On 27 April 2016 the European Parliament and the Council adopted Regulation (EU) 2016/679 (hereinafter the "Regulation") on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC.

The Regulation modernises the rules for personal data processing in the EU. It is directly applicable and binding on legal entities and individuals as well as on public authorities. It gives data subjects new rights and places new obligations on data controllers with respect to the processing of employee and customer data. It also introduces severe penalties for non-compliance with its requirements.

The most important changes introduced by the Regulation

  • the data controller is obliged to maintain an internal register of the processing operations it carries out;
  • the amount of information that must be provided to the data subject before processing starts is increased;
  • stricter requirements apply to the consent of individuals to data processing (e.g. a consent form, and a decision that the person takes freely);
  • the data subject is given the right to receive all of his or her data and have it transferred (data portability), the right to be forgotten, and further rights concerning the processing of his or her data;
  • the data controller is obliged to have the technical means in place to record personal data in digital format and to transfer or erase it at the data subject's request;
  • guidelines and standard clauses for the processing and transmission of personal data are introduced;
  • in certain cases the data controller must appoint a data protection officer before processing starts;
  • the data subject has the right to claim material and non-material (moral) compensation from the data controller;
  • in some cases a data protection impact assessment becomes compulsory;
  • the burden of proof is placed on the data controller: to be relieved of liability it must demonstrate compliance with the requirements of the Regulation;
  • new requirements govern the relationship between data controllers and data processors, including a mandatory contract between the controller and the processor;
  • new requirements apply to the transfer of data to third countries;
  • the European Data Protection Board is established as a new EU-level supervisory body, and violations of data processing rules (personal data breaches) must be reported to the competent supervisory authority.

Penalties for non-compliance

  • An administrative fine for failure to comply with the requirements of the Regulation may be set at up to 4% of the total worldwide turnover of the undertaking in the preceding financial year or up to EUR 20 million, whichever amount is higher (under current national law the maximum is 14 000 EUR).

Because of the scale of these changes, the Regulation applies only from 25 May 2018, giving data controllers and processors a preparatory period to bring their data processing into compliance. Currently less than one year is left until the Regulation becomes applicable. We therefore recommend that anyone processing personal data who has not yet assessed whether their processing operations conform to the Regulation does so immediately, in order to ensure compliance and avoid the severe penalties.