Compared to the current Directive 95/46/EC, transposed into Romanian law by Law 677/2001, the G.D.P.R. introduces:
- Determination of the scope for which data is processed;
- Elimination of the current notification mechanism of the national authority (NSAPDP) and introduction of the accountability principle – the operator must be able to demonstrate that it complies with the GDPR requirements;
- More extensive rights for the data subject and more restrictive rules for consent;
- Designation of the Data Protection Officer;
- Obligation to notify security incidents;
- Serious sanctions (up to 4% of global turnover or 20 million euros).
The G.D.P.R. sets out six principles with which the operator must prove compliance:
- Legal, fair and transparent processing of data;
- Data collection for determined, explicit and legitimate purposes;
- Processing is appropriate, relevant and limited to purpose;
- Data is accurate and kept up to date;
- Keeping data in a form that permits identification of the data subjects for a period not exceeding the time required to meet the purposes for which the data are processed;
- Data processing in a way that ensures proper security.
Personal data is used and shared with great ease by many entities, but from May next year the law will force companies to comply with clear rules. At this moment:
- 80% of companies are just beginning to become aware of the changes that are taking place;
- only 20% of economic players understand and actually adapt to the requirements regarding the protection of personal data.
The fines that can be applied for non-compliance are up to 4% of turnover or 20 million euros, whichever is higher.
The General Data Protection Regulation (G.D.P.R.) is applicable in all Member States as of 25 May 2018, replacing the current Directive 95/46/EC, transposed into Romanian law by Law 677/2001.
The new regulation has emerged from the need to continue the effort of unifying the European economic market, keeping pace with new technologies and helping to raise awareness of the actual value and impact of information at the moment.
There have been many infringements of the current data protection rules with regard to the personal data that Romanian entities collect. Given new technologies and developments, the law in force leaves the processing and transfer of personal data unclear to most of those directly involved in the process:
- individuals whose data are processed;
- beneficiary companies;
- service providers processing personal data.
A recent poll conducted at European level on personal data protection has revealed that only 20% of those interviewed (representatives of companies in various industries) are already considered to be in compliance with the General Data Protection Regulation. Meanwhile, 59% say they are still working on this and 21% admit they are not ready at all.
Looking at Romania’s situation, things are even more alarming. Under the legislation in force and the related implementation mechanisms, companies’ efforts to protect personal data were in most cases nonexistent. The new Regulation addresses this problem by setting very high fines for non-compliance.
Compared to other European countries, the sanctions applied by the Romanian supervisory authority (NSAPDP) have been considerably milder: the highest fine in Romania was around LEI 50,000, while in other EU member states fines regularly reach hundreds of thousands of euros.
- in 2016, in the UK, the total amount of fines for breaching data protection obligations reached 3.2 million pounds;
- Italy has recently applied total sanctions of over EUR 11 million (between EUR 850,000 and EUR 5.9 million for each of the companies involved in the investigation).
There are only six months until 25 May 2018, six decisive months for economic operators to get ready to enter the new era of data protection.
Although almost all economic operators are affected by the new regulation, the most exposed are those working in media, telecom, marketing, retail, banking, cloud services, medical and pharmaceutical services, online activities or any other area involving large-scale direct interaction with individuals.
Contact an Advisor
If you have any questions regarding this topic and how it might have an impact on your business, please contact the Mirus Consultant with whom you regularly work, or: