Getting ready for the General Data Protection Regulation

Wednesday, 1 February 2017

We assume it is already known among companies in the ICT sector, and among companies whose services involve the collection and processing of personal data, that in 2018 a new Regulation on this issue will enter into force in the European Union: Regulation 2016/679, also known as the General Data Protection Regulation (GDPR).

The legislative procedure for the adoption of the Regulation was long and burdensome. Several sensitive issues were put on the table by the ICT industry, privacy rights advocates and national governments. It should be recalled that under the existing Directive 95/46 Member States have a certain leeway to adapt the rules to their particularities. However, once the Regulation enters into force, the regime will be strictly the same from one Member State to another.

This will certainly increase legal certainty for data controllers and processors. However, due to the hard negotiating process in the different EU institutions, the new regime is a very complex one. Just to give you an idea, the new Regulation contains 99 provisions and 173 recitals. Economic operators need to be ready to adopt certain measures to adapt to the new regime, but considering the complexity of the new instrument, this will not be an easy task.

Unfortunately, the relevant institutions have not yet published a comprehensive body of guidelines that interested parties may consult in order to adopt those measures.

The only guidelines that have been adopted so far are those of the Art. 29 Working Party, but they refer only to very specific aspects:

a) Data portability. This right allows data subjects to receive the personal data they have provided to a controller, in a structured, commonly used and machine-readable format, and to transmit them to another data controller. This first opinion provides data controllers with guidance on how to interpret and implement the right to data portability as introduced by the GDPR.

b) Data protection officers (DPO). Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. The aim of these guidelines is to clarify the relevant provisions in the GDPR in order to help controllers and processors to comply with the law, but also to assist DPOs in their role. The guidelines also provide best practice recommendations, building on the experience gained in some EU Member States.

c) Lead supervisory authorities. The purpose of this guide is to help processors and controllers identify the lead supervisory authority. This is only relevant where they carry out cross-border processing of personal data in the sense of Article 4(23).

In addition to these, companies whose processing of personal data involves the transfer of that data to third countries should be aware of the following modifications, which have been introduced in some Commission Decisions as a consequence of the well-known Schrems judgment:

a. Amendments to the Decision on the adequate protection of personal data by certain countries

b. Amendments to the Decision on standard contractual clauses for the transfer of personal data to third countries and to processors established in such countries

We will keep you informed of any new development that might be of interest to you.