According to the Charter of Fundamental Rights of the European Union, the protection of natural persons with regard to the processing of personal data is a fundamental right. However, rapid technological change and globalisation have posed new challenges in this area. The scale of the collection and exchange of personal data has increased significantly, and technology now enables both private companies and public authorities to use personal data on an unprecedented scale in carrying on their activities. At the same time, people are increasingly aware of the importance of their personal information, and there is clearly growing concern for security, privacy and the protection of personal data.
There is an increasing need to ensure a consistent level of protection of personal data throughout the European Union to prevent divergences that hinder the free movement of personal data within the internal market, since the proper functioning of the market requires the free movement of personal data not to be restricted or prohibited. Legislation is therefore needed to provide legal certainty and transparency for economic operators, to offer the same level of rights to natural persons in all Member States, to require the same level of responsibilities and obligations from data controllers and processors, and to ensure consistent supervision of the processing of personal data (with equivalent sanctions in all Member States and effective cooperation between the supervisory authorities of the various countries).
The new European data protection legislation responds to this: “Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of such Data”, better known as the General Data Protection Regulation (GDPR), which repeals the previous data protection directive (Directive 95/46/EC) and entered into force on 25 May.
Impact on people
The new legislation requires greater protection and extends the rights of citizens in terms of the processing of their personal data, granting the following rights to any person residing in the EU or who has transferred data to a company operating in any EU country:
- Right of Access: the data subject may obtain confirmation as to whether or not personal data concerning them are being processed and, if so, information about those personal data and the processing.
- Right of Correction: to correct errors and modify inaccurate or incomplete data.
- Right of Opposition: data subjects may object to the processing of their data.
- Right of Deletion: data may be deleted and cease to be processed, unless there is a legal obligation to retain them or another legitimate reason to process them.
- Right of Limitation: under the legally established conditions, the data subject may have the processing of their data restricted, preventing their further use by the controller; the data may then be kept only for bringing or defending claims.
- Right of Portability: the data subject can receive their personal data and transfer them directly to another controller in a structured, commonly used, machine-readable format.
Impact on businesses
The greater protection of personal data required by the GDPR has meant that companies have to comply with rules such as the duty to inform data subjects of the circumstances relating to the processing of their data, to establish greater security measures, to carry out risk analyses, etc. These obligations include most notably compliance with certain principles, which require the data to be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency).
- Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (purpose limitation).
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation).
- Accurate and, where necessary, kept up to date: every reasonable step must be taken to ensure that personal data which are inaccurate in relation to the purposes for which they are processed are deleted or rectified without delay (accuracy).
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (limitation of the retention period).
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality). In addition, the data controller is responsible for compliance with these principles and must be able to demonstrate that compliance (accountability).
However, this more demanding regulation should not be viewed by companies as an obstacle to carrying on their activities, but rather as an opportunity to offer more adequate services to their clients and to create a company image that is adaptable to changes and committed to compliance with legislation. In an increasingly regulated and competitive environment, where penalties for non-compliance are increasingly severe, only the most agile companies, capable of modernising and adapting quickly to change, will be able to achieve excellence in the sector.