Author: Luca Marchesi
Date of publication: 20/05/2022
The processing of personal data is increasingly at the center of attention. At the European level, such data has been protected since 25 May 2018 by the GDPR (General Data Protection Regulation), the regulation that deals with privacy and data protection issues.
First of all ... What is a regulation?
A regulation is one of the legislative acts of the European Union, along with directives and decisions. Unlike the other two, it is characterized by general scope (it is valid in all Member States) and by direct applicability in all its elements (it becomes law immediately, without having to be transposed by the Member States). Countries may decide to revise their national legislation if there are obvious incompatibilities with the new European rules.
What does the GDPR foresee?
The GDPR, as its name suggests, is a text that aims to harmonize the European rules on data processing and (our) right to be in full control of the information concerning us. The regulation consists of 99 articles and introduces some innovations such as:
the right to be forgotten (users can ask for information about them to be removed),
the "portability" of data (you can download your data and transfer it from one platform to another, without being tied to a certain account),
the obligation to notify in the event of a data breach (if a company suffers a leak of sensitive information, it must report it within 72 hours).
The regulation is addressed to the "data controllers", i.e. those who manage the information: individuals and, above all, companies.
What are the main obligations?
Obligations to be taken into consideration include, above all:
a clear request for consent (Article 7),
the establishment of an activity register (Article 30),
the notification of violations within 72 hours (Article 33) and
the designation of a "data protection officer" (Article 37).
As for consent, the company must ask for the go-ahead "in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language (as opposed to the old, kilometer-long privacy notices, ed.)". With regard to the register of processing activities, controllers are obliged to keep a register which lists, among other things, the purposes of the processing, the recipients of the data, and, where possible, the envisaged time limits for erasure.
What if the regulation is violated?
If the regulation is violated, sanctions are applied. Specifically, depending on the seriousness of the infringement, the fines are divided into two brackets:
up to a maximum of 10 million euros or, for companies, 2% of annual turnover (whichever is higher),
up to a maximum of 20 million euros or, for companies, 4% of annual turnover (whichever is higher).
To get an idea of the scale, the Italian Privacy Guarantor (the Italian data protection authority) collected just over 3.3 million euros in fines in 2015.
The "lighter" bracket (10 million euros or 2% of turnover) applies to the breach of obligations such as privacy by design (lack of data protection by design and by default) or the lack of suitable measures to guarantee an adequate level of security. The heavier bracket (20 million euros or 4% of turnover) applies to the violation of fundamental principles, such as denial of the right to be forgotten or a lack of transparency in the request for consent.
Finally, the European Union hopes that this Regulation will allow the development of the digital economy in the internal market. Also, it guarantees individuals the control of their personal data and strengthens legal and operational certainty for economic entities and public authorities.
So, don’t worry: your privacy is secure!
Regulation n. 2016/679