Annexes to COM(2018)43 - Stronger protection, new opportunities - Commission guidance on the direct application of the General Data Protection Regulation as of 25 May 2018


agreement and resolve divergences they might have concerning the interpretation of the Regulation within the Board by means of opinions and binding decisions. The Commission encourages the data protection authorities to embrace these changes and adjust their functioning, financing and work culture to be able to meet the new rights and obligations.

3.3 Member States to provide the necessary financial and human resources to national data protection authorities

The establishment of fully independent supervisory authorities in each Member State is essential to ensure the protection of natural persons with regard to the processing of their personal data in the EU (44). Supervisory authorities cannot effectively safeguard individual rights and freedoms unless they act completely independently. Any failure to ensure their independence and the effective exercise of their powers has a wide-ranging negative impact on the enforcement of data protection legislation (45).

The Regulation codifies the requirement of any data protection authority to act completely independently (46). It strengthens national data protection authorities’ independence and provides them with uniform powers across the EU, so that they are properly equipped to deal effectively with complaints, carry out effective investigations, take binding decisions and impose effective and dissuasive sanctions. It also gives them the power to issue administrative fines on controllers or processors up to EUR 20 million, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The data protection authorities are the natural interlocutors and first point of contact for the general public, businesses and public administrations for questions regarding the Regulation. The data protection authorities' role includes informing controllers and processors of their obligations and raising the general public’s awareness and understanding of the risks, rules, safeguards and rights in relation to data processing. It does not mean, however, that controllers and processors should expect to be provided by the data protection authorities with the kind of tailored, individualised legal advice that only a lawyer or a data protection officer can provide.

The national data protection authorities therefore play a central role, but the relative imbalance between the human and financial resources allocated to them in different Member States can jeopardise their effectiveness and ultimately the complete independence required under the Regulation. It can also negatively impact the way the data protection authorities are able to exercise powers such as their investigation powers. Member States are encouraged to fulfil their legal obligation to provide their national data protection authority with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and the exercise of its powers (47).

3.4 Businesses, public administrations and other organisations processing data to get ready for the application of the new rules

The Regulation did not substantially change the core concepts and principles of the data protection legislation put in place back in 1995. This should mean that the vast majority of controllers and processors, provided that they are already in compliance with the existing EU data protection laws, will not need to make major changes to their data processing operations to comply with the Regulation.

The Regulation impacts most on operators whose core business is data processing and/or dealing with sensitive data. It also impacts on those that regularly and systematically monitor individuals on a large scale. These operators will most probably have to appoint a data protection officer, conduct a data protection impact assessment and notify data breaches if there is a risk to the rights and freedoms of individuals. By contrast, operators, in particular SMEs, which do not engage in high risk processing as their core activity will normally not be subject to these specific obligations of the Regulation.

It is important for controllers and processors to undertake thorough reviews of their data policy cycle so as to clearly identify which data they hold, for what purpose and on what legal basis (e.g. cloud environment; operators in the financial sector). They also need to assess the contracts in place, in particular those between controllers and processors, the avenues for international transfers and the overall governance (what IT and organisational measures to have in place), including the appointment of a Data Protection Officer. An essential element in this process is to ensure that the highest level of management is involved in such reviews, provides its input and is regularly updated and consulted on changes to the business’s data policy.

To this end, some operators make recourse to compliance checklists (either internal or external), seek advice from consultancies and law firms and look for products that can deliver on the requirements of data protection by design and by default. Each sector must work out arrangements that are appropriate to the specific nature of its area and are adapted to its business model.

Businesses and other organisations processing data will also be able to take advantage of the new tools provided for in the Regulation as an element to demonstrate compliance, such as codes of conduct and certification mechanisms. These constitute bottom-up approaches which come from the business community, associations or other organisations representing categories of controllers or processors and reflect best practice, important developments in a given sector or can inform about the level of data protection required by certain products and services. The Regulation provides for a streamlined set of rules for such mechanisms while taking into account market realities (e.g. certification by a certification body or by a data protection authority).

