controllers to provide easy-to-understand information and inform data subjects about breaches; sets stricter rules for giving consent to the processing of personal information; provides data subjects with easier access to their personal information; sets more elaborate rules on the right of the data subject to obtain from the data controller the erasure of personal data concerning him/her (i.e. the "right to be forgotten"); and introduces new concepts such as "data portability" (i.e. the right to transfer personal data from one service provider to another). As stated earlier, the GDPR imposes stricter rules regarding consent to the processing of personal data. Accordingly, consent must be given by a clear affirmative action, in written or oral form or by electronic means, including, for example, ticking a box on a website. Any kind of statement or action from which it is clear that the data subject has accepted the processing of their data is also considered approval. The request for consent must be presented in a manner that is clearly distinguishable, in plain language and in an easily accessible form. Consent may not be presumed from inactivity or silence. Data subjects have the right to withdraw their consent at any time, without limitation. One of the novelties introduced by the GDPR concerning consent to data processing is the so-called "parental consent." This means that for children below a certain age, a parent must give consent before the child's data may be processed. This covers the most common children's online activities, such as opening accounts with Facebook, Instagram or Snapchat. Nevertheless, parental consent is not required in the context of preventive or counseling services offered directly to a child. The GDPR establishes an age limit; however, it allows each member state to lower the age to as young as 13.
This arrangement was one of the most debated issues concerning the GDPR, because it is expected to result in a lack of consistency among the member states, while consistency was one of the principal goals of the GDPR. The GDPR introduces more elaborate rules concerning the so-called "right to be forgotten," which gives a data subject the right to demand erasure when their personal data is no longer necessary, when the data subject withdraws consent or when the personal data has not been processed lawfully. In such situations, data controllers are required to erase the data promptly after the data subject's request. On the other hand, if the processing of data is necessary for the public interest, scientific research, the defense of legal claims or similar purposes, the right to erasure does not apply. The burden of proof for keeping the data lies with the data controller. One of the intended goals of the GDPR is for data subjects to be more aware of unlawful actions involving their personal data, such as breaches and hacker attacks. The GDPR obliges data controllers to notify individuals when there is a high risk of harm to their fundamental rights and freedoms. In any case, data controllers are obliged to notify the competent supervisory authority of data breaches, describing the nature of the personal data breach, its consequences and the measures taken or proposed to be taken by the controller. Besides regulating the actions to be taken by data controllers in the case of data breaches, the GDPR also provides specific guidelines that data controllers and processors must follow to prevent personal data from being misused both by data controllers; such measures apply even in the initial stage of data processing. In fact, data controllers have the obligation to conduct a data protection impact assessment, aimed at considering the likelihood and severity of the risk, particularly for large-scale processing.
Regarding the data processing itself, data controllers and processors are required to maintain a record of the processing activities under their responsibility. Nevertheless, the GDPR abolished various notification requirements, e.g., the obligation of data controllers to notify the competent supervisory authority before carrying out certain personal data processing operations. One of the new concepts introduced by the GDPR is the so-called "data portability," the right of a data subject to transfer personal data from one service provider to another. In this regard, the GDPR establishes the right of the data subject to receive their personal data in a structured, commonly used and machine-readable format, and to transmit this data to another controller without hindrance from the controller to which the personal data was provided. The GDPR also introduced clearer rules regarding the territorial scope of its application. Accordingly, its rules apply whenever a matter contains an EU element. Such an element exists when the company processing the data is registered in the EU, or is registered outside the EU but operates in and offers goods and services to consumers residing in the EU. In conclusion, the GDPR introduces significant changes to the data protection rules in the EU that will affect individuals and companies alike.