GDPR - What to expect from the new European data protection rules? (part 1)

Almost all e-commerce operators have heard that the European Union has harmonised data protection and data management rules, but what does this mean in practice? In our two-part article, we will explain what rights data subjects will have in relation to their data processing and what obligations data controllers and processors will have.

Please note: The following article does not constitute an official legal position. Each data controller should review the lawfulness of its own data management practices with the assistance of professionals. Although the GDPR regulation is directly applicable, the final form of the Hungarian legal provisions may contain slightly different provisions until 25 May 2018.

WHAT WAS THE EUROPEAN UNION'S AIM IN CREATING A NEW SINGLE EUROPEAN DATA PROTECTION REGULATION?

The existing legislation was no longer fit for the rapidly evolving online environment, having been drafted more than 20 years ago, and the time was ripe for a new, modern data protection law.

An important aspect was to increase the confidence of individuals in online services, thus contributing to the further dynamic development of the industry. This required a more transparent and coherent data protection regime, so that users of online services or online shoppers could be better informed about the fate of the data they provide.

WHEN WILL GDPR COME INTO FORCE AND WHO EXACTLY WILL BE AFFECTED?

The GDPR (General Data Protection Regulation) is already in force, but it will only apply from 25.05.2018, which is when its rules take effect in practice. We have until then to bring our data management into line with the GDPR requirements.

The data protection regulation applies to anyone who processes data of EU citizens, regardless of the company's location. This means that companies based outside Europe are affected by the changes just as much as the domestic SME sector; they are equally obliged to comply.

HOW SHOULD DATA SUBJECTS BE INFORMED OF THE START OF DATA PROCESSING TO COMPLY WITH THE GDPR RULES?

Our current law also requires the data subject's consent to the processing of data. This principle will not change under the GDPR, but it will be more strictly regulated. As regards the conditions of consent, the Regulation states that consent is a freely given, specific and unambiguous indication of the data subject's wishes, by which he or she, by a statement or by a clear affirmative act, signifies agreement to the processing of personal data relating to him or her. This implies that the person must take an active step: a "silence = consent" arrangement or a tick box with "I agree" pre-ticked is not allowed.

The data subject has the right to be informed of the fact and purpose of the processing. The data subject must be given the opportunity to obtain information about the processing prior to the start of the processing and during the processing until its termination. For reasons of transparency, the information provided to the public or to the data subject should be concise and easily accessible.

WHAT DOES THE 'RIGHT TO BE FORGOTTEN' MEAN IN THE CONTEXT OF THE NEW EUROPEAN DATA PROTECTION REGULATION?

We already have the possibility to modify or delete our data, so this is nothing new. However, the Regulation extends this with a very important provision that if the controller has disclosed personal data but the data subject requests its erasure for whatever reason, the controller must take all reasonable steps (taking into account the available technology and the cost of implementation) to erase the personal data in question and all copies and references to it.

It is important to note, however, that an exception to the "right to be forgotten" is the case where the controller has a different legal basis for processing and managing the data. If the controller can demonstrate that its legitimate interests prevail, it may continue its activities over the objection of the data subject.

WHAT IS THE POSSIBILITY TO OBJECT TO AUTOMATED DECISION-MAKING?

Under the new single European data protection regulation, the data subject also has the right not to be subject to decisions based solely on automated processing that evaluates personal aspects relating to him or her (e.g. online credit assessment or employment recruitment). Such processing includes "profiling", in particular the analysis or prediction of the data subject's performance at work, financial situation, state of health, personal preferences, interests, reliability or behaviour, location, and movements.

This type of processing can only be carried out with appropriate safeguards, including specific information and the right of the data subject to request and obtain an explanation of the decision taken on the basis of such assessment and the right to contest the decision.

WHAT TO DO IN THE EVENT OF A DATA BREACH?

The current legislation in force establishes a record-keeping obligation, which will become a notification obligation under the GDPR. If we become aware of any unlawful processing or handling of personal data, we are obliged to notify the supervisory authority (NAIH) without undue delay, if possible within 72 hours. The exception to this notification duty is the case where the data breach is unlikely to pose a risk to the rights and freedoms of natural persons.

In our forthcoming second part, we will continue to discuss the rights of data subjects and the obligations of data controllers, and outline some ways to prepare for the GDPR.

Sources:

Guidelines for data controllers and processors

Guidance for data protection practitioners and data controllers