The newly revised EU legal framework in the field of personal data protection has already made the processing of personal data an increasingly important topic for businesses operating in the territories of EU member states. As from 25 May 2018, the General Data Protection Regulation (“GDPR”) will become directly applicable in all EU states. With the objective to strengthen citizens’ fundamental rights in the digital age and to simplify procedures for companies, the new legislation will also introduce fines for illegal personal data collection and processing that will be significantly higher than the currently effective fines. The fines, depending on the relevant circumstances, may reach up to 4% of the total worldwide annual turnover of an undertaking or EUR 20,000,000, whichever amount is higher.
We have summarized below the most important principles of personal data protection set out in GDPR. Any processing of personal data which is incompatible with any of the principles would be unlawful (unless an exemption or derogation applies).
- Personal data must be processed lawfully, fairly and in a transparent manner
This is the most general principle of personal data processing according to which data controllers must always, inter alia, collect and process personal data on legitimate legal grounds; not use the data for unjustified purposes or in a way which would not be reasonably expected by the data subjects and adopt a transparent approach towards data subject allowing them to fully benefit from their rights under the GDPR (please stay tuned since more information on the rights of data subjects under the GDPR will follow shortly).
- Personal data must be collected for specified, explicit and legitimate purposes
Companies process personal data on a daily basis for various purposes: in order to comply with statutory or contractual reporting obligations, in corporate documents, commercial relations with suppliers and customers, assignment and collection of receivables, for security reasons (e.g. video surveillance), online tracking of consumers’ preferences, webpage administration, etc. In all cases, any personal data must be processed diligently and in accordance with the initial purposes for its collection.
In practice, it is often a fine line between compatibility and incompatibility with the initial purpose of the data processing. As an example, according to the Bulgarian Personal Data Protection Commission and the competent national court (the Supreme Administrative Court) a written revocation of a power of attorney specifying a former employee’s personal data details (such as Personal Identity Numbers) sent to customers constitutes a disproportionate processing, which is not related to the initial purpose for the collection of such data.
As per GDPR the compatibility of any further processing with the initial purposes is determined by, inter alia, the link between the initial and the subsequent purposes, the reasonable expectations of the data subjects, based on their relationship with the controller, as to the further use of their personal data, the nature of such personal data, the consequences of any further processing for the data subjects, etc.
- Collect and process only personal data, which is adequate, relevant and limited to what is necessary
Companies must always be aware of what type of personal data and in what amount is needed in each specific case (contracts, employment related documents, invoices, corporate documents in public registers etc.). It is important to stay updated on the current legislation and review any internal processes for data collection in order to avoid processing of personal data which goes beyond its purpose.
Processing of personal data must be limited to what is necessary not only in scope, but also in time. Any personal data, which no longer serves the purpose/s for its collection must be deleted securely. The retention of such data may lead to other inconveniences such as the risk of it becoming inaccurate or outdated (see it. 4), the obligation to store such data securely (see it. 5), etc.
- Accuracy of personal data
Data controllers must process personal data, which is accurate and, where necessary, has been kept current and up to date. Every reasonable action must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they have been processed, be erased or rectified without delay. Internal assessment of whether the personal data processed is up-to-date is thus necessary.
It is worth noting that the GDPR does not apply to personal data of deceased persons. Member States may, however, provide for rules regarding the processing of personal data of deceased persons. Data controllers must mind that pursuant to the Bulgarian Personal Data Protection Act the successors of a deceased person have certain rights as, for example, the right to be informed (free of charge) whether any personal data of the deceased is being processed, the purposes of such processing, and so on.
- Data security
Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The adequacy of the security systems and methods used by data controllers depends on the circumstances of each specific case (including without limitation the nature of the personal data and the harm from its potential misuse, or the use/transfer of such information within or outside the company). Normally IT expertise should be involved in the assessment and implementation process with respect to electronically processed personal data.
Under the GDPR data breaches must be communicated without undue delay: (i) to the data subjects, where the personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions, and (ii) to the national supervisory authority unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals. Ideally data controllers would develop appropriate internal action plans in cases of personal data breaches to ensure timely and adequate reaction.
- What is new?
The comparative analysis of the principles set out in Directive 95/46/EC and in the GDPR shows that, contrary to other aspects of data protection, for the most part those principles would remain unchanged. Additional organisational and administrative burden is imposed on data controllers with the broader definition of the accountability principle, which now requires from data controllers not only to comply, but also to be able to demonstrate, when required to, their compliance with the data protection principles. This may include adoption of internal policies and rules for personal data processing, conduct of employee trainings, appointment of dedicated, expert data protection officer/s (where relevant), etc. All companies with more than 250 employees would be required to keep records of their processing activities (e.g. databases containing certain information) and such records may be requested periodically for review by the national data protection authorities.