EU Data Protection Regulation To Apply to All Business Dealings May 2018

EU General Data Protection Regulation
Kicks in 25th May 2018

The European Commission’s January 24 2018 communication shows that only two member states, Austria and Germany, have adopted the required national legislation. Others, Croatia included, are at different stages of the process. To meet the May 2018 deadline, Croatia should promptly address its national approach to open issues. Croatian stakeholders are aware of the new rules concerning personal data treatment to a satisfactory level.

The EU General Data Protection Regulation (GDPR), which entered into force on May 25 2016, was enacted to harmonise the legal framework protecting the personal data of EU citizens by introducing stronger individual rights and powerful protections against data breaches. After a two-year transitional period, on May 25 2018 the GDPR will directly apply in 28 EU member states.

Key messages in GDPR:

The European Union General Data Protection Regulation (the GDPR) contains new data protection requirements that will apply from 25 May 2018.

Non-EU countries’ businesses with an establishment in the EU, or that offer goods and services in the EU, or that monitor the behaviour of individuals in the EU may need to comply.

The GDPR and the existing Privacy Acts of non-EU countries may already share many common requirements, including to:

• implement a privacy by design approach to compliance

• be able to demonstrate compliance with privacy principles and obligations

• adopt transparent information handling practices.

Non-EU countries’ businesses should determine whether they need to comply with the GDPR and if so, take steps now to ensure their personal data handling practices comply with the GDPR before commencement.

The GDPR applies to the data processing activities of businesses that are data processors and controllers with an establishment in the EU. Generally speaking, a controller says how and why personal data is processed and a processor acts on behalf of the controller. (‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; and ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4, GDPR).)

Where a business has ‘an establishment’ in the EU, activities of the business that involve processing personal data will need to comply with the GDPR, regardless of whether the data is actually processed in the EU.

The GDPR also applies to data processors and controllers outside the EU where the business’ activities involve:

• offering goods or services to individuals in the EU (irrespective of whether a payment is required) (A processor or controller ‘offers goods or services’ if ‘it is apparent that the controller or processor envisages offering services to individuals in the EU’ (Recital 23, GDPR).

• monitoring the behaviour of individuals in the EU, where that behaviour takes place in the EU (Article 3) (A processing activity ‘monitors the behaviour’ of individuals where individuals are tracked on the internet. This includes profiling an individual to make decisions about that person or to analyse or predict that person’s personal preferences, behaviours and attitudes (Recital 24, GDPR).

Non-EU country businesses with customers in the EU, or that operate in the EU, should confirm whether they are covered by the GDPR, and if so, take steps to ensure compliance by May 2018. What information does the GDPR apply to? The GDPR applies to ‘personal data’. This means ‘any information relating to an identified or identifiable natural person’ (Article 4).9 Additional protections apply to the processing of ‘special categories’ of personal data, which includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (Article 9).

Although by definition EU resolutions directly apply across the European Union, member states must adjust local laws to implement the GDPR. Further, the resolution left room for member states to decide on national approaches to certain issues. The GDPR calls for member states’ active participation in preparing for its application, which is one of the reasons for the long transition period. Another reason is the preparatory work regarding personal data protection to be undertaken by relevant stakeholders in order to comply with the resolution. This preparatory work is even greater considering that the territorial scope of the GDPR is expanded to every EU citizen, thereby bringing overseas businesses under its scope.

Croatian authorities, legislative and supervisory, are involved in preparatory work.

Following the meeting on the application of the GDPR held on December 6 2017 in Brussels, where member states reported on their preparatory work for the application of the GDPR and national approaches for specific GDPR articles, Croatian representatives publicly reported that:

• an intergovernmental group (made up of ministries, the Personal Data Protection Agency and academics) was set up to examine the necessary changes and that this group had finished its work; and

• a new law would be submitted to Parliament by the end of January 2018.

A draft of a law relating to personal data protection was not submitted to Parliament until February 8 2018.

The Croatian Personal Data Protection Agency – set up in 2003 under the Personal Data Protection Act as an independent supervisory authority – will remain the national supervisory authority under the regulation. In 2017 the agency began actively engaging in promoting awareness of the GDPR. Its activities intensified in the second half of 2017, when it organised numerous educational programmes aimed at public authorities, the private sector and the general public. The head of the agency has repeatedly confirmed that the agency is undertaking extensive reorganisation efforts, including acquiring staff and financial resources in order to meet the obligations and exercise its powers under the GDPR.

One of the issues that Croatia must address before the May 2018 implementation date is administrative fines.

Penalties under the GDPR – specifically, the administrative fines that may be imposed for any infringement of the regulation – are the centrepiece of stakeholders’ interests due to the substantial fines that may be imposed.

Undertakings in breach of the GDPR can be fined up to 4% of their annual global turnover or €20 million for the most serious infringements. The second tier of fines, applicable for the less serious infringements, is up to 2% of an entity’s annual global turnover or €10 million.

Although it has so far been focused on its advisory and educational role, the Personal Data Protection Agency has the power to impose administrative fines for personal data protection breaches under the existing legal framework. To implement the GDPR fully, Croatian legislation must set additional procedural requirements on the enforcement procedure to be followed by the agency.

Another important issue is that the resolution enables each member state to lay down the rules on whether, and to what extent, administrative fines may be imposed on its public authorities and bodies. The Croatian legislature should therefore address the issue, considering both normal functioning of public authorities and their compliance with applicable personal data protection requirements.

Anyone conducting business in Croatia (or any other EU country) would do well seeking legal advice within the  EU country to check compliance with GDPR, if already not done. Ina Vukic