Overtaken by the tremendously fast-paced evolution of technology, the current legislation[1] on personal data protection no longer ensures an adequate level of protection for European citizens. Recognizing this, the European Union enacted at the end of May 2016 a new General Data Protection Regulation[2] (hereafter “GDPR”), which is to enter into force on 28th May 2018.

According to the action plan of the European Commission for a “Digital Single Market”, the GDPR’s purpose is to restore faith in the digital economy by strengthening the rights of European consumers and citizens as well as their control over their personal data. In this respect, some innovations for the benefit of consumers are worth mentioning, such as: the strengthening of the information obligation and the consent requirement, the introduction of new rights (right of erasure, right of access to the data, data portability, etc.), and the introduction of new remedies, including deterrent fines.

If the European citizens have every reason to be fully satisfied with the new regulation, what about the businesses?

The reinforcement of European citizens’ rights has its downside, which is the imposition of new obligations on data controllers. Thus, the GDPR will be a revolution, and the interim period running until its official entry into force, scheduled for 28th May 2018, will be essential for data controllers to bring themselves into compliance with their new duties.

It should first be recalled that any business is potentially affected by the new restrictions imposed by the GDPR. Indeed, the “processing of personal data” is defined so widely that the mere collection of any piece of information allowing the direct or indirect identification of a natural person is sufficient to fall within the scope of the new obligations of the GDPR.

All the new obligations imposed by the GDPR on the data controllers rely on two fundamental underlying principles:

  • The first one, “Privacy by Design (PbD)”[3], means that the protection of personal data shall become the rule rather than the exception. By default, data protection shall be ensured by the data controllers implementing organizational and technical measures suitable for the processing purposes (e.g. data pseudonymisation, limitation of the amount of personal data collected, of the extent of data processing, of the retention period, of data accessibility, etc.).
  • The second essential principle is “Accountability”[4]. On this basis, data controllers shall no longer declare data processing to the different national supervisory authorities. In the future, data controllers and their sub-contractors shall be obliged to keep a record of all processing activities in order to prove at any time their compliance with the obligations of the GDPR.

What, strictly speaking, are the main provisions of the GDPR and the challenges it sets for businesses processing personal data in Europe?

Extraterritorial application – Data controllers and their subcontractors, even if established outside the EU, will have to comply with the GDPR provisions as soon as their activities target European citizens or consumers.

Joint responsibility of data controllers and subcontractors – A subcontractor processing personal data on behalf of a data controller will also have to comply with the obligations of the GDPR. If it fails to do so, it could be held liable alongside the data controller.

Strengthening of the information obligation and the consent requirement – Any data controller shall provide concise, transparent, intelligible and easily accessible information, using clear and plain language, to any European citizen whose personal data are being processed. In addition, businesses processing personal data shall also inform any person concerned of the existence of his/her rights, namely the right to complain to the European Data Protection Supervisor (EDPS), as well as the details of any potential transfer of his/her personal data out of the EU and the contact details of the Data Protection Officer. In line with the abovementioned general principles of “Privacy by Design” and “Accountability”, businesses shall be able to demonstrate the explicit consent of their users/customers for every single data processing operation.

Data protection impact assessment – When a new technology is likely to result in a high risk to privacy, or in the event of profiling or large-scale data processing, the data controller shall first conduct a data protection impact assessment in order to adopt suitable protection measures compliant with the GDPR.

Notification of personal data breach – The supervisory authority shall be notified by the data controller or its subcontractor within 72 hours in the event of any breach of personal data. The individual concerned by the breach of his/her personal data shall also be notified if there is a high risk to his/her rights and privacy.

Designation of a Data Protection Officer – Some data controllers with higher risk factors (e.g. public organizations, or businesses processing personal data systematically or on a large scale) shall be obliged to designate a Data Protection Officer. The tasks of the Data Protection Officer shall be to ensure the correct application of the GDPR, to provide advice and guidance thereon, and to cooperate with the European Data Protection Supervisor (EDPS).

Record of processing activities – Any data controller or subcontractor shall keep a register of all its personal data processing activities. Unless the data processing presents an increased risk, businesses with fewer than 250 employees can be exempted from the abovementioned obligation.

New obligations for the transfer of personal data outside the EU – In the future, the personal data of European citizens shall be transferred to a third country only if the country of destination guarantees a suitable level of protection for the data and has received an approval from the European Commission.

Code of conduct and certification – The GDPR explicitly encourages the creation and adoption of codes of conduct, labels or other certifications in order to promote compliance with its obligations.

Unlike previous legislation, the GDPR has found the appropriate words to capture the hearts and minds of data controllers. The solution? Hang a sword of Damocles over the heads of businesses processing personal data, since non-compliance with the GDPR can be sanctioned by an administrative fine of up to 20 million euros or 4% of worldwide turnover. Besides the financial sanctions, it is also the reputation of the non-compliant business that is at stake. Indeed, a data controller sanctioned for breaching a piece of legislation whose purpose is to restore European citizens’ confidence in the digital economy would inevitably be singled out as a black sheep. Therefore, it is very likely that consumers will not hesitate to turn towards other actors more concerned with the protection of their personal information.

While the new obligations imposed by the GDPR will be significant for businesses processing personal data, data controllers and processors shall also benefit from these new European rules. First, the 28 different national legislations on personal data protection and the 28 national supervisory authorities will be replaced by a single framework and a single contact person at the European level. This major change, together with the reduction in the cost of administrative formalities, shall result in savings of up to 130 million euros for the processing businesses. Secondly, the right to data portability shall enable consumers to transfer their personal data more easily to another service provider, which would certainly increase competition and guarantee startups and SMEs easier access to the market. Finally, one of the main concerns of the GDPR was to prevent an excessive administrative burden on SMEs. In this regard, it should be recalled that most SMEs will neither have to designate a Data Protection Officer nor keep a record of their processing activities.

If implementing the GDPR is already going to represent a significant amount of work for businesses that comply with the current legislation, the task is likely to be daunting for businesses which will have to apply personal data protection legislation for the first time, or which have been overlooking it because of the weak sanctions incurred. Therefore, the two-year transitional period being already well under way, it is now crucial for every data controller or business processing personal data to: (i) make a full assessment of all its activities in order to identify those likely to fall within the scope of the GDPR, (ii) evaluate the compliance of every subcontractor with the coming regulation in order to avoid joint liability, and (iii) adopt the appropriate measures in order to be compliant with the GDPR by its entry into force, scheduled for May 28th, 2018.

Luxembourg, 06/12/2016

[1] Directive 95/46/CE, transposed into Luxembourgish legislation by the Law of 2 August 2002 on the protection of individuals.

[2] Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/CE.

[3] Article 25 of the GDPR.

[4] Article 5.2 and Chapter IV of the GDPR.