21 Jun 2017

New EU Data Protection Rules – Should Serbian Companies Be Worried?

The new EU data protection framework, set to come into force on May 24, 2018 in the form of the General Data Protection Regulation (GDPR), is directly binding in all Member States; however, its scope goes beyond the boundaries of the EU, affecting foreign companies that deal with the personal data of EU citizens.  National Data Protection authorities of EU member states already have certain powers over foreign enterprises, as seen in the landmark Costeja case (C‑131/12), where Google Inc., an American company, was forced to protect a Spanish national’s right to respect for his private life.  The GDPR expands and defines these powers so that EU citizens are protected in the same manner as if the data processing were done in the EU.

Namely, according to the GDPR, all foreign companies that either (i) offer goods or services, irrespective of whether a payment is required, to data subjects in the EU, or (ii) monitor the behavior of data subjects, as far as that behavior takes place within the EU, are subject to the GDPR.  This means that such companies must abide by the burdensome rules prescribed by the GDPR, or risk facing high penalties – up to EUR 20,000,000.00 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.  Likewise, for some less significant infringements, fines go up to the higher of EUR 10,000,000.00 or 2% of the total worldwide annual turnover.

In practice, this means that, due to the GDPR’s extra-territorial effect, even a data processor not established in the EU may be subject to administrative fines if it performs its business activities in a way that is non-compliant with the GDPR.  This is especially important for multinational companies that share personal data between group members on a regular basis, as they are obliged to achieve compliance in all jurisdictions – both within and outside the EU.

Apart from the expanded territorial scope, the GDPR has revisited the existing rights of data subjects and the obligations of data processors/controllers, and has added some new ones.  For example, companies that process data on a large scale, and those that process data as part of their core activity, will have to appoint a Data Protection Officer – a person responsible for compliance with data protection rules and for communication with the competent supervisory authorities.

The GDPR has codified the data subject’s “right to be forgotten” (right to erasure).  This right was already considered part of the right to respect for private and family life, but due to its significance in the internet era it was necessary to regulate it separately.  Namely, the existence of unfavorable information on the internet can seriously affect someone’s life.  Under the right to be forgotten, data subjects are, under certain conditions, allowed to demand that data controllers erase their personal data or make it unavailable.  These conditions include, inter alia, the situations where the personal data is no longer necessary for the purpose for which it was collected, where the data subject withdraws consent, where the processing is unlawful, etc.

Also, data subjects will now have a right to data portability, i.e. they will be allowed to request that data controllers transfer their data to them, or to another controller, in a structured, commonly used format.

Given the expanded scope of the GDPR and the newly introduced fines, it is strongly advisable to perform a gap analysis of GDPR compliance – whether your business is incorporated within or outside the EU.  If you have any questions related to these new data protection rules, please feel free to contact our Data Protection team.