May 25, 2021 – three years of application of the GDPR
by Mugurel Olariu, RPD protectie date
Under art. 99, the GDPR provides for its entry into force in the EU Member States from May 25, 2016, and for its application from May 25, 2018. Thus, May 25, 2021 marks three years of application of this important instrument.
In the following, we present some assessments of the role of this document, important aspects regarding citizens’ rights, and the rules applicable to companies.
ROLE of this regulation:
✔ The regulation allows the citizens of the European Union (EU) to have better control over their personal data. It also modernizes and unifies the rules, allowing businesses to cut red tape and enjoy increased consumer confidence.
✔ The General Data Protection Regulation (GDPR) is part of the EU Data Protection Reform Package, along with the Data Protection Directive for police and judicial authorities.
Important aspects of Citizens’ Rights: GDPR strengthens existing rights, provides for new rights and gives citizens greater control over their own personal data. These include:
➢ easier access to one’s own data – including providing more information on how that data is processed and ensuring the availability of that information in a clear and intelligible form;
➢ a new right to data portability – facilitating the transmission of personal data from one service provider to another;
➢ a clearer right of erasure (“the right to be forgotten”) – when a person no longer wants his or her data to be processed and there are no good reasons for keeping it, that data will be deleted;
➢ the right to know when one’s personal data has been hacked – businesses and organizations will be obliged to promptly inform individuals about serious data security breaches. They will also be required to notify the competent data protection supervisory authority.
RULES for enterprises:
GDPR is designed to create business opportunities and stimulate innovation through a number of measures, including:
■ a single set of rules at EU level – it is estimated that the existence of a single EU law on data protection will save EUR 2.3 billion per year;
■ designation of a data protection officer by public authorities and large-scale data processing enterprises;
■ one-stop shop – companies must interact with a single supervisory authority (in the EU country where they are headquartered);
■ EU standards for non-EU companies – companies based outside the EU must apply the same rules when providing services or goods or when monitoring the behavior of individuals within the EU;
■ innovation-friendly standards – a guarantee that products and services incorporate data protection measures from the earliest stage of development (data protection by design and by default);
■ privacy techniques such as pseudonymization (when the identifying fields in a data record are replaced by one or more artificial identifiers) and encryption (when the data is encrypted so that it can only be read by authorized parties);
■ elimination of notifications – the new data protection rules will eliminate most notification obligations and the costs associated with them. One of the objectives of the Data Protection Regulation is to remove obstacles to the free movement of personal data within the EU. This will facilitate the development of enterprises;
■ impact assessments – companies will be required to carry out impact assessments where data processing may pose a high risk to the rights and freedoms of individuals;
■ keeping of records – SMEs are not obliged to keep records of processing activities, unless the processing takes place regularly and is likely to create a risk to the rights and freedoms of the persons whose data are processed.
At national level, ANSPDCP marked three years of application of the GDPR by publishing a summary of its activity for the first four months of the year*1, from which we mention the following:
✔ it received 1733 complaints, reports and notifications of security incidents, on the basis of which 288 investigations were opened.
✔ As a result of the investigations, 15 fines were applied in a total amount of 110,545.7 lei.
✔ 37 more warnings were applied and 30 corrective measures were ordered.
✔ it received 1600 complaints, on the basis of which 155 investigations were initiated.
✔ 84 notifications of security incidents were received, both under the GDPR and under Law no. 506/2004, and the notifications of possible non-compliance with the provisions of the GDPR amounted to 49.
✔ As a result of the notifications received and of the security breaches reported by personal data controllers, 133 ex officio investigations were initiated.
✔ 352 requests were sent to our institution to issue points of view on various aspects regarding the interpretation and application of the GDPR and other incidental regulations.
At European level, the specialized body, the EDPB, published on its official website, on 02.06.2021, the EDPB Annual Report 2020*2, from which we mention:
1. EVIDENCE 2020
1.1. EDPB contribution to GDPR evaluation.
1.2. Responses to COVID-19 issues
✔ During the COVID-19 pandemic, EEA Member States took measures to monitor, limit and mitigate the spread of the virus. Many of these measures involved the processing of personal data, such as contact-tracing applications, the use of location data, or the processing of health data for research purposes.
✔ The EDPB provided guidance on how to process personal data in the context of the COVID-19 pandemic. During this period, the EDPB also responded to letters from Members of the European Parliament requesting further clarification on COVID-19 issues.
1.3. International transfers of personal data after the Schrems II judgment. Following the CJEU decision, the Board adopted the following documents:
✔ Statement on the Court of Justice of the European Union Judgment in Case C-311/18 – Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, on 17 July 2020.
✔ Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, on 23 July 2020.
✔ Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, on 10 November 2020.
✔ Recommendations 02/2020 on the European Essential Guarantees for surveillance measures, on 10 November 2020.
1.4. First binding decision under art. 65 GDPR.
On 10 November 2020, the EDPB adopted its first binding decision pursuant to art. 65 GDPR. The decision addressed the dispute that arose after the Irish National Supervisory Authority (NSA), as lead NSA, issued a draft decision concerning the international company Twitter, and several concerned NSAs subsequently raised relevant and reasoned objections.
2. EUROPEAN DATA PROTECTION BOARD – ACTIVITIES IN 2020
✔ In 2020, the EDPB adopted 10 guidelines on topics such as the concepts of controller and processor, the targeting of social network users, etc.
✔ three guidelines were adopted after public consultation.
✔ it also issued two Recommendations.
✔ The EDPB also oversaw the consistency procedures, clarifying the process and aiming to ensure its efficiency for the National Supervisory Authorities.
✔ EDPB issued 32 opinions based on art. 64 GDPR. Most of these opinions refer to the draft requirements for the Codes of Conduct, Certification Bodies, Binding Corporate Rules, Data Protection Impact Assessment, Standard Contractual Clauses.
3. ACTIVITIES OF SUPERVISORY AUTHORITIES IN 2020
✔ National supervisory authorities (NSAs) are independent public authorities that monitor the application of data protection law. NSAs play a key role in protecting the fundamental right to data protection. They do this, among other means, by exercising their corrective powers.
✔ The EDPB website includes a selection of NSA actions related to the application of the GDPR at national level. The EDPB published on its website a register of decisions taken by NSAs under the one-stop shop cooperation procedure (art. 60 GDPR).
3.1. Cross-border cooperation. The GDPR calls on the EEA National Supervisory Authorities to cooperate closely to ensure the consistent application of the GDPR and the protection of the rights of individuals to data protection in the EEA. One of the tasks is to coordinate the decision-making process in cases of cross-border data processing.
4. CONSULTATION OF INTERESTED PARTIES AND TRANSPARENCY
✔ During the COVID-19 pandemic, the EDPB responded to letters from Members of the European Parliament requesting further clarification on issues related to COVID-19.
✔ The EDPB organized a stakeholder event on the concept of legitimate interest to gather opinions on this specific issue, with a view to developing future guidelines.
✔ The EDPB organizes public consultations in order to offer stakeholders and citizens the opportunity to provide additional contributions, which are then taken into account in the subsequent drafting of the documents. In 2020, the EDPB launched and completed seven such consultations.
5. STRATEGY AND OBJECTIVES FOR 2021
✔ The EDPB has defined its strategy for 2021-2023, which covers four main pillars of strategic objectives, together with a set of three key actions per pillar to help achieve these objectives.
✔ At the beginning of 2021, the EDPB adopted its two-year work program for 2021-2022, in accordance with art. 29 of its Rules of Procedure.