The Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data which was adopted by the European Parliament on April 14th, 2016 was published on the Official Journal of the European Union on May 4th, 2016.
Therefore, it will directly enter into force in all Member States on May 25th, 2018 without any domestic text required for its implementation and will replace from this date the Directive 95/46/EC of 24 October, 1995 currently in force.
This Regulation aims at strengthening rights of natural persons, at simplifying administrative procedures and at clarifying the rules which govern controllers and processors liability.
As such, the Regulation introduces new rights for natural persons (portability, restriction of profiling, etc.), creates the right to be forgotten and reinforces information needed to obtain the consent from natural person.
In addition, one of the most innovative elements of the Regulation is the removal of the prior notification to the supervisory authority and the creation of a one-stop-shop for all administrative procedures imposed by the Regulation (Binding Corporate Rules, Standard Contractual Clauses etc.).
In return, the Regulation establishes news obligations applicable to controllers only (obligation to conduct a data protection impact assessment), to processors only (obligation to obtain the prior authorization of the controller to use another processor) or to both (obligation to maintain a record of processing activities, obligation to designate a data protection officer and obligation to notify any data breach).
In addition, as a result of the Regulation, the controller will always be liable for damages in case of breach of the obligations of the Regulation. On the opposite, the processor will only be liable where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
Besides, the controller and the processor will be severally liable when both involved in a damage caused by a breach of the obligations of the Regulation. As such, each will potentially be held liable for the entire damage and will then be entitled to claim back from the other party involved for the damages corresponding to the other party’s responsibility.
Finally, at the opposite of the Directive 95/46/EC which gives Members States the choice of penalties to be implemented, the Regulation grants supervisory authorities important powers to sanction any infringement to the Regulation by imposing administrative fines up to 20.000.000 EUR or, in case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year.
From now, it is recommended that companies prepare to be able to comply with the obligations and requirements of the Regulation regarding the upcoming entry into force of the Regulation.