Regulation (EU) 2016/679 on General Data Protection (the GDPR) Q&A

1. What is the scope of the GDPR?

General Data Protection Regulation (EU) 2016/679 or, in brief, the GDPR, sets forth the rules on the protection of natural persons with regard to the processing of their personal data and on the free movement of such data.

2. When is it expected to come into force?

The GDPR provisions shall apply from 25 May 2018.

3. What are the new guiding principles?

  • The focus has shifted to the accountability of controllers and processors, i.e. to adopting conduct that can demonstrate they have consistently put in place the measures needed to ensure the application of the GDPR, with special regard to the assessment of risks.
  • Assessing the risks connected with the processing operations is fundamental, and includes the risk of adversely affecting the rights and freedoms of the data subjects. That impact is evaluated by means of the Data Protection Impact Assessment (DPIA). On the basis of the DPIA, the controller may decide at its discretion whether to commence the processing (after taking suitable steps to ensure sufficient mitigation of the risks) or to seek guidance from the competent supervisory authority on how to deal with the residual risks.

4. What will change for controllers, processors and agents?

  • The characteristics and duties of data controllers and processors remain unchanged. Although the GDPR does not expressly provide for a “processing agent”, according to the Italian Data Protection Authority it does not forbid designating one.
  • In addition, the GDPR:
    • Regulates those instances where the data are jointly processed by multiple entities
    • Specifies the requirements of the instrument whereby the controller appoints the data processor
    • Allows the processor to designate sub-processors for specific processing tasks, subject to the same contractual obligations that bind the initial processor to the controller
    • Imposes specific obligations on data processors, distinct from those imposed on their respective controllers.

5. What are the Records of Processing Activities?

  • Data controllers and processors are required to maintain a record of the processing activities carried out by the controllers, or by the processors on behalf of the controllers.
  • Organizations with fewer than 250 employees are exempt from this obligation, provided that their processing activities do not entail a risk for the rights and freedoms of the data subjects, are not carried out on an occasional basis, and do not include atypical categories of data, or personal data relating to offences and criminal convictions. The three conditions above are alternative, not cumulative.
  • The information that must be contained in the records is set out in article 30 of the GDPR.

6. How should the security measures be assessed?

  • The security measures must “ensure a level of security appropriate to the risk” of processing.
  • The assessment is entrusted to the controller and the processor, on a case-by-case basis, according to the specific risks identified.
  • Attention is also drawn to the option of adopting specific codes of conduct or certification schemes to demonstrate that the implemented security measures are fit for purpose.
