In order to bring balance between personal data protection and citizens’ rights, the Commission and the European Parliament adopted in 2017 the general data protection regulation (GDPR), which brought changes in the way personal information can be used by companies.
Starting from the 25th of May 2018, all the companies, foreign or European, who process personal information belonging to European Citizens are required to comply to the provisions of the General Data Protection Regulation. Non-compliance can be punished with fines up to 20 million Euros or maximum 4% of company turnover.
What are the new data protection regulations?
- No more preliminary notice to data protection authorities
The previous regulations provided that before processing any personal information from individuals, a company had to notify the national authorities. The new regulation has suppressed this obligation, so starting from 25th of May 2017 the companies are no longer obligated to go through this preliminary process.
- Data Protection Impact Assessment
Before processing any personal information, companies should make an internal document called ‘data protection impact assessment’ (in Ro: “cartografierea datelor cu caracter personal”). This document should be made if the company has more than 250 employees or if it will process personal information considered ‘sensitive’ by law (e.g. health information, profiling information).
- Data protection officer (DPO)
The companies that are required to have a data protection impact assessment also need to appoint a data protection officer, who will keep track of the database incidents. However, the Romanian authorities recommended that all companies should appoint a data protection officer.
- Keeping track of all data breaches
According to the new regulation, every company must keep track of all incidents regarding the loss, misplacement or corruption of the database where personal data is stored.
Keeping track of all the incidents is a key obligation imposed by the new law. If they breach this obligation, companies could be fined up to 4% of the company’s turnover, up to a maximum of 20 million euro.
- Notifying the authorities in max. 72 hours from a data breach
As mentioned above, companies have to keep track of all incidents regarding its data base. However, some breaches could be a major threat for the personal information collected and stored by the company.
So the new data protection regulation requires companies to immediately notify the authorities in case of a data breach, e.g. the database was copied by a third party or an employee left the company with a copy of the database.
Companies have to notify the authorities in maximum 3 days from the moment they should have been aware of the infringement. If the company does not send this notice, it can face a fine of 4% of its total turnover, but no more than 20 million euro.
- Notifying individuals regarding the processing of their personal information
The former Directive provided that European citizens must give their consent before the companies process their personal information. However, most of the companies found ways of getting the consent without the knowledge of the customer, e.g. preselected options on registering on on-line sites, including the consent of processing personal information in contracts.
The new regulation is very clear – the express consent must be taken free of any commercial condition and must be safely kept by the company as proof.
- The right to be forgotten
in Case no. 131/12 Google v. Spain, The European Court of Justice provided that a person who at a point in time gave his agreement to a company to process his personal information can withdraw its consent at any point in time and force the company to delete all the information that it stored during this period.
The new regulations take the decision of the European court and makes it a standard for processing personal data. So any person can ask to be deleted from a company’s database (e.g. never receive newsletter or job offerings in the future), without having to state a reason why it wants to be “forgotten”.