GDPR is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation).
GDRP was published in the Official Journal of the European Union L119 / 4 May 2016, entered into force on 25 May 2016 and will be applicable from 25 May 2018 throughout the European Union. The GDPR contains a set of rules designed to give citizens more control over the data they are able to identify.
News brought by GDPR
The Data Protection Officer (DPO) or the Data Protection Officer is a person with specialized knowledge of data protection laws and practices to assist the operator or the person empowered by the operator to monitor the compliance at internal level with the provisions Regulation (EU) 2016/679. The following conditions should be considered when designating a DPO:
New rights for people. Portability of personal data
Persons targeted will have new rights, such as the right to data portability, that is, individuals will be entitled to receive their data in a structured format
New rules on consent
Consent for processing will have a much more restrictive regime. Thus, the request for an agreement must be intelligible and easily accessible, in a clear and simple language; if several aspects are included, the request for the agreement must be clearly differentiated from the other aspects; the withdrawal of consent must be as simple as it was given; consenting conditionality (eg conditional delivery of a service or delivery of a good to the data processing agreement for direct marketing) is not allowed.
Currently, the processing of personal data has to be brought to the attention of the data subjects, but the rules applicable on 25 May 2018, according to GDPR, require a number of additional elements, such as data protection officer, processing ground, how long the data is kept, etc.
Who should designate a DPO Authorities or public institutions (courts must establish their own supervisory mechanisms for processing in the course of their judicial function) Organization / undertaking / legal person / entity which, in the capacity of operator or person empowered by operator, performs as main activity processing operations which, by their nature, scope and / or purposes, require regular and systematic monitoring of the large-scale data subjects. The organization / undertaking / legal person / entity which, as an operator or person empowered by the operator, processes, on a large scale, special categories of personal data or personal data on criminal convictions and offenses. Who is required to implement GDPR? GDPR applies to any organization operating within the EU as well as to any non-EU organization providing goods or services to customers or businesses in the EU. Finally, it means that almost every major corporation in the world will have to be prepared for GDPR to come into force. The purpose of GDRP is to streamline the regulatory environment for businesses so that citizens and businesses can fully benefit from the digital economy. There are two different types of data processing operators: the legislation applies to processors and operators. The definitions of each term are set out in Article 4 of the General Data Protection Regulation. Sanctions and Obligation Failure to comply with GDPR may result in a fine from 10 million to 4% of the company's global annual turnover, which for some could mean billions. Fines will depend on the severity of the violation of the regulation and if it is considered that the company has taken the necessary steps to ensure data security seriously. The maximum fine of 20 million euros or 4% of the company's global annual turnover will be granted in violation of the rights of the data subjects, the unauthorized international transfer of personal data and failure to adopt procedures or ignoring a person's request for personal access. Fines of 10 million or 2% of global annual turnover will be applied to companies using personal data in other ways. These include failure to identify data breaches and failure to ensure confidentiality and data protection in the first stage of the project.