all, conditional consent (for example, making a service or the delivery of a good conditional on agreeing to data processing for direct marketing) is not allowed.
- Extended transparency – At present, the processing of personal data must be brought to the attention of the data subjects, but the General Data Protection Regulation adds a number of further elements that must be communicated, such as who is responsible for data protection, the legal basis of the processing, whether profiling is used, etc.
- Very high fines – Failure to comply with the General Data Protection Regulation may entail several types of sanctions, including fines of up to €20 million or 4% of global turnover, whichever is greater. In addition, data subjects who have suffered damage may obtain compensation covering the amount of that damage, and their rights may also be represented by collective bodies.
- Breach notification – Operators are required to keep a log of incidents in which the security and integrity of data could have been compromised. In some cases, there is an obligation to report these incidents to the authorities and to consumers within 72 hours.