However, while big companies are actively preparing for the application of the new rules, many SMEs are not yet fully aware of the forthcoming data protection rules.

In short, operators should prepare and adjust to the new rules and see the Regulation as:

· an opportunity to put their house in order in terms of what personal data they process and how they manage it;

· an obligation to develop privacy- and data protection-friendly products and build a new relationship with their customers based on transparency and trust; and

· an opportunity to reset their relations with data protection authorities through accountability and proactive compliance.

3.5 To inform stakeholders, in particular citizens and small and medium-size businesses

The success of the Regulation rests on proper awareness of all those affected by the new rules (the business community and other organisations processing data, the public sector and citizens). At national level, the task of raising awareness and being the first point of contact for controllers, processors and individuals lies primarily with the data protection authorities. As enforcers of data protection rules in their territory, data protection authorities are also the best placed to explain the changes introduced by the Regulation to companies and the public sector, and to familiarise citizens with their rights.

Data protection authorities have started informing stakeholders in line with the specific national approach. Some hold seminars with public administrations, including at regional and local level, and run workshops with different business sectors in order to raise awareness about the main provisions of the Regulation. Some run specific training programmes for data protection officers. Most of them provide information materials in various formats on their websites (checklists, videos, etc.).

However, there is not yet a sufficiently widespread level of awareness among citizens of the changes and enhanced rights that the new data protection rules will bring. The training and awareness-raising initiatives set in motion by data protection authorities should be continued and intensified, with a particular focus on SMEs. Furthermore, national sectoral administrations can support the activities of data protection authorities and, based on their input, do their own outreach among the different stakeholders.

4. Next steps

In the coming months, the Commission will continue actively supporting all actors in preparing for the application of the Regulation.

a) Work with Member States

The Commission will continue working with Member States in the lead-up to May 2018. From May 2018 onward, it will monitor how Member States apply the new rules and take appropriate action as necessary.

b) New online guidance in all EU languages and awareness-raising activities

The Commission is making available practical guidance materials (48) to help businesses, in particular SMEs, public authorities and the public to comply with and benefit from the new data protection rules.

The guidance takes the form of a practical online tool available in all EU languages. The online tool will be regularly updated and is intended to serve three main target audiences: citizens, businesses (in particular SMEs) and other organisations, and public administrations. It comprises questions and answers selected based on feedback received from stakeholders with practical examples and links to various sources of information (e.g. articles of the Regulation; guidelines of Article 29 Working Party/European Data Protection Board; and materials developed at national level).

The Commission will regularly bring up to date the tool, adding questions and updating the answers, based on the feedback received and in the light of any new issues arising from implementation.

The guidance will be promoted through an information campaign and dissemination activities in all Member States, targeting businesses and the public.

As the Regulation provides for stronger individual rights, the Commission will also engage in awareness-raising activities and participate in events across the Member States to inform citizens about the benefits and impact of the Regulation.


c) Financial support for national campaigns and awareness raising

The Commission is supporting awareness-raising and compliance efforts undertaken at national level by awarding grants that can be used to provide training within data protection authorities, public administrations, legal professions and data protection officers (49) and to familiarise them with the Regulation.

Around EUR 1.7 million will be allocated to six beneficiaries covering more than half of EU Member States. Funding will be targeted at local public authorities, data protection officers (of local public authorities, of other public authorities and from the private sector), judges and lawyers. The grants will be used to develop training materials for data protection authorities, data protection officers and other professionals, as well as ‘train the trainer’ programmes.

The Commission has also issued a call for proposals specifically aimed at data protection authorities. It will have a total budget of up to EUR 2 million and will support them in reaching out to stakeholders (50). The objective is to provide 80 % co-financing to measures taken by data protection authorities in 2018-2019 to raise awareness among businesses, in particular SMEs, and reply to their queries. This funding can also be used to raise awareness among the general public.

