After more than four years of negotiation, the new regulation on personal data (the “Regulation”) was finally adopted on May 24, 2016. However, it shall take effect only as of May 24, 2018. Data controllers and processors will have until this date to comply with the Regulation, including for data processing already in place by that date.
The purpose of the Regulation is to adapt the rules on personal data to the digital world and to harmonize said rules within the European Union (EU) member states. This text will replace the existing regulation.
Its scope is broad: it will apply when (i) the personal data collected relate to a citizen residing in the EU, whether or not the data controller is established in that territory; or (ii) the data controller or its processor resides in the EU, i.e. the Regulation would apply to a non-European citizen whose data are collected or processed by an EU company. The criterion of the data controller's place of establishment, used until the new Regulation comes into effect to define the law applicable to data processing, has thus been significantly expanded. The aim is in particular to regulate data processing carried out over the Internet when one of the parties involved in the processing (the data controller/processor or the person whose data are processed) is located outside the European Economic Area.
The following essential points of the Regulation should be noted:
- It establishes a high level of protection and control of citizens over their personal data, particularly by creating a right to data portability and enshrining a “right to be forgotten”;
- It fundamentally modifies the liability regime. For instance, data controllers are no longer subject to the declaration obligation (however, the authorization scheme is maintained for certain cases) and will have to demonstrate that they have complied with the provisions of the Regulation; legal obligations will now apply to data processors;
- Administrative penalties have been strengthened in the event of non-compliance with these rules: such penalties could range up to 4% of the company's annual worldwide turnover, or up to 10 or 20 million euros in other cases.
More specifically, companies processing personal data shall now:
- Implement appropriate technical and organizational measures and be able to demonstrate compliance with the Regulation at any time (the “accountability principle”). In this respect, data controllers should for instance guarantee the confidentiality of the data processing, or ensure that, by default, only those data strictly necessary for each purpose are processed (the “minimization principle”);
- If a company has more than 250 employees (subject to certain exceptions), maintain a record of processing activities comparable to an inventory of processing operations;
- Appoint a data protection officer if the company belongs to the public sector, if its core activities consist of processing operations which require systematic monitoring of data on a large scale, or if its core activities consist of processing (again on a large scale) “sensitive” data or data relating to criminal convictions;
- Notify security breaches to the authorities (and to the persons concerned if the breach is likely to result in a high risk to the rights and freedoms of a person) within 72 hours of becoming aware of them.
Given that the Regulation will apply to data processing already in place in May 2018, companies have an incentive to make the necessary changes as soon as possible in order to abide by these new rules, which require a reorganization, particularly for data processors, which are bound by legal obligations for the first time.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.