The European Privacy Act – What does HR need to know?
The new General Data Protection Regulation (GDPR) will take effect in the European Union (EU) on 25 May 2018.
The rationale for EU-wide privacy legislation
Technological developments do not take place at a national level but at an international one, yet privacy legislation across the EU has long been fragmented. The EU already harmonized the protection of personal data through the European Data Protection Directive in 1995. This directive lays down rules for the processing of personal data, and the Member States were obliged to transpose it into national legislation (implementation) within three years.
At the beginning of the 21st century social media still played a rather insignificant role. With the founding of Facebook in 2004 and Twitter in 2006, the directive became obsolete: the personal data of EU citizens had to be better protected. The EU therefore drafted a proposal for new legislation in 2012, which was eventually adopted in April 2016 as Regulation 2016/679, the General Data Protection Regulation (GDPR).
The advantage of a regulation over a directive is that a regulation has direct effect in all Member States, whereas a directive must first be transposed into national law. Both directives and regulations set the frameworks for the rights and obligations of, on the one hand, the persons whose data is collected and processed and, on the other hand, the companies and government institutions that collect and process personal data.
What the actual protection looks like depends not only on these statutory frameworks but also on how the rules are further developed and interpreted, and on the way in which they are enforced. The laws and regulations in the field of privacy and the protection of personal data contain many open standards. This has the great advantage that the rules remain useful for longer as technology develops.
Citizens, businesses and governments had two years to prepare for the new GDPR rules, which will take effect on 25 May 2018.
The GDPR will therefore put an end to the fragmented privacy legislation within the EU and, among other things, ensure:
- Strengthened and extended privacy rights. For example, organizations must obtain valid consent from people before processing their personal data. In addition to the existing right to ask an organization to erase their personal data, people also have the right to demand that the organization pass on the erasure request to all other organizations that have received this data from it;
- More obligations and responsibilities for organizations that process personal data. The emphasis is on the accountability of organizations: they must be able to demonstrate that they comply with the law;
- The same powers for all European privacy regulators, such as the power to impose fines of up to twenty million euros.
All companies and bodies that hold or process personal data are subject to the rules laid down in the General Data Protection Regulation. The GDPR applies to the automated processing of personal data. Organizations are obliged to inform the persons whose personal data they use which personal data they use and for what purpose. They must also provide information about their own identity (name and address of the organization) and state whether they pass the data on to other organizations.
The GDPR is, however, more concrete about the obligation to provide information. Organizations must provide at least the following information:
- the identity and contact details of the controller;
- the contact details of the data protection officer;
- the purposes and legal basis for the use of the data;
- the legitimate interests of the controller, if the processing is based on the legitimate interest;
- the recipients or categories of recipients of the personal data; and
- whether the data will be passed on to a country outside the EU.
In addition to the above information, organizations must provide the following additional information to ensure proper and transparent processing:
- the retention period of the data;
- that the person concerned has the right to inspect and rectify or delete the data, or to restrict the processing concerning him/her, as well as the right to object to the processing and the right to data portability;
- that the person concerned has the right to withdraw his/her consent;
- that the person concerned has the right to submit a complaint to the controller;
- whether the provision of personal data is a legal or contractual obligation or a necessary condition for concluding an agreement, and whether the data subject is obliged to provide the personal data and what the possible consequences are when this data is not provided;
- the existence of ‘profiling’ or automated decision-making;
- if the data is not obtained from the person concerned, the source from which the personal data originated.
The GDPR further stipulates that prior information must be easily accessible and written in clear and simple language.
Data Protection Officer
One of the new rules of the GDPR is that many organizations are obliged to appoint a so-called data protection officer (DPO). The data protection officer supervises compliance with the privacy regulations in an organization.
From 25 May 2018, appointing a data protection officer is mandatory only for organizations that, on account of their nature or size, process personal data on a large scale, and for government bodies, with the exception of judicial authorities.
The most important duties of a data protection officer are:
- drawing up an inventory of the organization's data processing operations;
- developing internal regulations;
- keeping a record of notifications of data processing;
- handling questions and complaints from employees, customers and patients;
- advising on technology and security.
Small and medium-sized businesses
The GDPR applies to all organizations that process personal data, including small and medium-sized businesses and freelancers who process data, for example by keeping track of customer appointments, customer phone numbers or personnel information. SMEs must also appoint a data protection officer when their core activities require the processing of sensitive data on a large scale. SMEs are also obliged to keep a register of the data they collect when this processing is structural and involves a high risk to privacy.
If an organization violates the GDPR (in Dutch: the AVG) after 25 May 2018, the Dutch Data Protection Authority can impose a fine of up to twenty million euros, or a fine of four percent of the worldwide annual turnover, should that amount be higher.
It is time to evaluate your readiness, build a plan, and then implement the plan.