General Data Protection Regulation (GDPR): application in Europe and the effects across non-European countries

The General Data Protection Regulation (GDPR) is the new European Union Regulation on data protection and privacy, which came into force on 25 May 2018.

The new Regulation 679/2016 has been directly implemented within the European Union (EU) and the European Economic Area (EEA). The Regulation has the merit of achieving a more harmonious EU approach to privacy, through a consolidation act that is applicable in all member states, notwithstanding that the states maintain the right to issue supplementary provisions in this regard.

The new legislation represents a significant economic burden for professional firms and businesses, bearing in mind that the Regulation provides for fines of up to 4 percent of their global turnover or 20 million euros for multinational companies that do not comply with data protection requirements.

It is therefore important to highlight the main changes introduced by GDPR, concerning first of all the relevant information and consent.

GDPR information and consent requests must be given in a concise, transparent, intelligible and easily accessible form, in simple and clear language; the information and consent request shall be provided in writing or in electronic format and, if requested by the interested party, may also be provided orally, provided that the identity of the interested party is proven by other means.

With regard to consent to the processing of personal data, the latter must be free, specific, informed and not tacit or presumed, as well as unequivocal. Any form of tacit consent, or consent collected through the presentation of pre-selected options, is excluded. Here, it should be noted that consent shall always remain revocable.

The Regulation also maintains the so-called “right to be forgotten” or the right of the party to obtain the cancellation of their personal data, even online, by the data controller, in certain cases expressly provided for in the Regulation. The cases in which the right to be forgotten is subject to limits are also indicated in the Regulation.

GDPR introduces the portability of one’s data or the possibility that the holder transfers the portable data to another holder indicated by the interested party and with their consent. The rationale is to promote greater fluidity of the digital market.

Additional guarantees for minors are also provided in the Regulation. Internet service providers and social media, in fact, must request parental consent or parental authority to process the personal data of children under 16.

Impact assessments on data protection (Privacy Impact Assessment) will also be necessary in the event of risky processing and preliminary checks for different circumstances by the Guarantor.

In instances where an enterprise has more than 250 employees, GDPR requires that the controllers and the controller’s representative shall maintain a record of processing activities, adopt safety measures, notify any personal data breach to the competent supervisory authority not later than 72 hours after having become aware of it; they shall further designate a Data Protection Officer (DPO), a new organisational figure who provides to enterprises the necessary consultancy in regard to management and protection of personal data. This individual’s nomination by the company/professional is obligatory only in cases strictly indicated by the Regulation.

It should be emphasized that the legislation in question extends well beyond the borders of the European continent as it also applies to companies that, regardless of their geographical location, retain personal data relating to customers residing in Europe.

Lots of uncertainty among those affected by GDPR

Based on the results of Vanson Bourne research promoted by WatchGuard Technologies, 37% of global organisations are unsure if they need to comply with GDPR while 28% believe they don’t need to comply at all. Yet among the latter, 14% collect personal data from European citizens.

Lack of awareness about the scope of the GDPR is clearly a serious issue. It is, therefore, appropriate to clarify that “any non-EU company that comes into contact with the data of European citizens and offers them goods or services or monitors their behaviour must fully comply with the Regulation”. What’s more, this company will also have to nominate, within a Union country in the cases indicated in Article 27 GDPR, a representative who essentially performs the function of intermediary between the company and the National Guarantor Authority in the matter of protection of privacy or the body that monitors compliance with the new legislation.

In relation to the latter, the appointment of a representative within a member country is often unavoidable because, in the absence of a designated interlocutor, if non-compliance with the provisions of the GDPR is found, the company may face the initiatives of all the countries whose guarantors have reported an infringement and consequently a penalty may be imposed.

In a European context, the effects of the GDPR are felt in Switzerland, the United States, China, Russia, India, Great Britain, or in those countries that are the main interlocutors of transnational operations.

Another relevant novelty is represented by the fact that the transfer of data to third countries can also take place without the national authorization of the Guarantor, unlike what was in force with the previous Privacy Code. However, this is only partially true, as the authorization of the Guarantor will still be necessary if a holder wishes to use ad hoc contractual clauses or administrative agreements concluded between public authorities.

GDPR, in Chapter V, has foreseen that data flows to non-EU countries are forbidden unless there are specific guarantees that the Regulation lists in hierarchical order:

  1. adequacy of the third country recognized by decision of the European Commission;
  2. in the absence of an adequacy decision by the Commission, adequate guarantees of a contractual nature or agreement that must be provided by the owners involved (including the binding corporate rules (BCR) and model contractual clauses); and
  3. in the absence of any other condition, use of exemptions from the transfer ban applicable in specific situations.

With regard to the first point, it should be noted that the adequacy assessment must take into account the precise parameters expressly provided for by art. 45 paragraph 2 of the Regulation. A periodic review of this decision must then be carried out, in order to keep under control the effective adequacy of the level of data protection. If the State to which the data will be transferred has been judged adequate, all transfers to that State should no longer be subject to authorizations of any kind.

Regarding the second point, it should be noted that in this case the data controller or processor can transfer personal data to a third country only if they have provided adequate guarantees, specified by the GDPR in a non-exhaustive manner, and on condition that the data subjects have rights to action and effective remedies. Among these guarantees, the legal and contractual components play an important role.

As the third point highlights, exceptions to the prohibition of transfer are strictly required by the Regulation.

Binding Corporate Rules (BCR)

Lastly, the Binding Corporate Rules (BCR) deserve particular attention, as they are part of the adequate guarantees mentioned above but have the particularity of being aimed at cross-border transfer of data between companies belonging to the same group. These are embodied in a document containing a series of clauses (rules) that set binding principles to which all companies belonging to the same group (corporate) are held.

Article 4 of the Regulation expressly defines the “binding corporate rules” as “policies on the protection of personal data applied by a data controller or controller, established in the territory of a Member State, transfer or transfer complex of personal data to a data controller or controller in one or more third countries, within a business group or group of companies performing a common economic activity”.

The BCR, therefore, constitute a mechanism able to reduce and simplify the administrative burdens borne by the multinationals as regards the intra-group flows of personal data.

The issue of an authorization to transfer personal data through BCR allows, in fact, the branches of the multinational company which has requested it and regardless of their geographical location, to transfer, within the business group, the personal data subject of the BCR, as further obligations are not necessary.

Specifically, the content of these clauses consists of the complex of the technical rules, standards, security tools and company policies that the companies plan to implement, adopted by the intra-group companies for the transfer of data.

The fundamental requirement to use this mechanism is, therefore, the membership of the companies involved in the transfer to the same corporate group.

In order to be able to use BCRs, there must be approval from time to time by the competent supervisory authority on the matter, in accordance with the consistency mechanism pursuant to Article 63. In particular, to be approved it is required that:

  • BCRs are legally binding and apply to all interested members of the business group or group of companies engaged in a common economic activity, including their employees;
  • BCRs expressly confer on the interested parties rights that can be exercised in relation to the processing of their personal data; and
  • BCRs meet a series of stringent predetermined requirements.

From what has been expressed above, it is clear how, in the application of GDPR, companies will have to implement their own models of privacy protection and personal data processing at the European level but also towards third countries with important repercussions on intra-group relations. In the coming months, the first concrete responses to the normative text recently entered into force will be evaluated.

If you would like more information on GDPR or other related corporate issues, send us an email at talktous@horizons-advisory.com, and we’ll have a Horizons professional contact you.  
