Post by: Lila Machado, Associate Zaroni Advogados
The General Data Protection Regulation (GDPR), which was approved by the European Union Parliament in April 2016, at first glance seemed to be effective only within EU borders. However, it is worth noting that this new regulation — to be enforced as of May 25, 2018 — also applies to organizations outside the EU that handle personal data of EU residents. Therefore, this matter deserves the attention of all companies in this industry, especially regarding the following issues.
The GDPR unifies the way companies should manage personal data and privacy, giving back to EU residents the control over their own personal data collected for commercial — or political — purposes.
The main goal behind these normative changes is to constrain the commodification of personal data, reinforcing the idea that this group of information should not be considered mere merchandise but, above all, a fundamental right and freedom of natural persons, who have the right to the protection of data concerning them.
It imposes new obligations on companies, which from now on must follow what the GDPR prescribes regarding the processing of personal data of EU residents.
According to GDPR’s Article 4.2:
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
As previously emphasized, the GDPR is also mandatory for companies outside the European Union that offer goods or services, whether or not a payment is required, involving EU residents’ personal data, and that process and hold this data, regardless of the company’s location.
In today’s global and digital context, this is not an uncommon scenario. E-commerce, social media advertising, cloud computing services, and countless other internet-related business activities, when they involve the use of personal data of EU residents, fall under the GDPR’s rules.
These companies will have to comply with GDPR requirements such as appointing a person in charge of data processing — who is responsible for all personal data processing operations within the company — and, in some cases, designating a representative located in the EU who will represent the company in the event of inspection by the competent authorities.
Oftentimes, these data processing companies (controllers and processors) will not only manage personal data directly collected under the data subject’s explicit consent, but they will also have to handle personal data required for contracts and agreements to which the data subject is a party, as well as data required to ensure compliance with legal obligations imposed on them, to safeguard the vital interests of data subjects, and in many other scenarios.
Where an individual’s consent is required for personal data processing, it is worth noting that such consent should be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Furthermore, the GDPR creates new rights for EU residents that can be enforced against companies. Rights of a data subject include:
• Right to have their personal data removed at any time, using the same means by which the data subject gave their consent;
• Right to ask for and receive information about the processing of their personal data by the company;
• Right to access their personal data and receive information about how this data is processed, as well as for what purpose the company collects or processes personal data, all the recipients of the personal data, and whether their personal data will be subject to automated decisions;
• Right to rectify and erase personal data, as well as to withdraw their consent;
• Right to restrict the processing of their personal data when the processing is unlawful or the company has failed to erase the data subject’s personal data;
• Right to personal data portability, allowing the data subject to ask for and receive all the personal data they have provided.
In addition to complying with the rights above, companies must keep track of all activities related to the processing of personal data, put in place technical measures to ensure an appropriate level of security for the processing of collected personal data, and notify EU authorities and the affected individuals of any personal data breach.
The GDPR also allows the transfer of personal data to a third country when that country ensures an adequate level of protection. This assessment takes into account, but is not limited to, the rule of law, respect for human rights and fundamental freedoms, relevant legislation, and the existence and effective functioning of one or more independent supervisory authorities.
Where no such adequacy exists, the GDPR still allows the transfer of personal data to a third country if the controller or processor provides appropriate safeguards, on the condition that enforceable data subject rights and effective legal remedies are available, or in specific situations under Binding Corporate Rules approved by national authorities.
Competent authorities have full powers of investigation over controllers and processors, including requesting information, accessing a company’s facilities, and requiring a company to take positive actions to comply with all the rights and obligations mentioned above.
Any company that fails to comply with GDPR requirements on the processing of EU residents’ personal data is potentially subject to severe penalties, including administrative fines starting at 10 million EUR and prohibition of processing personal data.
In light of the above, it should be stressed that all companies that handle and process personal data must be aware of the GDPR’s new rules and, where applicable, consider drafting new contractual clauses to ensure that transactions and operations involving the use of personal data remain lawful under the new European rules.