d) Assessing the need to make use of the Commission’s empowerments

The Regulation (51) allows the Commission to issue implementing or delegated acts to further support the implementation of the new rules. The Commission will only make use of these empowerments when there is a clearly demonstrated added value and based on feedback from stakeholders' consultation. In particular, the Commission will look into the issue of certification based on a study contracted with external experts and input and advice on this issue from the multi-stakeholder group on the Regulation established at the end of 2017. The work done by the European Union Agency for Network and Information Security (ENISA) in the field of cybersecurity will also be relevant in this context.


e) Integration of the Regulation into the EEA-Agreement

The Commission will pursue its work with the three EFTA States (Iceland, Liechtenstein, and Norway) in the European Economic Area (EEA) to integrate the Regulation into the EEA agreement (52). Only once the integration of the Regulation into the EEA agreement is in force can personal data flow freely between EU and EEA countries in the same way as they do between EU Member States.

f) Withdrawal of the United Kingdom from the EU

In the context of the negotiations of a withdrawal agreement between the EU and the United Kingdom on the basis of Article 50 of the Treaty on European Union, the Commission will pursue the objective of ensuring that the provisions of Union law on personal data protection applicable on the day preceding the withdrawal date continue to apply to personal data in the United Kingdom processed before the withdrawal date (53). For example, the individuals concerned should continue to have the right to be informed, the right of access, the right to rectification, to erasure, to restriction of processing, to data portability as well as the right to object to processing and not to be subject to a decision based solely on automated processing, on the basis of relevant provisions of Union law applicable on the withdrawal date. Personal data referred to above should be stored no longer than is necessary for the purposes for which the personal data was processed.

As of the withdrawal date, and subject to any transitional arrangement that may be contained in a possible withdrawal agreement, the rules of the Regulation for transfers of personal data to third countries will apply to the United Kingdom (54).

g) Taking stock in May 2019

After 25 May 2018, the Commission will closely monitor the application of the new rules and will stand ready to take action should any significant problems arise. One year after the Regulation enters into application (2019) the Commission will organise an event to take stock of different stakeholders’ experiences of implementing the Regulation. This will also feed into the report the Commission is required to produce by May 2020 on the evaluation and review of the Regulation. This report will focus in particular on international transfers and the provisions on cooperation and consistency which pertain to the work of data protection authorities.

Conclusion

On 25 May, a new single set of data protection rules will enter into effect across the EU. The new framework will bring significant benefits to individuals, companies, public administrations and other organisations alike. It is also an opportunity for the EU to become a global leader in personal data protection. But the reform can only succeed if all those involved embrace their obligations and their rights.

Since the adoption of the Regulation in May 2016, the Commission has actively engaged with all concerned actors — governments, national authorities, business, civil society — in view of the application of the new rules. A significant amount of work has been dedicated to ensuring widespread awareness and full preparation, but there is still work to do. Preparations are progressing at various speeds across Member States and among the various actors. Moreover, knowledge of the benefits and opportunities brought by the new rules is not evenly spread. There is in particular a need to step up awareness and accompany compliance efforts for SMEs.

The Commission therefore calls on all concerned actors to intensify the ongoing work to ensure the consistent application and interpretation of the new rules across the EU and to raise awareness among businesses and citizens alike. The Commission will support these efforts with funding and administrative support and will help raise general awareness, notably by launching the online guidance toolkit.

Data are becoming very valuable for today's economy and are essential to the daily lives of citizens. The new rules offer a unique opportunity for businesses and the public alike. Businesses, especially the smaller ones, will be able to benefit from the innovation-friendly single set of rules and put their houses in order in terms of personal data to restore consumers' trust and use it as their competitive advantage across the EU. Citizens will be able to benefit from the stronger protection of personal data and gain better control over how their data are handled by companies.

In a modern world with a booming digital economy the European Union, its citizens and businesses must be fully equipped to reap the benefits and understand the consequences of the data economy. The new Regulation offers the necessary tools to make Europe fit for the 21st century.

