GDPR: the normative framework

The G.I.S.I. headquarters in March were the venue for a meeting regarding the new General Data Protection Regulation (GDPR). Let us consider the novelties and key issues, among new concepts, rights, necessary conditions and fines

by Renato Uggeri

As we know, the new Regulation will be applicable in all EU countries as from May 25th. During their speech, Sabrina Bruschi, TÜV Italia, Business Assurance Division, and Stefano Azzolina, Partner, Azzolina and Associates Legal Offices, explained some of the most relevant points.

The concept of “personal data”: limits, criteria and violations
Among the numerous novelties illustrated by Sabrina Bruschi was the concept of “personal datum”, that is, any information which concerns identified individuals or persons who may be identified, such as the name and surname or denomination, address, fiscal code and so on. The GDPR introduces clear rules in terms of information and consent, defines limitations to automatic processing of personal data and establishes stricter criteria for the transfer of data outside the EU and of cases of violation of the data themselves. Any violation may be pointed out to the data protection authority of the person’s country, irrespective
of where the data may have been processed (single desk). Data processors must notify the violation to the Authority within 72 hours of the moment when they became aware of this fact. After 72 hours, they must motivate the delay in this communication.

The rights of the persons concerned and how may they be guaranteed
The persons concerned have the right to ask web engines to remove a web page from their search result listings or to ask a website to delete information. The right to obtain restitution of one’s own personal data forwarded to a company or to an online service and to transfer them to others is also acknowledged.
The persons concerned also have the right to be informed of the existence of the processing and of its purpose. Besides, they should be informed of the existence of profiling and of its consequences. The consent of the persons concerned is any show of specific, informed and unquestionable free will with which their approval is expressed, for instance by means of a declaration. The data processor must enact adequate measures to guarantee, and to be able to prove, that the processing is carried out in compliance with the regulations.

The documents issue
Regarding documents, the GDPR does not state what must formally be kept. When a type of treatment could imply a high risk for the rights and freedom of persons concerned, the data processor must carry out a preliminary evaluation of its impact on personal data protection, of the probability and relevance of the risk, considering the type, application field, context and purpose of the processing and the sources of the risks. To improve the transparency and respect of the regulation, the creation of certification mechanisms and seals should be encouraged, as well as marks of protection of the data allowing those concerned to evaluate rapidly the protection level of the data of the relative products and services. Compliance with codes of conduct or to a certification mechanism may be used to show the respect of requirements on the part of the data processor.

Differences between data processor and data controller
Mr Azzolina then spoke in detail about such aspects as the data processor and data controller, processing registers and special types of data, the DPO or Data Protection Officer, the new disclosures and consent.
Specifically, the data processor is the person who decides the destiny of the processing, enacting adequate measures to guarantee and prove the conformity to the Regulation. The data controller, on the other hand, is the person operating on behalf of the processor, providing sufficient guarantees to enact such measures that will comply with the Regulation’s requisites. Processing registers are kept by every processor and controller in writing, even in digital form. However these obligations do not apply to companies with less than 250 employees, unless the processing they carry out may create a risk for the rights and freedom of the person concerned.

The role of the data protection officer
The data protection officer must be designated consistently. The person concerned or the person who collects the personal data are informed in advance as regards: the purpose and methods of the processing, the compulsory or optional nature of the conferral of data, the consequences of the refusal to answer, the subjects or categories to whom the personal data may be communicated or who could get to know about them and the area of circulation of the data themselves and so on.
The data processor provides the person concerned with further information such as: the period of storage of the personal data or the criteria used to determine this period; the existence of the right of the persons concerned to ask the data processor to access their personal data, modify or delete them or to oppose to their processing, as well as the right to the portability of data, the existence of the right to withdraw consent at any time with no prejudice to the legality of the processing based on consent provided before its withdrawal, the right to file a complaint with a control authority and so on.

The legitimacy of processing and the necessary conditions
Processing is legitimate if at least one of the following conditions is present: the person concerned expressed consent; processing is necessary to fulfill a contract or on account of a legal obligation which the data processor must comply with to safeguard vital interests, to carry out a task of public utility, or to pursue the legitimate interest of the processor or of third parties, so long as the fundamental rights and freedom of the person concerned do not prevail.
Finally, if processing is based on consent, the processor must prove that the person concerned provided this consent; if consent is provided within the context of a written statement which also concerns other issues, the request for consent must be presented in a way which makes it clearly stand out, and the person concerned is entitled to withdraw consent at any time.

Heavy fines for companies which do not comply
In case of lacking or inadequate compliance with the GDPR, fines are envisaged ranging from a simple administrative warning to fines which may reach 20 million euro based on the type, seriousness and consequences of the breach. Specifically, lack of compliance with he obligations of the processor and controller, of the certifying entity or of the control bodies imply fines of up to 10 million euro, or, for companies, up to 2% of the overall sales revenues of the previous year.
Non-compliance with the basic principles of processing, of rights of the persons concerned, of the rules concerning the transfer of personal data to third countries or international organizations, a temporary or permanent restrictive order or an order to interrupt the flow of data issued by the control authority, imply sanctions of up to 20 million euro, or, for companies, up to 4% of the global revenues of the previous year. To steer clear of unpleasant surprises, it is therefore best to comply with the rules on time and, above all, to comply diligently with the Regulation.