The General Data Protection Regulation (GDPR) applies to companies established in the EU, to companies that process and monitor the data of data subjects within the EU, and to companies that provide goods and services to EU data subjects, even where such companies are established outside the EU. Under this regulation, both data processors and data controllers are directly liable.
GDPR makes it considerably easier for individuals to bring private claims against data controllers and processors. In particular, persons who have suffered “material or non-material damage” as a result of a breach of GDPR have the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for psychological suffering and distress, even where they are not able to prove financial loss.
A new concept of ‘pseudonymisation’ is provided for in Article 4. This is defined as the processing of personal data in such a manner that personal data can no longer be attributed to a specific data subject without the use of additional information.
For the first time, data processors are directly regulated by the GDPR. The current Directive regulates controllers, being those responsible for determining the purposes and means of the processing of personal data, rather than data processors.
Data processors are mainly those organisations that may be engaged by a controller to process personal data on its behalf. Under the GDPR, processors will be required to comply with a number of specific obligations; if they fail to meet these obligations, they will be directly liable to sanctions (Article 83) and may also face private claims by individuals for compensation (Article 79).
Access to and correction of personal data remain mainly unchanged from the Directive, but the right for the controller to charge a fee for such a request is much more limited under the GDPR.
The right to ‘be forgotten’ is not absolute. It only arises in quite a narrow set of circumstances, notably where the controller has no legal ground for processing the information, for instance because the processing is no longer necessary or because it is not in compliance with the Regulation.
The GDPR provides for a right to portability which has no equivalent in the current Directive. Where the right is likely to arise, controllers will need to develop procedures to facilitate the collection and transfer of personal data when requested to do so by data subjects.
The GDPR will also require Data Protection Officers to be appointed. Their role is generally concerned with compliance measures, and they must have a level of independence in the conduct of their duties.
LexPractis, 98 Archbishop Street, Valletta, VLT 1446, Malta, Europe
Office: +356 2122 1030 | +356 2122 1130
Fax: +356 2122 1002