Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “General Data Protection Regulation” or “GDPR”) was approved by the EU Parliament in 2016 and will be directly applicable in all EU Member States as of 25 May 2018.
The GDPR aims at creating a high and uniform level of data protection throughout the EU fit for the digital era. It will give individuals greater control over their personal data as well as additional information on how their data is processed.
The GDPR includes provisions regarding:
– a “right to be forgotten” (when an individual no longer wants his data to be processed, the data may be deleted);
– clear and affirmative consent to the processing of private data by the person concerned;
– personal data breach notification (obligation for a business to report personal data breaches to the supervisory authority and, in some cases, to the data subjects);
– “privacy by design” (obligation to consider privacy and data protection in the initial phases of designing products, systems or processes involving processing personal data) and “privacy by default” (obligation to ensure that, by default, only personal data which is necessary for the specific purpose of the processing is processed);
– significant sanctions (e.g. fines of up to 4% of firms’ global annual turnover) to deter violations of the GDPR.