On 25 May of last year the new EU Regulation 2016/679 on the processing of personal data entered into force. It repeals the previous Directive 95/46/EC and aims to regulate, in a binding and uniform manner for all EU Member States, the processing and free movement of personal data, taking into account all the technological innovations that have followed since 1995.
The Regulation will apply from 25 May 2018: businesses and all stakeholders will therefore have two years to comply with the provisions of this piece of legislation, which is binding in its entirety and directly applicable in all Member States.
The new features are numerous and significant. The main ones, whose importance should be stressed, concern above all the introduction of new roles in data processing and the provision of new rights, principles and obligations for the various parties, elements designed to better protect the privacy of data subjects.
To the already well-known and established principles of lawfulness, fairness, adequacy, accuracy and transparency of processing is added the principle of accountability of the person who carries out the processing. Taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the data controller shall implement appropriate technical and organisational measures to ensure, and be able to demonstrate, that the processing is carried out in accordance with the Regulation (Art. 24).
Another novelty among the principles concerns the conditions applicable to a child's consent in relation to information society services. Consent given for the purpose of data processing is lawful where the child is at least 16 years old. Otherwise, consent must be given or at least authorised by the parents, and the data controller, taking into consideration the available technology, must make every reasonable effort to verify that parental consent has been given.
On the subject of rights, the right to be forgotten is introduced, that is the data subject's right to erasure of personal data without undue delay where the data are no longer necessary for the purposes for which they were collected, or following the withdrawal of the consent on which the processing is based.
Another very important issue, both for businesses and for those who provide their data, is data portability, now recognised as a genuine right. Article 20 in fact states that the data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller without hindrance from the controller to which the data were initially provided. In addition, the data subject also has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
As regards the new roles and new parties introduced, the Regulation provides for the possibility of appointing more than one data controller, who determine transparently, by means of an internal arrangement, their respective responsibilities for compliance with the obligations placed on the controller by the Regulation itself.
Also new is the data protection officer, a person chosen on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. The appointment of this officer is mandatory when the processing is carried out by a public authority or body, when the processing operations require regular and systematic monitoring of data subjects on a large scale, or when the processing involves sensitive data on a large scale.
The data protection officer is supported by the data controller, who provides all the resources necessary to carry out his or her duties. Data subjects, the owners of the processed data, may contact the data protection officer directly on all matters relating to the processing.
Still on the subject of security, the Regulation is not limited to introducing the data protection officer, but also provides for data protection by design. Article 25 obliges the data controller to implement appropriate technical and organisational measures designed to implement the data protection principles effectively. This must be done both at the time of determining the means of processing (privacy by design) and, of course, during the processing itself.
As preventive protection and to avoid any personal data breach, two innovative measures are provided: the data protection impact assessment and prior consultation. The first is carried out when a certain type of processing, in particular one using new technologies, presents a high risk to the rights and freedoms of data subjects. The second is the direct consequence of an impact assessment that reveals the existence of risks: in that case the controller, before proceeding with the processing, must consult the competent supervisory authority, which, if it deems it appropriate, provides a written opinion within eight weeks.
A further guarantee of security may then be provided by data protection certifications, as well as by the seals and marks issued by the new certification bodies, whose establishment the Member States, the Commission, the Board and the supervisory authorities undertake to encourage.
Finally, Articles 68 et seq. establish the European Data Protection Board. This Board is a body of the Union whose tasks include ensuring the consistent application of the Regulation, providing advice, issuing guidelines, recommendations and best practices, accrediting certification bodies and specifying the requirements to be taken into account in the certification mechanisms.
These are just some of the main innovations, briefly summarised. It is now up to enterprises to follow the evolution of the situation closely and to adapt to the new provisions of the law within two years, on pain of not inconsiderable penalties, which can reach up to EUR 20,000,000.00 or, if higher, up to 4% of annual turnover.