Through targeted implementation, our consultants and solutions can support you with both basic and essential aspects of your EU Data Protection Regulation processes. Relevant solutions from our portfolio include SecurityInsider, iDNA Foundation and iDNA for Email, MarvelClient, ConnectionsExpert and ApplicationInsights.
Watch the on demand webinar with Florian Vogler in which he summarizes the most important legislative changes of the upcoming European Union’s “General Data Protection Regulation” (GDPR).
The new European General Data Protection Regulation (GDPR) will come into effect on May 25, 2018. However, it also brings new challenges for companies outside the European Union (EU). The legal regulation for data protection applies worldwide and for any cooperation with EU citizens.
We have summarized the most important regulations including the respective articles in the legal text for you (click to expand article)
It is particularly delicate that companies themselves carry the entire burden of proof in complying to the regulations. As such, we believe the following excerpts from the GDPR are extremely important:
- According to Article 15, every person has the right to be informed about any data concerning them.
- According to Article 12, the information must be provided in a “specific, transparent, understandable and easily accessible form and expressed in a clear and simple language”.
- According to Articles 13 and 14, when collecting data, each person must be provided with comprehensive information on the purpose, content, recipients and controller of the data processing, duration of the data storage and use of the data for profiling purposes.
- If the purpose of collected data changes, the affected person should be actively informed.
- According to Article 16, the person concerned has a right to the correction of false data and, under Article 18, a right to restrict (‘block’) the processing of data if the accuracy or basis of the data processing is disputed.
- An important element of the GDPR requirements is the definition of a comprehensible process that allows personal data to be completely deleted (Article 19).
Right to be forgotten:
The right to be forgotten, which is expressly referred to in the title of Article 17, is one of the central rights of the GDPR. It includes, on the one hand, that the person concerned (for example: customers, former employees, applicants, etc.) has the right to request the deletion of all data concerning them, if the reasons for the data storage are no longer relevant. Furthermore, the processor itself must actively delete the data when there is no longer any reason for storage and processing.
The most important measures according to obligations described in Article 22:
- Technical-organizational measures of data security
- Risk analysis (referenced data protection impact assessments)
- Clearly defined processes for implementing requirements for regulatory approvals or consultations.
- The appointment of a data protection officer
Sanctions for violation:
Much higher fines apply to effectively enforce the data protection regulations. For regulatory offenses, the fine is limited to 20 million Euros or up to four percent of the global annual turnover.
Member States may also enforce for further sanctions. According to recital (119) for example, it may be proposed to claim profits on account of breaching the GDPR.
Read the entire legal text on https://www.eugdpr.org.