New EU data protection law - Fines up to EUR 20 million

The General Data Protection Regulation (GDPR) adopted by the EU Parliament in 2016 provides a higher standard of protection of personal data for EU citizens. The GDPR will have direct effect in all member states as of May 25, 2018 and it will affect businesses all around the world that are engaged in activities with individuals in the EU.

The new regulation is intended to give all EU citizens a higher level of control over their personal data in today’s digital world. “Personal data” means any information relating to an identified or identifiable natural person.

Expanded duties and liability

Under the new rules, enhanced data security is required. To ensure adequate data protection, appropriate technical and organizational measures must be implemented, such as suitable IT solutions, a privacy policy, internal audits of processing activities, staff training etc. In many cases data processing activities must be thoroughly documented. Furthermore, the conditions for consent to processing have been strengthened: consent by silence or by pre-ticked boxes is no longer permitted. Certain data breaches must be reported to the relevant data protection authority. In addition, specific organizations are required to appoint a data protection officer (public authorities, banks, insurance companies, telecommunications service providers, hospitals, medical centres etc.).

Every business is affected

Every organization should be aware and prepared. Data protection law applies to every organization, since all of them necessarily process personal data. Processing means any operation performed on personal data. Typical data processing activities include managing the personal data of employees and customers, receiving job applications, sending newsletters, issuing loyalty cards, operating CCTV, operating an online shop, maintaining a company presence on social media platforms, organizing lotteries, maintaining electronic admission systems etc.

Businesses from outside the EU are also affected and must comply with the new regulation if they offer goods or services to EU citizens or monitor the behaviour of EU citizens, where that behaviour takes place within the EU. The mere accessibility of a non-EU website to EU citizens is not sufficient to conclude that goods or services were offered. Monitoring the behaviour of individuals covers in particular the tracking of natural persons on the internet for the purposes of profiling, or of analysing or predicting personal preferences or attitudes.

The so-called flexibility clauses of the GDPR allow each EU member state to enact its own national law in specific fields of data protection. Austria and Germany have already adopted their new national legislation; in the other countries of our alliance the new law is still to come.

Non-compliance is not an option

Any organization that is not adequately prepared and is found to be in non-compliance after May 25, 2018 could expose itself to massive fines and potentially serious litigation. Under the new law, fines may be imposed of up to EUR 20 million or 4 % of the global annual turnover in the preceding financial year. The national data protection authorities are expected to increase their activities and to align their practice so that fines for similar breaches are imposed at harmonized rates across the EU. Individuals may claim damages, and courts are expected to award higher amounts.

With severe fines, the threat of lawsuits for violations and the loss of good reputation, organizations simply cannot afford not to comply with the GDPR.

Should you need a customized assessment, please do not hesitate to contact one of our specialists in SDZLEGAL SCHINDHELM: Legal advisor Tomasz Szarek, Legal advisor Aleksandra Baranowska-Górecka, Legal advisor Anna Materla.