In this article we are completing the article written in March in which we present you extensively the GDPR rules, hoping that you will find the most useful information and that you will follow the steps of the need to implement these security measures.
The GDPR regulation is one of the toughest European norms in terms of using, analyzing, storing or marketing personal data across the European Union.
UE Law 2016/679 of European Parliament from 27 april 2016, GDPR (General Data Protection Regulation), who replace the Directive 95/46/EC, will enter into force on 25 May 2018.
The rules applies if legal entities are based in the EU, or collects an processes personal data of EU residents globally according to GDPREU.ORG
The purpose of the new regulations is to protect the rights and freedoms of individuals with regard to the processing of personal data, but also to regulate the method of obtaining them, as well as the circulation of such data, which is desired in a unitary format.
What means the processing of personal data?
According to the European GDPR normes, data processing consists of any operation or set of operations, such as:
The right to be informed about how personal data will be used;
- Right of access to personal data;
- Right to rectify the data if it is inaccurate or incomplete;
- The Right to Be erased or the Right To Be Forgotten in order not to be included in further communications or processing;
- The right to restrict data processing beyond simple storage;
- Right of data transfer to be available to people as they wish to use on other platforms or other services;
- Right of objection against data usage in marketing campaigns;
- Decision-making in case of profiling and automatic data processing.
What are GDPR personal data?
The new rules extend the practice of the information domain, therefore, they are considered to be “personal data”. All information relating to an identified or identifiable person. Specifically, the person can be identified directly or indirectly by reference to:
What is the consent,regarding GDPR?
Consent consists in any manifestation of the free, specific, informed, and unambiguous will of the person in cause, through which it accepts, through a statement or unequivocal action, that the personal data concerning it to be processed.
The rules for the validity of the consent are:
- It must be a freely expressed expression, namely to be the real choice of the person in cause
- Must be specific, which means that the person in cause,must be informed of the purpose of the data processing and his consent is given for each purpose of the processing;
- Must be informed so that at least the following information is brought to the attention of the person in cause: the identity of the operator, the purpose of the processing, the personal data collected, the existence of the right to withdraw consent, information on the use of data for decisions based solely on automatic processing profile creation) as well as information on the possible risks of data transfer to third countries;
- Must be unambiguous, represent a statement or affirmative action from the person in cause, such as ticking a home when the person visits a site or any other statement or action that clearly indicates in this context the acceptance by the person in cause to process his or her personal data.
What changes in online domain are made regarding to Consent?
New regulations on consent state that it will be explicitly and specifically binding for the processing operation.
The consumer must act for consent, and the agreement will be limited or proportionate to the purpose of the processing so that more data cannot be collected and processed than required for the declared and lawful purpose of the processing.
The GDPR Regulation requires operators to ensure that the agreement can be withdrawn at any time, as easily as it can be given, but not necessarily through the same action. However, in the electronic environment, if consent to data processing is achieved through one single action (click, drag, keystroke, etc.), withdrawal should be possible by the same means. Consent must be explicit and absence of a response, boxes checked beforehand or absence of action should not be a consent. Thus, ads like “Browsing this site requires your consent to …” become illegal.
What should be done before the GDPR Regulation enters into force?
Every online business will have to observe 2 parts of GDPR implementation in Romania, the first part is represented by the technical measures to be implemented at the website level, the online store, the online platform, the news portal, and the second part is the internal measures to be implemented taken in each company, to respect the commitment to the protection of personal data.
Internally, companies need to set up a data log to store an inventory of personal data stored in the company’s business. Article 171 of the GDPR Regulation provides that if personal data previously collected by GDPR norms were obtained on the basis of a consent, then the request for a new agreement is no longer required.
If this consent has not been granted, then the entities that store this personal data must request the user’s consent to keep and / or process these data. In this case, companies can send a notification email to these users requesting permission to use their personal data for marketing, research, statistics,and so on… Such notification must also contain information about which partners or third parties have access to user data and if so, how they will use this information.
What is a Data Protection Officer (DPO) and how it can help my business?
A Data Protection Office (DPO) is a designated person in the company responsible for data protection, being either an employee of that company or a person contracted under a service contract. The responsible person must be designated on the basis of professional qualities and knowledge in data protection practices.
The tasks of the DPO will include monitoring the application of the GDPR Regulation and implementing other European or governmental norms on personal data protection, providing expert support for data protection impact assessment, and ensuring good co-operation with the supervisory authority.
What concrete actions are needed to comply with the new regulations?
In online it is necessary to implement a series of technical and organizational measures, among them:
- For consent, it will be necessary to tick a box or any other statement or action that clearly indicates the acceptance by the target person visiting a site of the processing of his or her personal data;
- To inform and assure users that their agreement can be withdrawn at any time, as easily as it can be given;
- To inform visitors in a clearer way about their identity, what data they collect, why they collect them and how long they keep them;
- To inform visitors about the third part receiving the data and at the same time to check whether the third parts to whom the data might be sent transmit the information outside the EU;
- To restrict the access to customer data only to employees who need those data to perform their job tasks;
- To have a register in which to take account of data processing activities when their activity is not occasional;
- To inform customers about the use of data they provide such as billing and delivery data, as customer information on collected data is mandatory from the time of data collection;
- To delete the data if the request has a legal basis, irrespective of whether this is done by overwriting or definitive deletion, as long as the process is irreversible;
GDPR implementation and personal data processing for an online store:
With this new definition of the phrase “personal data,” GDPR actually enlarges the list of these types of information that sites ask for when subscribing to the newsletter / creating an account / shopping session and so on..
For example, under the rules in force, online identifiers and location information are not considered to be such personal data. Starting May 25, 2018, however, will fall under the new regulation.
Therefore, sites will have to take this into account in preparing for the GDPR regulation and continuing to respect it.
For websites and online stores that already apply a good practice of using and storing personal data, there is no need to repeat the procedures after May 25, 2018.
For example, subscribers to the newsletter do not need to reconsider consent if it has been obtained correctly in advance. Otherwise, any entity owns a database of e-mail addresses, names, physical addresses, CNPs (personal identification number), CUIs (unique registration code), or any other personal data that will be required to request explicit consent from the individuals concerned to keep, or processing this information.
Operators are required to inform users when a security breach has occurred in respect of data collected from them. Violation of security is an act that accidentally or unlawfully leads to:
- destruction of data;
- data loss;
- data modification;
- unauthorized disclosure of data;
- unauthorized access to collected data.
What sanctions risk those who do not comply with the new GDPR rules?
The sanctions are granted on a case-by-case basis, and the following will be taken into account:
- The nature, gravity and duration of the breach, having regard also to the nature or scope and purpose of the processing, as well as the number of persons affected and the damage suffered by them;
- If the breach was committed intentionally or negligently;
- Any previous breaches and liability;
- The level of cooperation with the supervisory authority to remedy the situation and mitigate possible harm;
- The manner in which the violation was brought to the attention of the supervisory authority;
- Which categories of personal data have been affected;
- any other aggravating or attenuating circumstances applicable to the case Such as the financial benefits earned or the losses avoided directly or indirectly by the breach.
Fines can reach up to 20 million euros or 4% of global annual turnover, taking into account the highest value.
More information on the GDPR regulation and its implementation rules can be found at the following sites:
- Data Protection in the European Union
- European Parliament Law 679/2016