The protection of natural persons in relation to the processing of personal data is a fundamental right. The right to the protection of personal data must be considered in relation to its function in society and be balanced against other fundamental rights in accordance with the principle of proportionality.
Nowadays, rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Natural persons increasingly make personal information available publicly and globally.
Regulation 2016/679 was voted on 27/04/2016 and will be in full force on 25/05/2018 in all Member States. It has been approved as a unified legal framework, repealing the older legislation.
The establishment of the unified legal framework sets a series of obligations and restrictions on organisations relating to:
- Processing of personal data throughout their entire lifecycle
- The possibility of transferring them to other countries
- Protection of the rights of natural persons
- The security (confidentiality, availability and integrity) of personal data
- The disclosure actions that the organisation is obliged to carry out in cases of infringement
The new regulation increases the obligations of organisations and at the same time raises the size of the penalties and fines (up to 20 million euros or 4% of worldwide turnover).
Government organisations and public and private companies which collect, concentrate, process and generally handle personal data relating to customers, clients, employees, associates or other natural persons are covered by the regulation. It also covers organisations established both within and outside the European Union, provided that the data relate to EU citizens.
Organisations and companies within the scope of the regulation must:
- Comply with the basic principles of the protection of personal data, and therefore collect these data for a specific purpose and only to the extent necessary.
- Not carry out further processing of the data in a manner incompatible with the original purpose, including on the grounds of updating them.
- Implement electronic tools for prompt and free-of-charge responses to requests regarding data.
- Keep records and communicate every infringement to the Authority for the Protection of Personal Data within 72 hours. The communication shall also be made to the natural persons directly or through a public announcement.
- Transfer data outside the Union only under certain circumstances. A transfer may take place only if, subject to the other provisions of the Regulation, the conditions laid down in the Regulation's provisions relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.
- Store the data for the minimum required term, obtaining the ad hoc consent of the natural persons.
- Demonstrate sufficiently that all the requirements of the Regulation are satisfied.
Companies that are covered by the GDPR will be more accountable for their handling of people’s personal information. This can include having data protection policies, data protection impact assessments and having relevant documents on how data is processed.
Under the GDPR, the “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data has to be reported to a country’s data protection regulator.
The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. The regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union Institutions and bodies and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium sized enterprises in the application of the Regulation.
The protection afforded by the Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. The Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.
In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.
Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer. The Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk.
The protection of the rights and freedoms of natural persons with regard to the processing of personal data requires that appropriate technical and organisational measures be taken to ensure that the requirements of the Regulation are met. In order to be able to demonstrate compliance with the Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, and enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.
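Two of the measures named above, data minimisation and early pseudonymisation, can be shown in code. The following Python script is an added example written for this page, not code from the Regulation or from any project it describes. It assumes a constructed customer record schema and an assumed analytics purpose that needs only the `purchase` field; the direct identifier is replaced by a keyed HMAC-SHA256 pseudonym, and every field the purpose does not need is dropped before the data leave the collection point.

```python
import hmac
import hashlib
import secrets

# Constructed sample records for illustration (not real people);
# the field names are an assumption of this example.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "name": "Alice", "purchase": "book",
     "card_number": "4111111111111111"},
    {"email": "bob@example.com", "name": "Bob", "purchase": "lamp",
     "card_number": "4222222222222"},
    {"email": "alice@example.com", "name": "Alice", "purchase": "pen",
     "card_number": "4111111111111111"},
]

# Data minimisation: the (assumed) analytics purpose needs only this field.
ANALYTICS_FIELDS = ("purchase",)


def new_pseudonymisation_key() -> bytes:
    """Generate the secret key. It is the re-identification information and
    must be stored separately from the pseudonymised dataset, under its own
    access control, so that the dataset alone does not identify anyone."""
    return secrets.token_bytes(32)


def pseudonymise_id(identifier: str, key: bytes) -> str:
    """Keyed, one-way pseudonym: HMAC-SHA256 over the normalised identifier.
    Normalising (strip + lower-case) makes the same person map to the same
    pseudonym, which keeps the data usable for analysis. Unlike a plain
    unkeyed hash, the value cannot be recomputed from a guessed e-mail
    address without the key."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def minimise_record(record: dict, key: bytes,
                    keep: tuple = ANALYTICS_FIELDS) -> dict:
    """Replace the direct identifier with a pseudonym and drop every field
    (name, card number, e-mail) that the stated purpose does not require."""
    out = {"subject": pseudonymise_id(record["email"], key)}
    for field in keep:
        if field in record:
            out[field] = record[field]
    return out


def pseudonymise_dataset(records: list, key: bytes) -> list:
    """Apply minimisation and pseudonymisation to a whole batch."""
    return [minimise_record(r, key) for r in records]


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    for row in pseudonymise_dataset(SAMPLE_RECORDS, key):
        print(row)
```

The design point is the separation of the key from the output: the pseudonymised rows can be handed to an analytics team without the card numbers or names ever reaching them, while the controller, holding the key, can still link a data subject's access or erasure request to the right rows by recomputing the pseudonym.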
Therefore, a stronger and more coherent data protection framework is required. In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data, the regulation requires that the level of protection of rights and freedoms be equivalent.
Strengthening and setting out in detail the rights of data subjects appears to provide effective protection. At the same time, those who process and determine the processing of personal data shall be obliged to comply with the requirements of the regulation, with continuing monitoring and compliance in order to reduce infringements as much as possible.