GDPR - What to expect from the new European data protection rules? (part 2)

We have already written an introductory piece on the new, single European data protection regulation, but the topic and its implications are so wide-ranging that we could not fit everything into one post, so let's continue where we left off. What other rights does the data subject have, and what other obligations does the controller have?

Please note: the following article is not an official legal position and does not constitute legal advice. Although the GDPR is directly applicable, the final form of the Hungarian implementing legislation is not yet settled and may differ in detail before 25 May 2018.

What is the right to data portability?

In the first part of our article on the single European data protection regime we covered the right to be forgotten, but one of the most important new features has not yet been mentioned: the right to data portability. Under this right, the data subject is entitled to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and to transmit those data to another controller. The right to erasure alone is not enough on the internet, where the same data are recorded not by a single controller but by many other parties as well.

How does the GDPR interpret children's rights?

The EU General Data Protection Regulation also puts emphasis on the conditions under which a child's consent is valid. The key rule is that a child's own consent to an online (information society) service counts as valid only from the age of 16; below that age, the processing is lawful only if consent is given or authorised by the holder of parental responsibility. Member States may lower this threshold, but not below 13, so in no case can a child under 13 validly consent on their own to social networking sites, e-mail accounts or other internet services.

What are the penalties for breaking the rules?

If a controller or processor causes damage to a data subject, it may be liable to pay compensation, and it is exempt only if it proves that it is in no way responsible for the damage. Where several controllers or processors are involved in the same processing operation, each of them is liable for the entire damage, so that the data subject is compensated in full; the one that pays the full amount may then claim back from the others involved in the same processing the part of the compensation corresponding to their share of the responsibility.

From the date the GDPR becomes applicable (25 May 2018), companies that fail to comply can expect administrative fines on top of any compensation owed to data subjects. The fines are tiered as follows:

Up to €10 million or 2% of the undertaking's total worldwide annual turnover of the preceding financial year, whichever is higher, for breaches of the obligations placed on controllers and processors (for example the conditions for children's consent, data protection by design and by default, record-keeping, security of processing, breach notification, impact assessments and the data protection officer).

Up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for breaches of the basic principles of processing (including the conditions for consent), of the data subject's rights, or of the rules on transfers of personal data to third countries or international organisations.

How can "pseudonymisation" help you comply with the GDPR?

The GDPR also introduces the concept of pseudonymisation. Under the Regulation, pseudonymisation means processing personal data in such a way that they can no longer be attributed to a specific data subject without the use of additional information. Data count as pseudonymised only if that additional information (for example the key or lookup table needed to re-identify the person) is stored separately and is protected by technical and organisational measures ensuring that the data cannot be linked to an identified or identifiable natural person. The procedure is useful in many situations, for example when compiling statistics or simply when someone wants a higher level of security in their own system. The Regulation mentions pseudonymisation in several places as an appropriate safeguard. It also reduces the risk to data subjects, who may therefore be more willing to consent to processing. One caveat: pseudonymised data are still personal data under the GDPR as long as the controller, or anyone else, can re-identify the data subject using the additional information, so pseudonymisation does not take the data outside the scope of the Regulation the way proper anonymisation does.
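As an added illustration, not part of the original article, the following Python example shows why "storing the additional information separately" matters in practice. It contrasts an unkeyed hash of an e-mail address, which anyone holding the data set can reverse from a list of candidate addresses, with a keyed (HMAC) pseudonym whose key the controller keeps apart from the data. The sample records, the key handling and all function names are constructed for this example.

```python
"""Keyed pseudonymisation of identifying fields, with the key kept apart
from the data set. Added example; records and names are constructed."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records (fictitious people and e-mail addresses).
SAMPLE_RECORDS = [
    {"email": "anna.kovacs@example.com", "city": "Budapest", "purchases": 3},
    {"email": "bela.szabo@example.com", "city": "Debrecen", "purchases": 1},
    {"email": "anna.kovacs@example.com", "city": "Budapest", "purchases": 2},
]
IDENTIFYING_FIELDS = ("email",)


def unkeyed_token(value: str) -> str:
    """Plain SHA-256 of the identifier. On its own this is NOT adequate
    pseudonymisation: anyone holding the data set can rebuild the token
    from a list of candidate identifiers and re-identify the person."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def keyed_token(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. The key is the 'additional
    information' the GDPR requires to be stored separately; without it
    the token cannot be linked back to the identifier."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Return a copy of the records with identifying fields replaced by
    keyed tokens. Only this data set should leave the controller; the key
    stays behind, under separate access controls."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in IDENTIFYING_FIELDS:
            new[field] = keyed_token(rec[field], key)
        out.append(new)
    return out


def dictionary_attack(token: str, candidates, tokeniser):
    """What someone holding only the data set can try: compute the token
    for each candidate identifier and compare. Returns the matching
    identifier, or None if the tokeniser cannot be reproduced."""
    for cand in candidates:
        if hmac.compare_digest(tokeniser(cand), token):
            return cand
    return None


def per_subject_totals(pseudonymised):
    """The statistics use case: the same person always gets the same token,
    so records can still be joined and aggregated per subject."""
    totals = Counter()
    for rec in pseudonymised:
        totals[rec["email"]] += rec["purchases"]
    return dict(totals)


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)  # generated once, stored apart from the data
    data = pseudonymise(SAMPLE_RECORDS, key)
    print(data)
    print(per_subject_totals(data))
    guesses = [r["email"] for r in SAMPLE_RECORDS]
    # Unkeyed hash: trivially reversed with a candidate list.
    print(dictionary_attack(unkeyed_token(guesses[0]), guesses, unkeyed_token))
    # Keyed token: the same attack fails without the key ...
    print(dictionary_attack(data[0]["email"], guesses, unkeyed_token))
    # ... and succeeds only for whoever holds the key (the controller).
    print(dictionary_attack(data[0]["email"], guesses, lambda v: keyed_token(v, key)))
```

The design point is that the pseudonymised data set and the key must live in different places with different access rights: whoever has both can re-identify every subject, which is exactly why the Regulation treats such data as still personal.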

 

When is a prior data protection impact assessment worthwhile and necessary?

The GDPR also provides that, in certain cases, the controller must carry out a data protection impact assessment before the processing starts. Where a planned processing operation is likely to result in a high risk to the rights and freedoms of natural persons, the controller must assess, before processing begins, how the envisaged operations will affect the protection of personal data, so that the data subject's right to informational self-determination is properly safeguarded.

Indicators of high-risk processing include: a large number of data subjects, large volumes of personal data, processing of children's data, profiling, and tracking of behaviour or movements.

Which companies will be required to appoint a DPO?

The GDPR makes the appointment of a data protection officer mandatory for a wider range of controllers than the Hungarian Data Protection Act currently in force. Appointment is mandatory for public authorities and bodies performing public tasks, for organisations whose core activities consist of processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale, and for organisations whose core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences.

What does the EU expect from the introduction of a single data protection regime?

The European Union expects the GDPR to produce a much higher level of awareness among controllers and processors, which will help to prevent abuses or to deal with them more easily and quickly. That is why the fines are set so high: everyone, from the largest multinationals down to small and medium-sized enterprises, should have a strong enough incentive to implement security measures and to monitor them continuously.

We hope this article has highlighted the obligations that controllers will have from 25 May 2018, so that your company can prepare to comply with the Regulation.

Sources:

https://www.naih.hu/felkeszueles-az-adatvedelmi-rendelet-alkalmazasara.html

Law Journal 2016/4.

https://jogaszvilag.hu/rovatok/szakma/2018-tol-jon-a-modernebb-de-szigorubb-adatvedelem