
Final sprint towards the new Privacy Regulation

Mar 05 2018

Author: Caterina M.V. Mainieri

There is not much time left for companies to comply with EU Regulation 2016/679 on the protection of personal data (the "General Data Protection Regulation", or "GDPR"): the two-year period from its entry into force expires on May 25, 2018, the date from which the new provisions will be directly applicable in every Member State.

Some surveys have shown that, although the topic is now discussed in every magazine, specialized or not, in the press and on the web, SMEs are considerably behind in the adjustment process (in April 2017, as many as 80% of companies aware of the GDPR declared that they were "not yet up to date") and, above all, lack knowledge of the actual impact of the new regulation.

Below is a brief summary of the main regulatory changes with which companies that have not yet done so will necessarily have to deal by May 25, 2018.

New approach to the processing of personal data (“Privacy by design”)

The Regulation takes a new approach to the protection of personal data: the fixed rules with which companies had to comply are repealed in favour of the accountability of the data controller, who also bears the burden of proving that all the actions and measures required by the GDPR have been taken. In order to strengthen the protection of natural persons, the new regulation adopts the so-called "privacy by design" approach, according to which each processing operation must be designed from the outset with the safeguards necessary "in order to meet the requirements" of the Regulation and to protect the rights of the data subjects, taking into account the overall context in which the processing takes place and the risks to the rights and freedoms of the data subjects. Each processing operation must therefore be subjected to an assessment of the actual risk that it has a negative impact on the rights and freedoms of the data subjects, in light of the known or foreseeable risks and of the technical and organizational measures deemed appropriate.

The direct and immediate consequences of this changed approach are: i) the obligation for the controller to implement measures that make each processing operation compliant with the provisions of the GDPR; ii) the obligation that the measures adopted actually guarantee such compliance; iii) the obligation to base the choice of measures on a prior risk analysis; iv) the obligation that the compliance thus guaranteed is also easily demonstrable, which amounts in practice to a genuine accountability and documentation obligation.

As a result of the new approach, the GDPR also abolishes, from May 25, 2018, some instruments provided for by the Privacy Code currently in force, such as the prior notification of processing to the supervisory authority and the prior checking, which are replaced by the record of processing activities that the controller (and the processor) must keep.

Legitimacy of the processing

The GDPR has not changed the pre-existing structure, confirming the legal bases already established by current legislation for each processing operation: consent, performance of a contract, vital interests of the data subject or of third parties, legal obligations of the controller, public interest or exercise of official authority, and the legitimate interest of the controller or of a third party.

Some clarifications are instead provided on the manner in which consent is given: it must be freely given, specific, informed and unambiguous (and explicit in the cases where the GDPR expressly requires it, such as the processing of special categories of data). Consent can therefore be neither tacit nor presumed, but must be expressed through a clear affirmative statement or action. The controller must also be able to demonstrate not only that consent was given, but also that the aforementioned requirements were met.

It is easy to see how the greater attention that the GDPR pays to the manner in which consent is requested and to its purpose will have a greater impact on companies that operate (and request and obtain consent) only online.

The requirements introduced by the GDPR make it advisable for companies to verify that the consents obtained for existing processing operations meet the new criteria. Otherwise, companies will have to obtain new consents by May 25, 2018.

Privacy Policy

The European legislator has also redefined, in greater detail, the mandatory content of the privacy notice that the controller must provide to data subjects at the time the data are collected, in writing (including electronically), in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

As to the manner in which the controller must inform data subjects at the time of data collection, the GDPR expressly allows the use of standardized icons that summarize the content of the notice. These icons (to be defined by the European Commission) may only be used in combination with the notice and, where presented electronically, must be machine-readable.

In light of these innovations, data controllers should verify that the notices currently in use meet all the criteria introduced by the new regulation and adapt them, if necessary, by the May 25 deadline.

Profiling activity

Article 4 of the GDPR defines profiling as "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements". This activity falls within the broader category of "automated decision-making", which is subject to the general prohibition in Article 22, pursuant to which "the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her".

Article 22(2) of the GDPR includes among the exceptions to the general prohibition the case in which the solely automated decision is based on the explicit consent of the data subject, i.e. consent expressed through an express statement and not inferred from conduct. In line with the requirement of specificity, the Guidelines issued by the Data Protection Authority on this point also clarify that the data must be processed for the specific purpose indicated in the consent request submitted to the data subject; their use for a different purpose is unlawful, and a further specific consent will have to be requested for it.

With reference to the solely automated processing referred to in Article 22, the GDPR introduces the obligation for the controller to: i) provide the information necessary to ensure that the data subject is aware not only of the existence of automated decision-making, but also of the logic involved and of the envisaged consequences of such processing; ii) implement suitable and reinforced safeguards; iii) guarantee the data subject the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

Rights of the data subjects

The European legislator has substantially reworked the provisions with which the Privacy Code (which, we recall, will remain in force after May 25 to the extent that its provisions are not incompatible with the new rules) already regulated the rights of data subjects to verification, access, erasure ("right to be forgotten"), restriction of processing and objection to processing.

In addition to what is already in force, the GDPR introduces the right to data portability, understood as the right of data subjects to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and to transmit those data to another controller.

Before May 25, data controllers must therefore adopt the technical and organizational measures necessary to guarantee and facilitate the exercise of these rights and the handling of requests submitted by data subjects, which, unlike what is currently provided for, will by default be in written form (including electronic).

Parties involved in the processing

The last element of this quick and summary examination is the set of innovations introduced by the GDPR in relation to the parties that carry out the processing, and in particular:

  • The rules on joint controllers, i.e. the case in which two or more controllers jointly determine the purposes and means of processing by means of an arrangement between them that sets out in a transparent manner their respective responsibilities for compliance with the obligations under the GDPR, the essence of which must be made available to data subjects;
  • Stricter requirements for the act by which the controller appoints the data processor, on whom the GDPR imposes specific obligations distinct from those of the controller;
  • The obligation to appoint a Data Protection Officer (DPO), not only for public administrations and public bodies but also for private companies whose processing i) requires regular and systematic monitoring of data subjects on a large scale, or ii) consists of large-scale processing of special categories of data (sensitive data) or of data relating to criminal convictions and offences.

By May 25, controllers should therefore verify whether there are any joint controllership situations requiring the arrangement provided for by the GDPR, and whether the current acts of appointment of processors and/or persons authorised to process data meet the newly introduced requirements.
