Although several aspects remain in the hand of national legislators via flexibility clauses, the GDPR harmonises data protection across the EU. The GDPR promotes free movement of personal data within the EU. At the same time, it contains more extensive and new obligations for the processing of personal data. Most notable changes with the GDPR may be massively increased fines as well as an increased documentation effort.
Further, the EU law will in future also apply to non-EU companies operating in the EU, regardless of whether the processing takes place in the Union or not and regardless of whether they are acting as data controller or data processor.
Principles of the GDPR
A data controller has to be compliant with some general principles of the GDPR. The following principles apply to any processing of personal data:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality
Under the GDPR, controllers are not only responsible for the compliance with these principles, they have to be able to demonstrate compliance with these principles, too. This accountability principle leads to the controller’s obligation to introduce an integrated overall data protection management system.
Data protection management system / organizational measures
Under the GDPR requirements on a data protection organization increased, in particular with regard to documentation and provision of evidence. This applies because a data controller is responsible for the compliance with data protection laws as well as the data controller is obliged to demonstrate compliance,
Potential elements of a sophisticated data protection management system could be as follows:
Data protection officer (DPO)
Many data controllers will have to appoint a DPO. As your potential users probably include minors, appointing a DPO in your scenario is very sensible. The DPO’s role is to monitor compliance with data protection regulations.
The data controller must provide internal and external guidelines and implement further organizational processes to ensure GDPR-compliance. Such organizational processes may include, for instance
- Subsequent monitoring of processing activities (e.g. internal audits)
- Facilitating data subjects’ rights
- Compliance with notification and informational duties
- Handling of data breaches
- Assignment of personal responsibilities
- Training and advising employees (this can be a task for the DPO)
Records of processing activities
A data controller has to maintain a written or electronic record of all processing activities.
Data protection impact assessment
Where certain data processing operations may present a high risk to the interests of the data subjects, data protection impact assessments must be carried out by those data controllers. The data protection impact assessment is intended to assess whether the tested procedure is permitted under data protection law.
Privacy by design and by default
Data controller’s IT systems and the underlying business processes must be designed in such a way that data protection by design and by default is ensured.
- Privacy by design has to be ensured via technical and organizational measures. The data controller has to take appropriate measures to ensure a level of protection commensurate with the risk of the processing. Measures could be:
- pseudonymization and encryption of personal data
- ability to ensure the confidentiality, integrity, availability and resilience of systems and services relating to processing in the long term; and
- ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident; and
- implementing of a procedure for the regular review, evaluation and evaluation of the effectiveness of technical and organizational measures to ensure the safety of processing
- Privacy by default is to be ensured via data protection friendly default settings (e.g. no divulgence of data to the public without interference of data subject)
Rights of the data subject
The GDPR provides for a number of rights of the data subject against the controller relating to the processing of their personal data. The controller has to provide information on their identity and contact details, name and contact details of the DPO, purposes of data processing, legitimate interests, recipients, envisaged international transfers to the data subject at every time when personal data are obtained. Further, the data subject my request:
- information on the processing of their personal data
- access to their personal data processed
- correction of incorrect personal data
- deletion of certain personal data
- blocking of personal data
- portability of personal data
Remedies, liability and sanctions
Affected data subjects can demand compensation for material and immaterial damage caused to them by controller’s data protection violations.
Regulatory authorities may impose fines of up to 20 million Euros or up to 4% of the total annual group revenue achieved worldwide in the previous financial year.