The Commission will undertake the following actions:

Towards Member States

· The Commission will continue working with Member States to promote consistency and limit fragmentation in the application of the Regulation, taking into account Member States’ room for specification under the new legislation;

· After May 2018 the Commission will closely monitor the application of the Regulation in Member States and take appropriate actions as necessary, including the recourse to infringement actions;

Towards data protection authorities

· Until May 2018 the Commission will support the work of the data protection authorities in the context of the Article 29 Working Party and in the transition towards the future European Data Protection Board; after May 2018, it will contribute to the work of the European Data Protection Board;

· In 2018-2019 the Commission will co-finance (total budget of up to EUR 2 million) awareness-raising actions undertaken by data protection authorities at national level (projects implemented from mid-2018 onwards);

Towards stakeholders

· The Commission will launch an online practical guidance tool that includes questions and answers aimed at citizens, businesses and public administrations. The Commission intends to promote this guidance to the target audiences through an information campaign addressed to business and the public in the run-up to May 2018 and afterwards;

· In 2018 and beyond the Commission will continue actively engaging with stakeholders, notably through the multi-stakeholder group on the implementation of the Regulation and the level of awareness of the new rules;

Towards all actors

· In 2018-2019 the Commission will assess the need to make use of its power to adopt delegated or implementing acts;

· In May 2019, the Commission will take stock of the Regulation's implementation and will report on the application of the new rules in 2020.


(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016.
(2) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281 of 23.11.95.
(3) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016.
(4) The Regulation has been in force since 24 May 2016 and will apply as of 25 May 2018.
(5) Article 8 of the EU Charter of Fundamental Rights and Article 16 TFEU.
(6) https://ec.europa.eu/commission/sites/beta-political/files/letter-of-intent-2017_en.pdf.
(7) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31.7.2002, p. 37–47. According to Article 95 GDPR, the GDPR shall not impose additional obligations on natural or legal persons in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC. This means, for example, that entities covered by the e-Privacy Directive are subject to that Directive's obligation to notify a personal data breach in as far as the breach concerns a service which is materially covered by the ePrivacy Directive. No additional obligations are imposed on them by the GDPR in that respect.
(8) Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, OJ L 194, 19.7.2016, p. 1–30. Entities within the scope of the NIS Directive should notify incidents having a significant or substantial impact on the provision of some of their services. The incident notification under the NIS Directive is without prejudice to the breach notification under the Regulation.
(9) Article 35 of the Regulation.
(10) Commission Communication on Exchanging and Protecting Personal Data in a Globalised World, COM(2017)7 final.
(11) Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, COM(2017) 8 final.
(12) Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), COM(2017) 10 final.
(13) Until the ePrivacy Regulation's adoption and entry into application, Directive 2002/58/EC applies as lex specialis to the Regulation.
(14) For a complete list of the meetings, agendas, summary of discussions and overview of the state of play of legislation in the different Member States see http://ec.europa.eu/transparency/regexpert/index.cfm?do=groupDetail.groupDetail&groupID=3461.
(15) For instance, the Commission will provide to the European Data Protection Board the possibility to use the Internal Market Information System (IMI) for the communication between its members.
(16) Reflection Paper on Harnessing Globalisation COM(2017)240.
(17) Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No 108) and the 2001 Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows (ETS No 181). The Convention is open to non-members of the Council of Europe and has already been ratified by 51 countries (including Uruguay, Mauritius, Senegal and Tunisia).
(18) See e.g. Data Protection Standards of the Ibero-American States, http://www.redipd.es/documentacion/common/Estandares_eng_Con_logo_RIPD.pdf.
(19) COM(2017)7.
(20) COM(2017)7 ibid p. 10-11.
(21) http://europa.eu/rapid/press-release_STATEMENT-17-1917_en.htm.
(22) COM(2017)7 ibid p. 10-11.
(23) Two workshops with the industry in July 2016 and April 2017, two business Round Tables in December 2016 and May 2017, a workshop on health data in October 2017, and a workshop with SMEs representatives in November 2017.

