
Personal data protection will have new rules. The fines for companies that do not comply are heavy and may reach 20 million euros.
The legislative package that brings new obligations and duties for companies (and rights for citizens) in the field of personal data protection was approved in April by the European Parliament, and each country now has until 2018 to adopt the new rules. Clear up 10 doubts.
What is the deadline for the rules to be transposed into national law?
The rules imposed by the Regulation are expected to be transposed by the Member States within no more than 2 years, and they become mandatory after that same period.
Who do the new rules apply to?
The rules in the Regulation approved by the EP apply to all companies, in the public or private sector, that deal with personal data, either directly or through subcontracting, and that provide products and services to European consumers, regardless of whether they are established inside or outside the European Union.
What rights are recognised for the holder of personal data?
Several, notably: the right of access; the right of rectification; the right to erasure of data ("right to be forgotten"); the right to restriction of processing; the right to data portability; and the right to object.
What security measures should the controller and the processor adopt?
The controller and the processor shall implement appropriate technical and organisational measures that they consider adequate to ensure a level of security appropriate to the risk, including: the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.
What should be done in the event of a personal data breach?
When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller shall communicate the personal data breach to the data subject without undue delay, in clear and plain language.
What is the impact assessment?
When a type of processing, in particular one using new technologies, and taking into account its nature, scope, context and purposes, is likely to result in a high risk to the rights and freedoms of individuals, the controller shall, before the processing begins, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A data protection impact assessment is required in particular in the case of:
- a systematic and extensive evaluation of personal aspects relating to individuals, based on automated processing, including profiling, on which decisions are based that produce legal effects concerning the person or similarly significantly affect them;
- processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences;
- systematic monitoring of publicly accessible areas on a large scale.
It will be necessary to have a data protection officer. But what does this mean?
The new rules require the existence of a data protection officer, who may be a member of the company's staff or a service provider, designated by the company on the basis of professional qualities, in particular expert knowledge of data protection law and practices, and the ability to perform the tasks assigned.
Who is required to designate such an officer?
Each data controller is obliged to appoint a data protection officer whenever:
a) the processing is carried out by a public authority or body, with the exception of courts;
b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale;
c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data or of personal data relating to convictions and offences.
What role will this officer play?
The data protection officer's tasks consist, essentially, of: informing and advising the controller of its obligations under the Data Protection Regulation; monitoring the company's compliance with the Regulation, including the assignment of responsibilities and the awareness-raising and training of the staff involved in the processing; providing advice regarding the data protection impact assessment; cooperating with the supervisory authority; and acting as the point of contact for the supervisory authority on issues related to processing.
Are there consequences for those who do not comply with these rules? What are they?
In case of violation of these rules, fines are expected that could amount to 20 million euros.
* Answers prepared with the collaboration of Gonçalo Pinto Ferreira, Partner, and Sofia Pamplona, Associate, at TELLES
You can read this news item in full and in the original at: https://www.dinheirovivo.pt/outras/628235/
You can view the publication on the EU's website at: http://ec.europa.eu/justice/newsroom/data-protection/infographic/2017/index_pt.htm?pk_campaign=facebook-data-protection-infographic-2017-02
