Refreshed: 30. 1. 2018
Commission releases Communication on GDPR
The European Commission has issued a communication to the European Parliament and the Council on the direct application of the GDPR. The Communication outlines remaining steps for successful GDPR preparation, and gives the measures the European Commission intends to take up to 25th May 2018. Among the measures, there is new online guidance from the Commission. The Communication also reveals that one year after the GDPR enters into application, the Commission will gather feedback from stakeholders on implementing the GDPR to feed into its evaluation and review of the GDPR by May 2020.
New rules on personal data protection in the EU
New: Article 29 Working Party and European Data Protection Board Guidelines on GDPR
On 4th May 2016 two key documents for new EU legislative framework on personal data protection were published in the Official Journal of the European Union:
· Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
· Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
General Data Protection Regulation (GDPR) entered into force on 25th May 2016 and will become directly applicable in all member states two years after its publication. The same deadline also applies for transposition of the Directive into national law.
The details of GDPR implementation in Slovenian legislation are not public yet. For further information, we suggest following our website and the website of Slovenian Ministry of Jurisprudence, competent for drafting personal data protection legislation.
EU Data Protection Reform is a legislative framework, proposed by the European Commission in 2012 with the intent to update and improve the 1995 Data Protection Directive. Since the adoption of the 1995 Directive technological progress and globalisation have profoundly changed the way our data is collected, accessed and used (e.g. with development and wider use of cloud-computing, social networks, smart telephones), which is why adaptations and renewal of legislative framework were needed. Harmonized and renewed data protection legislation is essential for providing basic rights of individuals to personal data protection, for digital economy development and for a stronger fight against international crime and terrorism.
The legislative framework includes a Regulation setting out a general EU framework for data protection (GDPR) and a Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.
In 2010 the Commission presented a Communication to the European Parliament, the Council of the European Union, the Economic and Social Committee and the Committee of the Regions “A comprehensive approach on personal data protection in the European Union“, which was welcomed by the recipients. The Communication was the Commission’s basis for the 2012 Data Protection Reform.
The proposal was accepted in ordinary legislative procedure, which means that the Council of the European Union and the European Parliament adopted it jointly.
In March 2014 the Parliament approved its own version of the regulation in its first reading, which served as the basis for negotiation among the institutions. Proposal for updated data protection regulation was presented to the Council in January 2012, and was handled by the Working Party on Information Exchange and Data Protection (DAPIX). Article 29 Working Party, which is composed of representatives of the national supervisory authorities in the Member States, adopted its views on key matters of the reform. On 15th June the Council of the European Union approved its version in its first reading, known as the general approach, allowing the regulation to pass into the final stage of legislation known as the “Trilogue” (negotiation between the representatives of the Commission, the Parliament and the Council). The negotiation was finished in December 2015, the reform package was then adopted by the European Parliament on 14th April 2016, while the final texts of the proposals were published in the Official Journal of the European Union on 4th May 2016.
Essential proposed amendments
Data subject’s rights
GDPR lists the rights of the data subject, that is the individual whose personal data is being processed. These rights include the right to access by the subject to his or her personal data, the rights to rectification, to erasure and 'to be forgotten', the right to object, and the right to data portability from one service provider to another. It also lays down the obligation for controllers (those who are responsible for the processing of data) to provide transparent and easily accessible information to data subjects on the processing of their data.
Obligations of data controllers and processors
GDPR details the general obligations of the controllers and of those processing the personal data on their behalf (processors). These include the obligation to implement appropriate security measures and notification of personal data breaches.
All public authorities and those companies that perform certain risky data processing operations (regular and systematic monitoring of individuals on a large scale, processing of special categories of data on a large scale) will also need to appoint a data protection officer.
Data controllers will no longer be obliged to publish personal data filing systems in the Register of Filing Systems, however, the obligation to adopt Filing system catalogues maintains, and is even introduced for (contractual) processors.
GDPR also emphasizes (prior) data protection impact assessment and consultation, and in case of personal data breach provides an obligation for data controllers to notify the competent supervisory authority and in certain cases the data subjects as well.
The regulation confirms the existing obligation for member states to establish an independent supervisory authority at national level. It also aims to establish mechanisms to create consistency in the application of data protection law across the EU. It is of great importance, that in cross-border cases where several national supervisory authorities are involved, a single supervisory decision is taken. This principle, known as the one stop shop, means that a company with subsidiaries in several member states will only have to deal with the data protection authority in the member state of its main establishment.
GDPR includes the setting up of a European Data Protection Board. This board would consist of representatives of all 28 independent supervisory authorities and would replace the existing Article 29 Working Party.
The right to judicial remedy and penalty
The regulation also provides for the right of data subjects to lodge a complaint with a supervisory authority, as well as their right to judicial remedy, compensation and liability. Very severe sanctions against controllers or processors who violate data protection rules are provided. These administrative sanctions will be imposed by the national data protection authorities.
Codes of conduct and certification
Codes of conduct and certification processes are emphasized in the GDPR as new mechanisms for providing and proving proper personal data processing.
- Eurobarometer Research on relations to personal data protection:
- Reform Timeline with relevant documents