The GDPR will apply to organisations not established in the EU under the following conditions: where they process the personal data of EU data subjects when offering them goods and services (even if payment is not required) and when monitoring their behaviour (in so far as their behaviour takes place within the EU).
The GDPR regulates the matter of consent more strictly. Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication such as by a written statement, including by electronic means, or an oral statement. The data subject shall have the right to withdraw his or her consent at any time.
The GDPR strengthens the rights of individuals. With the ‘right to be forgotten’, data subjects have the right to require the erasure of personal data concerning them without undue delay in certain situations, e.g. when the personal data are no longer necessary in relation to the purposes for which they were collected.
On the other hand, the GDPR places an additional burden on the data processors. The keystone of the regulation is that the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with the GDPR, including the effectiveness of the measures.
Author:
Dr. György Zalavári, Senior Partner, attorney at law, ECOVIS Hungary Legal, Budapest, Hungary, gyorgy.zalavari@ecovis.hu