The General Data Protection Regulation (GDPR, RODO) was established by the Regulation of the European Parliament and of the Council of April 27, 2016. This EU legislation contains provisions on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The purpose of the Regulation is to harmonize the rules for personal data transfer across the EU. After a two-year transitional period, the Regulation will become effective in the Member States from May 25, 2018. The new rules will apply directly, without the need for implementing legislation in the Member States.
What is GDPR?
The text of the Regulation is divided into 11 chapters. Some of them are further subdivided into subsections (called Sections in the GDPR's terminology). The full list is given below:
Chapter I - General provisions
Chapter II - Principles
Chapter III - Rights of the data subject
Chapter IV - Administrator and processor
Chapter V - Transfers of personal data to third countries or international organizations
Chapter VI - Independent supervisory authorities
Chapter VII - Cooperation and consistency
Chapter VIII - Remedies, liability and penalties
Chapter IX - Provisions relating to specific processing situations
Chapter X - Delegated acts and implementing acts
Chapter XI - Final provisions
It is important to note that each of the chapters outlined above regulates a separate area, in other words, serves a different purpose. The preamble to the EU Regulation consists of 173 recitals. They are essential for understanding the specific legal requirements described in GDPR. Without knowledge of the recitals, the meaning and purpose of many requirements of the Regulation are easily misread, which leads to numerous errors in applying specific provisions.
Most frequently discussed issues
One of the pillars of RODO is the emphasis it places on general principles. Placing the general principles for processing personal data in the initial part of the act, Art. 5 (Chapter II), shows that the European legislator intended to strengthen the role of these rules within the provisions of the Regulation. RODO formulates 7 principles of personal data processing. They are:
- Principle of lawfulness, fairness and transparency.
- Principle of purpose limitation.
- Principle of data minimization.
- Principle of data accuracy.
- Principle of storage limitation.
- Principle of integrity and confidentiality of data.
- Principle of accountability.
A very important element of GDPR is the set of responsibilities placed on the Data Administrator. Four chapters of the Regulation (Chapters II, III, IV and V) set out the specific requirements which the Data Administrator must fulfill. The resulting obligations are primarily related to knowledge of the basic principles of processing personal data (Chapter II). The rights of individuals regarding the processing of their personal data by specific Data Administrators are regulated by Chapter III. The requirements within the internal sphere of a particular Administrator's organization, and the relationships that arise in contacts with external entities, are the obligations regulated by Chapter IV. Chapter V of the Regulation contains the requirements for the transfer of personal data to third countries or international organizations.
There are significant changes concerning compensation and high administrative penalties for data processing entities in case of non-compliance. All regulations in this regard are contained in Chapter VIII of RODO. A very controversial matter is the upper limit of sanctions for breaches of personal data protection. Article 83 of that Chapter, depending on the gravity of the infringement, introduces fines of up to EUR 10 000 000 or 2% of the entity's total global turnover for lighter infringements. More serious infringements will involve penalties of up to EUR 20 000 000 or 4% of the total global turnover. The administrative character of the penalties means the authority need not examine fault or the extent of the breach; it is enough to establish that the personal data protection law has been breached.
The most important change brought by GDPR is the unification of data protection legislation throughout the European Union (outside Great Britain). The changes resulting from this legislation are of enormous benefit especially to large enterprises. The ability to implement uniform procedures across almost the entire continent will reduce costs and increase profits. The introduction of RODO is not a revolution in the sphere of personal data protection, but rather a natural evolutionary step from the current solutions. The sheer scope of the changes and the size of the sanctions show that the entry of RODO into force will compel everyone to take a very cautious approach to the security of personal data.