New EU data protection law: Fines up to EUR 20 million or 4 % of global turnover
The General Data Protection Regulation (GDPR), adopted by the EU Parliament in 2016, provides a higher standard of protection for the personal data of individuals in the EU. The GDPR has direct effect in all member states as of May 25, 2018, and it affects businesses all around the world that deal with individuals located in the EU.
The new regulation is intended to give individuals in the EU a higher level of control over their personal data in today's digital world. "Personal data" means any information relating to an identified or identifiable natural person.
Expanded duties and liability
Every business is affected
Every organization should be aware and prepared. Data protection law applies to every organization, since all of them necessarily process personal data. "Processing" means any operation performed on personal data. Typical processing activities include managing the personal data of employees and customers, receiving job applications, sending newsletters, issuing loyalty cards, operating CCTV, operating an online shop, maintaining a company presence on social media platforms, organizing lotteries, and running electronic access control systems.
Businesses from outside the EU are also affected and must comply with the new regulation if they offer goods or services to individuals in the EU, or monitor the behaviour of individuals in the EU insofar as that behaviour takes place within the EU. The mere accessibility of a non-EU website from the EU is not sufficient to conclude that goods or services are being offered to individuals in the EU. Monitoring behaviour covers, in particular, the tracking of natural persons on the internet for the purposes of profiling, analysing or predicting their personal preferences or attitudes.
The so-called flexibility clauses (opening clauses) of the GDPR allow each EU member state to enact its own national law in specific fields of data protection. Austria and Germany have already adopted their new national legislation; in the other countries of our alliance the new law is still to come.
Non-compliance is not an option
Any organization that is not adequately prepared and is found to be non-compliant after May 25, 2018 exposes itself to massive fines and potentially serious litigation. Under the new law, fines for the most serious infringements may be imposed up to EUR 20 million or 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher; a lower tier of up to EUR 10 million or 2 % of turnover applies to other infringements, such as breaches of the controller's and processor's own obligations. The national data protection authorities are expected to increase their enforcement activity and to align their practice so that similar breaches are fined at harmonized rates across the EU. Individuals may claim damages, and courts are expected to award higher amounts than before.
With severe fines, the threat of lawsuits for violations and the loss of good reputation, organizations simply cannot afford not to comply with the GDPR.
As partners with great experience and extensive expertise in this field we will be glad to support you on all questions relating to the subject of data protection, as well as in establishing a data protection management system.