Starting from 25th May 2018, failure to comply with the legislation on the protection of personal data will result in fines of up to 20 million euros or up to 4% of turnover.
The entry into force of the European privacy regulation (reg. EU 2016/679) is imminent. Companies and individuals will need to prove that they have actually taken measures in compliance with its provisions. Indeed, the regulation introduces the principle of accountability according to which the Controller or the Processor are entrusted with the task of choosing the methods, limits and tools necessary for lawful data processing.
The regulation applies to whoever carries out processing activities of data belonging to natural persons; whereby processing means any operation such as the collection, recording, storage, alteration, use, consultation, dissemination, erasure or destruction of personal data.
The territorial scope of application of the regulation is extremely broad. In fact, it also operates with regard to companies located in non-EU countries that offer products or services to persons in the European territory.
The main changes introduced by the regulation include the introduction of the Data Protection Officer (DPO) as the entity responsible for verifying and implementing the regulation by the Data Controller; the appointment of those in charge of specific activities through written contracts; the obligation to notify the Guarantor of any violations within 72 hours from the verification of the event; the greater clarity, transparency and accessibility of the information and the right to data portability.
In general, once the regulation enters into force, the Controllers must demonstrate they have implemented all legal and contractual obligations for privacy purposes and that they have adapted their organizational and information systems in order to ensure data security. To this end, it will therefore be necessary to outline and perimeter the types of processed data, analyze the necessary legal requirements and identify the potential areas of greater risk.
Depending on the single companies, it may then be appropriate to organize training courses for employees, proceed with the appointment of a DPO, prepare the record of processing activities and, all of the above, in order to avoid the severe penalties that, depending on the violations, may result in fines of up to € 20,000,000.00 or up to 4% of the total annual turnover of the previous year.
Given the current scenario characterized by an increasing threat to computer security, there is a tough challenge for those involved in the field of processing activities. They will have to demonstrate that they have taken all the necessary measures aimed at ensuring the application of the regulation.
In this context, Zunarelli – Studio Legale Associato is at its clients’ disposal to carry out compliance activities in order to assess the most sustainable and effective strategy for each company to adapt to a constantly evolving legislation.
(Bologna Office – Massimo Campailla and Marta Tonioni – 0039 (0)5 12750020)
