The Internet is an integral part of our daily lives: 70% of European citizens use it every day. It is a tool that allows us to shop online, apply for a job, or apply for a bank loan, actions that often require us to share personal information almost daily. However, using citizens' data carries many risks, such as unauthorized data disclosure, identity theft, or online abuse.
As a result, new data protection rules have been in force since May 2018: the General Data Protection Regulation (GDPR). This regulation provides a set of rules for the processing, by a person, firm or organization, of personal data relating to individuals within the EU [1]. Thus, all companies operating in the EU, regardless of where they are located, must comply with a set of rules on data protection.
What are the consequences of this regulation? [2]
- Companies benefit from a level playing field
- Citizens have greater control over their personal data (i.e. information such as the address, first name and last name of an identified or identifiable person)
This gives new rights to citizens [3]:
- a right to receive clear and understandable information about who is processing their data, what data they are processing and why they are processing it
- a right to request access to personal data
- a right to ask a service provider to transmit your personal data
- a right "to be forgotten": you can ask for your personal data to be deleted
- a right to give your consent for processing your data
- a right to be informed if your data is lost or stolen
- a right to complain if your data protection rights have been violated
These rules do not only concern businesses and citizens, but also European institutions and agencies. In fact, in September 2018, Parliament voted to adopt a new regulation on the processing of data by the EU institutions.
What is it about? It is a regulation that aims to apply the common data protection principles (such as unambiguous consent, accountability and transparency) consistently throughout the Union, and it therefore covers both the institutions and the bodies of the Union.
In this context, the new rules strengthen the requirements and principles for lawful data processing. In particular, citizens' rights are stronger, exceptions (i.e. cases where consent is not required) are clarified, and the obligations on data controllers are spelled out more precisely [4].
The role of the European Data Protection Supervisor (EDPS), the authority responsible for ensuring that EU institutions comply with existing data protection law, has been strengthened. This authority has the power to conduct investigations, offer advice and monitor compliance with the law, either on its own initiative or at the request of an individual or of an agent of a European institution. In case of infringement, it may impose fines [5].
Laura van Lerberghe
[1] "What does the General Data Protection Regulation (GDPR) govern?", https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-does-general-data-protection-regulation-gdpr-govern_en
[2] "2018 reform of EU data protection rules", https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
[4] "Data protection by the EU's institutions", https://what-europe-does-for-me.eu/en/portal/2/X07_17501