GDPR or Regulation of the European Union on the protection of personal data has entered into force on the 25th of May 2018 and regulates this matter in a uniform manner.
The territorial application of GDPR refers primarily to companies that are established or have offices in EU Member States, regardless of where the processing is done. However, under certain circumstances, the application applies to companies not established on the territory of the Member States.
The processing of personal data has to be performed in compliance with the principles governing the processing of data and with the consent of the natural person whose data are processed. The consent should be unambiguous, given through a statement or a clear confirmation. If consent given prior to May 25, 2018 is in accordance with the stated conditions of the new GDPR, it is valid and the company is not obligated to seek consent again.
The GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity.
Whether the company will be required to comply with the rules of the GDPR depends on the risk of violation of fundamental rights and freedoms which can occur by data processing. Primarily, the scope of personal data being processed and sensitivity should be taken into account. For example, if a company processes a small amount of sensitive data relating to human health or a large amount of general, non-sensitive personal data, it will be obliged to apply the GDPR.
The companies which are the most influenced by GDPR requirements are those that collect personal data, such as social media companies, online retailers, banks, energy suppliers, telecommunication companies, etc.
Moreover, the GDPR explicitly prohibits processing a personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. This means that GDPR rules may influence, as well on stakeholders whose activities include provision of services to health industry – insurance companies, pharmaceutical companies, etc. Derogations from the general prohibition for processing such special categories of personal data are allowed in specified situations.
The maximum administrative fine that can be imposed for non-compliance with GDRP is € 20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Obligations of companies established on the territory of the EU
Among companies that have obligations under the GDPR, there is a distinction between the controller in whose name and for whose account the data is processed and processor who actually performs data processing. For example, a processor may be a data warehouse, that storage data in the so-called cloud platforms or a company that deals with payroll services or statistical analysis. The legal relationship between controller and processor is regulated by a contract which content is prescribed in the GDPR and a controller is obliged to ensure that a processor respects the data processing principles in accordance with controller’s instructions.
A controller and a personal data processor are required to:
- Respect the principles of personal data processing;
- Appoint a Data Protection Officer, who shall perform the tasks of consulting and controlling the application of the GDPR, as well as to establish contact with the supervisory authorities. In certain situations, companies are exempt from the obligation to appoint a Data Protection Officer;
- Adopt internal policies and implement technical and organizational measures to comply with the GDPR at the earliest stages of the design of the processing operations (Data Protection by Design), as well as at the later stages when personal data is processed, in order to ensure that data is processed with the highest privacy protection (for example only the data necessary should be processed, short storage period, limited accessibility) so that by default personal data isn’t made accessible to an indefinite number of persons (Data protection by default). GDPR specifies these measures;
- Keep records of processed data in written and electronic forms. The contents of the records are regulated in detail. In certain situations, companies are exempted from the obligation to keep records;
- In a case of a transfer of personal data to countries outside the EU territory or to international organizations, fulfill the specific conditions laid down in the GDPR, if the European Commission has not ruled that the degree of personal data protection in a given country or international organization is at a satisfactory level;
- Notify the supervisory authority about the breach without undue delay, and at the latest within 72 hours after having become aware of the breach. In certain situations, there will be an obligation to notify individuals whose personal data is violated;
- Conduct an assessment of the impact on the violation of the rights and freedoms of natural persons when processing data, in certain situations.
Companies that are not established on the territory of the EU
Companies that are not established on the territory of Member States (companies outside the EU) may fall under the GDPR domain in two cases.
The first case is if they process personal data of natural persons from EU countries, and they offer/market goods or services to them. The GDPR explains that the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain that controller envisages offering goods or services to data subjects in the Union. If goods and services are offered in the language and currency of the Member State, it can be considered that controller has an intent to contract with natural persons from EU countries. The companies that accept payment in Euros will likely be targeted by the GDPR.
The second case is monitoring of behavior of natural persons on the territory of the EU (the so-called profiling). In particular, it needs to be determined whether the behavior is monitored on the Internet and whether the collected data will be subsequently used to predict future behavior.
If companies outside the EU fall under one of the two cases, they need to fulfill obligations related to companies established on EU territory (the obligations described in the first part of the text).
In addition, companies outside the EU are obliged to appoint representatives in the EU, which requires the involvement of lawyers from some of the EU Member States or the establishment of a representative office that would act on behalf of and for the account of the data processor. In certain situations, companies outside the EU will not be required to appoint representatives.
The Serbia has an obligation to align its Data Protection Act with GDPR. Currently, Serbian Government has adopted the new proposal, which will be processed further in the legislative procedure before National Assembly.
It is recommendable that both companies which perform on domestic market and those which operate internationally check whether their Data Protection rules are in line with the GDPR, taking into account high penalties that can be imposed by competent authorities.
Attorney at law Damir Petrović
The information contained herein has been provided only for the purpose of general information and cannot be considered as a legal opinion or legal advice. Accordingly, the Law Firm Petrović Mojsić & Partners disclaims all responsibility and accept no liability in respect to actions taken or not taken based on any or all the contents contained herein.