The European Parliament and the Council, having in mind the fundamental right of each natural person to the protection of his or her personal data when it is processed, together with rapid technological developments and globalization, adopted on 27 April 2016 the General Data Protection Regulation, 679/2016/EC (the “GDPR”). This new legal framework on data protection aims to strengthen natural persons’ control over their personal data while preserving the free movement of data.
The GDPR repeals the previous Data Protection Directive 95/46/EC, since recent developments called for stronger, more solid and coherent data protection rules providing legal certainty and transparency.
The new Regulation will become directly applicable in all Member States from 25 May 2018, without the need for implementing national legislation.
The GDPR protects all natural persons and covers data processed by automated means, such as computers, as well as data incorporated in non-automated filing systems, such as paper files.
Generally, the scope of the new Regulation is broadened by covering the processing of personal data where: (i) the controller or the processor is established in the European Union (the "EU"), regardless of whether the processing takes place in the EU or not; (ii) the data subjects are in the EU, the controller or processor is not established in the EU, and the processing activities relate to the offering of goods or services or to the monitoring of the data subject's behaviour which takes place within the EU; and (iii) the controller is not established in the EU but in a place where Member State law applies by virtue of public international law.
The GDPR does not apply to the processing of personal data in the course of an activity that falls outside the scope of Union law, by a natural person in the course of a purely personal or household activity, or by competent authorities in relation to the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
The controller and the processor shall designate a data protection officer in any case where: (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or (c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.
Under the new Regulation the administrative fines are even higher than before: fines are now up to €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. These clearly deterrent fines are imposed on those who do not comply with their obligations under the new Regulation. Therefore all controllers and processors must comply with the GDPR’s provisions from 25 May 2018, when the Regulation becomes uniformly and directly applicable in all EU Member States.