December 20th 2017
From 25 May 2018 in all member states of the European Union regulation of the European Parliament and the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection regulation) shall apply. The regulation entered into force in 2016, however the European Union has provided its Member States some time to introduce an appropriate regulation that will remain in conformity with the Regulation. The purpose of the Regulation is to harmonize the provisions concerning the protection of personal data of individuals in all Member States. The protection of individuals with regard to the processing of personal data is one of the fundamental rights enshrined in the Charter of Fundamental Rights of the European Union. As underlined in the recitals of the abovementioned Regulation, the source of its inception were the new challenges in the field of protection of personal data in connection with the rapid changes in technology and the process of globalization. The development of technology allows private enterprises and public bodies to use personal information on an unprecedented scale. The technology should provide the highest degree of protection of personal data.
These changes and the development of the information society, enforce a stable and coherent framework for data protection in the European Union. At the same time it is necessary to ensure the means that allow for effective and strong enforcement. One also cannot forget that individuals should have real control over their own personal data.
The Regulation leaves the Member States the possibility of introducing more detailed provisions that would ensure the protection of the rights and freedoms in the case of processing data of e.g. employees. This solution allows for an even more effective protection of personal data at the level of individual Member States.
In addition this act introduces a definition of personal data, specifying that this is the information identifying any natural person such as e.g. the name, identification number, location data, online ID, or any of the factors determining the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
This act establishes severe penalties for entrepreneurs who infringe the principle of the protection of personal data. The maximum level of penalty imposed on entrepreneurs may reach even EUR 20 000 000 or 4% of the total annual entrepreneur's turnover from the previous financial year.
In addition the entrepreneurs will have numerous informational obligations. Any natural person, whose data is being processed, should be informed, who the administrator of personal data is, which entities the data will be made available to, or on the rights of the exercise such as withdrawal of consent for the processing of data, the right of access and correction. Additionally, these persons must be informed of the use of the data in the process of profiling.
It should be noted that the Regulation introduces a very important entitlement for persons, whose data is processed, namely the right to delete the data, the so-called "right to be forgotten". This entitlement can be used in particular when personal data is no longer required for the purposes for which it was collected or when the person has withdrawn their consent for the processing of the data.
This act introduces many changes that are not listed here, and which the Member States should impose until May 2018. These changes are the response to the new challenges connected with growth of the information society or the progress of technology. Their introduction will positively arrange the legal systems of the Member States and will bring it to the highest safety standards.