
The EU General Data Protection Regulation (GDPR) is a regulation that requires all organizations providing services to, or handling data related to, EU citizens to comply with it, even if the organizations are not located in the EU. It was adopted on 8 April 2016 and replaces the EU Data Protection Directive. The Regulation will be applicable to all EU Member States and will come into force on 25 May 2018.

Goals of GDPR

EU GDPR updates the current legislation in response to digitalization and technological developments and increases the harmonization of standards between EU member states. It aims to protect individuals from unauthorized use of their personal information by companies and to be easy for data controllers around the world to follow.

Consequences of not complying with GDPR

If a company does not comply with the Regulation, there will be significant fines, reaching 2% of its annual revenue or €10 million; for more serious breaches the fines can be as high as 4% of the company’s annual revenue or €20 million.

Actions required

In order to comply with the General Data Protection Regulation, companies should:

  • Ensure that consent has been obtained on handling personal data, and that it can be proven.
  • Conduct a Data Protection Impact Assessment to identify the most effective way to comply with data protection obligations and individuals’ expectations.
  • Identify and notify their supervising Data Protection Authority.
  • Maintain records of processing activities.
  • Appoint or hire a Data Protection Officer (DPO), who will supervise compliance and data protection strategies.
  • Prepare to report data breaches within 72 hours.

The above can be implemented with an effective and updated Cyber Security Management Plan, for both data protection and protection against cyber-attacks.


Annex 1: Frequently Asked Questions regarding GDPR

1. What is Personal Data?

Personal data is any information relating to a person who can be identified by an identifier such as a name, identification number, location data or online identifier, or through specific factors relating to their biological or social identity. Special category personal data is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic or medical data, or sexual orientation.

2. What does Processing Personal Data mean?

Processing is performing any operation on one or more items of personal data. Examples are automated activities (such as generating a mailing list from a database) as well as amending, searching for, using, disclosing, erasing or deleting personal data.

3. What are Data Controllers and Data Processors?

A data controller is the organization which, either alone or in conjunction with others, determines the purposes and means of the processing of personal data. If your organization uses any personal data for any commercial purpose, it is likely that you are the controller of some or all of that information.

A data processor undertakes processing of personal data on behalf of a controller. Note that GDPR obligations apply to processors as well as controllers.

4. Which is the Data Protection Authority (supervisory authority) for a Company?

A supervisory authority is an independent public authority (one or more per Member State) designated by that Member State to be responsible for monitoring the application of the Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the EU. Companies to which the GDPR applies will be subject to the oversight of the data protection authority situated in the EU member state where the majority of their operations are situated or take place.

5. What is the key requirement of GDPR?

Processing of personal data must be lawful, fair and transparent. Processing personal data is only permitted if:

  • Consent has been obtained
  • The processing is necessary, and an appropriate privacy notice has been issued.

Processing is considered necessary if it is undertaken to meet at least one of the following criteria:

  • Perform a contract with the individual
  • Comply with a legal obligation
  • Protect the vital interests of the individual or another person
  • Perform a task in the public interest
  • Allow Company to pursue its legitimate interests, provided these are not overridden by fundamental rights of the individual such as the right of privacy.

6. What is a Privacy Notice?

Where Company acts as controller (see Q3) and has obtained personal data either directly from the relevant individual or from a third party, it must provide the individual with a privacy notice. The privacy notice must contain:

  • The identity and contact details of Company
  • Contact details of Data Protection Officer
  • Purposes of processing data
  • Legal Bases for the processing of data
  • An explanation of who will receive the personal data, including third parties
  • If applicable, a reference to the fact that Company may transfer data to a Country (or organization) outside of the EU and the description of how the data will be protected.
  • Details for data storage (including time frame of storage)
  • Details of the individual’s right to request access to and rectification of their data, or to request restriction of processing of their data.
  • Explanation of the individual’s right to lodge a complaint with an EU data protection authority
  • A notice in case providing data is a legal requirement or necessary to perform or enter into a contract.
  • Details of any automated or profiling processes applied to the personal data (if applicable)

7. What are the individual’s rights regarding their data under the Regulation?

  • Individuals have a right to request details of data about them held and processed by the Company
  • Individuals have the right to object to processing of their personal information.
  • Data portability. Individuals have the right to request the transfer of their data to another Company or organization. The information held about them must be provided in a structured, commonly used format which can be used by IT applications.
  • Right to be forgotten. Individuals have the right to request that their data be rectified or erased without undue delay, or that its processing be restricted, where:
    • The information is no longer necessary
    • The data has been unlawfully processed
    • Consent to the processing has been withdrawn
  • If the individual is not happy about any of these matters, he/she has the right to complain to the relevant data protection authority

8. Who is the Data Protection Officer?

Each Company subject to the regulation has to appoint a Data Protection Officer who must have expert knowledge of data protection law and practice. The role must be independent from operations to enable the officer to provide appropriate oversight. The DPO’s contact details must be published and be known to all individuals within the Company.

9. How can a Company transfer data outside the EU (to a third country)?

Companies subject to the regulation are only permitted to transfer data to a third country in the following circumstances:

  • The third country (or a specific sector or territory within that country) has been designated by the EU Commission as having an adequate level of personal data protection.
  • Appropriate data safeguards are in place which are legally binding and enforceable.
  • The individual has explicitly consented to the third-country transfer, having been informed of the possible privacy risks arising where no adequate safeguards are in place.
  • The transfer is necessary for the performance of or entry into a contract, for public interest purposes, for the legal claims process, or to protect the vital interests of the individual or other people.
  • If none of the above options is available, the transfer may be permitted if only a small number of individuals are affected, provided that the relevant Data Protection Authority has been notified.

10. How to respond to a data breach?

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. Unless the breach is minor and would not threaten the privacy of any individual, the GDPR requires Companies to notify the relevant Data Protection Authority within 72 hours of becoming aware of the breach. If there is a delay in notification, the reasons must be explained. It is important to have in place a data breach response procedure which sets out the measures to be taken to address the breach and/or to mitigate its potential adverse effects. The procedure should also set out when notification to Data Protection Authorities is required and what information should be included in the notices.
