GENERAL DATA PROTECTION REGULATION
The GDPR is an EU regulation on the processing of personal data and on privacy. It was adopted on 27 April 2016, entered into force on 25 May of the same year and has applied since 25 May 2018.
The Regulation contains rules to ensure the privacy and security of the personal data of every European citizen, establishes a series of rules for companies, and provides a number of facilitations for virtuous companies.
Consent as a guarantee, also online
The user's consent must be explicit, given in advance and unambiguous. Any form of tacit consent is excluded (silence, in other words, does not amount to consent), and consent can be revoked at any time; once it has been revoked, the data controller may no longer process the data in any way.
The Right to Be Forgotten
Thanks to the introduction of the so-called "right to be forgotten", data subjects may obtain the erasure of their personal data, also online, from the data controller if certain conditions laid down in the Regulation are met: if the data are processed only on the basis of consent; if the data are no longer necessary for the purposes for which they were collected; if the data are processed unlawfully; or if the data subject legitimately objects to their processing.
Portability and data transfer outside the EU
The GDPR defines the concept of data portability, i.e. the transfer of data from one controller to another. For example, you can change your email provider without losing your saved messages. In addition, limits are placed on the transfer of data to third parties or entities outside the European Union that do not comply with data protection adequacy standards: where there are no contractual guarantees or adequacy decisions, data may be transferred only with the explicit consent of the data subject.
Obligation to report personal data breaches (data breach)
The data controller must notify any personal data breach to the national data protection authority. If the breach poses a threat to people's rights and freedoms, the controller must also inform all the data subjects concerned in a clear, simple and immediate manner and explain how it intends to limit the possible negative consequences. The controller may decide not to inform the data subjects if it considers that the breach does not entail a high risk to their rights (for example, fraud, identity theft, reputational damage, etc.); or if it can demonstrate that it had adopted security measures (such as encryption) to protect the breached data; or, finally, if informing the data subjects would involve a disproportionate effort (for example, if the number of persons involved is high).
In this last case, a public communication, or one otherwise suitable to reach as many data subjects as possible, is still required (for example, through an announcement in a newspaper or a notice on the controller's website).
What's new for businesses
The Regulation is directly applicable and binding in all Member States of the European Union and does not require a national transposition law.
The Regulation promotes the accountability of data controllers and the adoption of approaches and policies that take into account the risk that a given processing of personal data may entail for the rights and freedoms of data subjects.
The key principle is "privacy by design", that is, guaranteeing the protection of data from the conception and design phase of a processing operation or system, and adopting practices that prevent possible problems. For example, there is an obligation to carry out an impact assessment before proceeding with any data processing that presents high risks to people's rights, consulting the data protection authority if in doubt.