New general Data Protection Regulation

The main scope of the Regulation is to adapt and update the main objectives and principles established by the Directive 95/46/EC, which shall remain valid, in line with current technological developments. The Regulation establishes a unique set of rules, directly applicable to all EU member states, designed to protect the privacy of individuals more effectively within the European Union and to ensure transparency.

What is new?

  • Area of applicability – the Regulation shall apply directly to all EU member states, protects the rights of all individuals within the EU, irrespectively of the geographic location of the personal data operators, and expands the scope on the personal data operators located outside of EU, in case their goods and/or services are targeting individuals located within EU.
  • New rights for the targeted individuals – individuals may ask for deletion of data which was processed illegally, without prior consent or if such data is no longer needed for the purpose in which it was processed. Also, individuals may ask for transfer of personal data to another personal data operator.
  • Provisions related to minors – the Regulation provides, as mandatory, the consent of the parent or legal guardian.
  • One-stop-shop for the personal data operators – in case the operators carry out activities in more than one member state, the competent authority shall be the one at the headquarter.
  • Impact evaluation report – such report shall be mandatory for processing of personal data which presents a high risk on the privacy of the individuals.
  • Transfer of personal data outside EU region – the Regulation establishes new tools for ensuring a high level of protection, by including, among the already implemented tools, new ones such as: BCR (binding corporate rules), standard contractual clauses, as well as Decisions of the EU Committee on the adequate level of protection.
  • Data protection officer (DPO) – each personal data operator shall be obliged to appoint a responsible person – DPO – which shall offer necessary advice in how to comply with operators` obligations and to ensure required transparency for the targeted individuals.

Severe sanctions are provided for violation of the provisions of the Regulation, reaching up to 10-20 million euros or between 2-4% of the international turnover of the operators from private sector. It is still under discussion if and in which way to apply non-compliance sanctions to operators from the state sector.

Concluding on the above, the Regulation creates new obligations to the personal data operator, forcing them to strengthen personal data protection measures, to be accountable for the way they process personal data and to ensure transparency in regard to the targeted individual.

Contact an Advisor

If you have any questions regarding this topic and how it might have an impact on your business, please contact the Mirus Consultant with whom you regularly work, or:

Irina Craciun

  • Legal Contributions
  • Bucharest
  • +40 724 000 173