(24) http://ec.europa.eu/transparency/regexpert/index.cfm?do=groupDetail.groupDetail&groupID=3537.
(25) https://ec.europa.eu/programmes/horizon2020/h2020-sections.
(26) All adopted guidelines are available at: http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
(27) Article 288 TFEU.
(28) Article 54(1) Regulation.
(29) Article 43(1) Regulation provides for Member States to offer two possible accreditation methods to certification bodies, i.e. by the national data protection supervisory authority established in accordance with data protection legislation and/or by the national accreditation body established under Regulation (EC) No 765/2008 on Accreditation and Market Surveillance. The European Cooperation for Accreditation ('EA', recognised under Regulation 765/2008), which gathers national accreditation bodies, and the supervisory authorities of the GDPR should closely cooperate to this effect.
(30) Article 85(1) Regulation.
(31) Article 6(2) Regulation.
(32) Articles 88 and 9(2)(b) Regulation. The European Pillar of Social Rights also states that 'Workers have the right to have their personal data protected in the employment context'. (2017/C 428/09, OJ C 428, 13.12.2017, p. 10–15)
(33) Article 9(2)(h) and (i) Regulation.
(34) Article 9(2)(j) Regulation.
(35) Article 87 Regulation.
(36) Article 86 Regulation.
(37) Article 90 Regulation.
(38) Article 9(4) Regulation.
(39) Case 94/77 Fratelli Zerbone Snc v Amministrazione delle finanze dello Stato ECLI:EU:C:1978:17 and 101.
(40) Recital 8 Regulation.
(41) Austria ( http://www.ris.bka.gv.at/Dokumente/BgblAuth/BGBLA_2017_I_120/BGBLA_2017_I_120.pdf );
Germany ( https://www.bgbl.de/xaver/bgbl/start.xav?start=%2F%2F*%5B%40attr_id%3D%27bgbl117s2097.pdf%27%5D#__bgbl__%2F%2F*%5B%40attr_id%3D%27bgbl117s2097.pdf%27%5D__1513091793362 ).
(42) For the overview of the state of play of the legislative process in the different Member States see http://ec.europa.eu/transparency/regexpert/index.cfm?do=groupDetail.groupDetail&groupID=3461.
(43) The European Data Protection Board will be an EU body with legal personality in charge of ensuring the consistent application of the Regulation. It will be composed of the head of each data protection authority and of the European Data Protection Supervisor, or their representatives.
(44) Recital 117 Regulation; previously stated already in Recital 62 of Directive 95/46.
(45) Communication from the Commission to the European Parliament and the Council on the follow-up of the Work Programme for better implementation of the Data Protection Directive, COM(2007) 87 final, 7 March 2007.
(46) Article 52 Regulation.
(47) Article 52(4) Regulation.
(48) The guidance will contribute to a better understanding of EU data protection rules, but only the text of the Regulation has legal force. As a consequence, only the Regulation is liable to create rights and obligations for individuals.
(49) Grants provided under the Rights and Citizenship 2016 Programme ( https://ec.europa.eu/research/participants/portal/desktop/en/opportunities/rec/calls/rec-data-2016.html#c,topics=callIdentifier/t/REC-DATA-2016/1/1/1/default-group&callStatus/t/Forthcoming/1/1/0/default-group&callStatus/t/Open/1/1/0/default-group&callStatus/t/Closed/1/1/0/default-group&+identifier/desc ).
(50) http://ec.europa.eu/research/participants/portal/desktop/en/opportunities/rec/topics/rec-rdat-trai-ag-2017.html.
(51) Delegated act for information to be presented by the icons and the procedures for providing standardised icons (Article 12(8) Regulation); Delegated act for requirements to be taken into account for certification mechanism (Article 43(8) Regulation); implementing act for laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise those certification mechanisms, seals and marks (Article 43(9) Regulation); implementing act for the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules (Article 47(3) Regulation); implementing acts for format and procedures for mutual assistance and for the exchange of information by electronic means between supervisory authorities (Articles 61(9) and 67 Regulation).
(52) For information on the state of play, see http://www.efta.int/eea-lex/32016R0679.
(53) https://ec.europa.eu/commission/publications/position-paper-use-data-and-protection-information-obtained-or-processed-withdrawal-date_en.
(54) See Commission Notice to stakeholders: withdrawal of the United Kingdom and EU rules in the field of data protection (http://ec.europa.eu/newsroom/just/document.cfm?action=display&doc_id=49245).