GENERAL DATA PROTECTION REGULATION SUPPORT
The General Data Protection Regulation (GDPR) is a new European data protection regulation adopted by the EU Commission. It replaces the EU Data Protection Directive, also known as Directive 95/46/EC. The GDPR became effective on May 25, 2018; it strengthens the security of, and regulates, personal data in the broadest sense. The GDPR applies to both individuals and businesses and regulates the way in which the personal data of citizens of the European Union should be handled. We would like to provide you with answers to some of the questions that we hear time and time again from our customers. We also want to provide an update on what GELD DATA d.o.o. has done to ensure that you will be ready for GDPR, and on the services we offer to our customers to help them meet their compliance obligations.
The GELD DATA team combines business, technical and legal expertise and experience to provide best-in-class IT risk and compliance services to its clients.
International transfers of personal data
When personal data is transferred outside the European Economic Area, special safeguards are foreseen to ensure that the protection travels with the data.
The reform of EU data protection legislation adopted in 2016 offers a diversified toolkit of mechanisms to transfer data to third countries: adequacy decisions, standard contractual rules, binding corporate rules, certification mechanism, codes of conduct, so-called "derogations" etc.
01. EU-US Privacy Shield
The EU-US Privacy Shield decision was adopted on 12 July 2016 and the Privacy Shield framework became operational on 1 August 2016. This framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes. The framework also brings legal clarity for businesses relying on transatlantic data transfers.
02. Adequacy decisions
The European Commission has the power to determine, on the basis of Article 45 of Regulation (EU) 2016/679, whether a country outside the EU offers an adequate level of data protection, whether by its domestic legislation or by the international commitments it has entered into.
03. International data transfers using model contracts
The European Commission can decide that standard contractual clauses offer sufficient safeguards on data protection for the data to be transferred internationally. It has so far issued two sets of standard contractual clauses for data transfers from data controllers in the EU to data controllers established outside the EU or the European Economic Area (EEA). It has also issued one set of contractual clauses for data transfers from controllers in the EU to processors established outside the EU or EEA.
04. What are Data Protection Authorities (DPAs)?
DPAs are independent public authorities that supervise, through investigative and corrective powers, the application of the data protection law. They provide expert advice on data protection issues and handle complaints lodged against violations of the General Data Protection Regulation and the relevant national laws. There is one in each EU Member State. Generally speaking, the main contact point for questions on data protection is the DPA in the EU Member State where your company/organisation is based. However, if your company/organisation processes data in different EU Member States or is part of a group of companies established in different EU Member States, that main contact point may be a DPA in another EU Member State.
05. What are binding corporate rules?
Binding corporate rules are internal rules for data transfers within multinational companies. Binding corporate rules are like a code of conduct. They allow multinational companies to transfer personal data internationally within the same corporate group to countries that do not provide an adequate level of protection. Binding corporate rules ensure that all data transfers within a corporate group are safe.
06. What is happening across the world?
The GDPR is now the strongest data protection regime in the world, leading many to hope that it will set a ‘gold standard’ for other jurisdictions. Globally, there is continuing growth in data protection laws, many of which have been modelled on comprehensive guidelines or regulation such as the EU Directive mentioned above or the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. According to the UNCTAD data protection tracker, over 100 countries around the world now have data protection laws in place.
The General Data Protection Regulation (EU) 2016/679 ("GDPR") is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The GDPR not only applies to organisations located within the EU but also applies to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
Organizations can be fined up to 4% of annual global turnover or €20 Million for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of the Privacy by Design concepts. There is a tiered approach to fines: e.g. a company can be fined 2% for not having its records in order (Article 28), for not notifying the supervising authority and the data subject about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning ‘clouds’ are not exempt from GDPR enforcement.
The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. This definition allows a wide range of personal identifiers to constitute personal data, including a name, an identification number, location data or an online identifier, reflecting changes in technology and in the way organisations collect information about people.
Yes. If you offer your goods or services to any EU residents, then you must comply with GDPR.
DATA CONTENT is here to provide you with more information, answer any questions you may have and create an effective solution for your needs.
10000 Zagreb, Croatia