The EU General Data Protection Regulation (referred to below as "GDPR") became applicable on May 25, 2018.
Who is affected
The scope of the new EU Regulation goes beyond the European Union.
All individuals and companies offering goods or services to, or monitoring the behaviour of, individuals located in the EU are affected regardless of where the business is based, and regardless of the citizenship of the individuals concerned. That means that every non-EU-based business receiving, storing or processing personal data of individuals in the EU is subject to the new EU Regulation.
Penalties for Non-compliance
EU fines for non-compliance can go up to the higher of €20 million or 4% of the offender's worldwide annual turnover for the preceding financial year. Those highest fines are reserved for the most serious violations, such as processing personal data without a valid legal basis (for example, without the data subject's consent where consent is the basis relied on) or infringing the rights of data subjects. Within those limits there is a lower tier of fines (up to the higher of €10 million or 2% of worldwide annual turnover) for breaches such as not keeping records of processing activities to the GDPR standard, or not notifying the supervisory authority of a personal data breach within the required 72 hours of becoming aware of it.
GDPR Overview
a.Definitions
Here are some GDPR definitions.
"Data Subject" is an identified or identifiable natural person. "Personal data" is any information that can be used, directly or indirectly, to identify a person. Not only are names, addresses, government-issued identification numbers, bank and medical records included, but so are e-mail addresses, social media posts, photographs, location data, online identifiers and computer IP addresses. Thus, every overseas website that accepts personal information from individuals in the EU, or sets "cookies" on their devices, is subject to the new EU Regulation.
"Controller" is every natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data. "Joint Controllers" are required to determine their respective responsibilities for compliance by means of an arrangement between them. "Processor" is every natural or legal person which processes personal data on behalf of the controller.
A controller or processor not established in the EU but subject to the Regulation must, subject to limited exceptions, designate in writing a representative in the Union.
b. Consent
Consent of the data subject must be freely given, specific, informed and unambiguous. For sensitive personal data (the "special categories", such as health data), only explicit "opt-in" consent is compliant. For non-sensitive data, unambiguous consent given by a clear affirmative act is sufficient, but the controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data; pre-ticked boxes and silence do not count as consent.
The request for consent and its purposes cannot be expressed in legalese but must be presented in a clearly understandable, readily accessible form, in plain language. The purpose of the data gathering, storage and processing must be stated on the form on which the consent is given, and may not be exceeded in scope or in time. Consent given for a specific purpose does not thereafter render the data generally available for the collecting company's use, resale, "data mining" or other purposes. Furthermore, data may not be stored longer than is necessary for the purpose for which consent was given, imposing on controllers an obligation to erase data already collected once that purpose is fulfilled. Consent may be withdrawn at any time, and the company collecting the data must make it as easy to withdraw consent as to give it.
c. Rights of the data subject
As the data subject retains control over his or her personal data, several rights are granted to him or her: the right to be informed about the collection and use of the data, the right of access to the data, and the right to rectification of inaccurate data. The data subject may demand that data previously collected be erased ("right to be forgotten"), imposing on controllers an obligation to erase the data without undue delay unless another legal requirement to retain records supersedes. The right to data portability means the right to receive the personal data provided to a controller in a structured, commonly used and machine-readable format, along with the right to transmit those data to another controller.
Compliance measures to Undertake
a. Appoint a Data Protection Officer (DPO) if subject to the criteria
Companies or organisations that are public authorities, or whose core activities consist of large-scale regular and systematic monitoring of individuals, or of large-scale processing of sensitive personal data, must appoint a DPO. Companies or organisations not meeting those criteria need not appoint a DPO, although they may do so voluntarily.
b. Carry out a Data Privacy Risk Assessment and Audit by IT and Legal/Compliance staff
c. Implement the Remediation Measures identified by the Audit
d. Establish Internal Compliance Protocols
Our Services
Mattioli Law Firm provides online legal advice on all aspects of GDPR compliance.
Services available include:
a. GDPR compliance Legal Auditing
b. Drafting or reviewing the following documents:
-Privacy Policy
-Data Processing Agreements (controller-processor; processor-subprocessor)
-Data Sharing Agreements
-Joint Controllers Arrangements
-EU-based representative designation
-Internal Compliance Protocols
To request legal advice on GDPR compliance, please fill out the form on the "Contact" page, send us an email, or call us (also via WhatsApp) at +39.335.7044919. Thank you.