Email marketing is constantly evolving in terms of strategies and supporting technology. But the laws that govern its activities and processes change too.
With the European Union’s General Data Protection Regulation about to enter into force, we have created a new section of our blog dedicated to legal and privacy matters. In the new Legal & Privacy section you will find contributions and insights from our experts to keep you informed on the protection of personal data and the legal issues involved in email marketing.
In this first post, we look at the new General Data Protection Regulation.
Steps leading up to the reform
After four years of discussion, the reform of the legislation governing the handling of personal data by companies operating in the EU is now complete.
On 25 January 2012, the European Commission submitted a legislative package – consisting of a proposed Regulation and a proposed Directive on the processing of personal data – to update the current legislation, which dates back to 1995 (Directive 95/46/EC).
Why a reform? The profound impact of the Internet and of technological advances on the economy and on social relations prompted the European Commission to make the protection of personal data one of the priorities of its Digital Agenda. Hence the decision to introduce a general regulation on data protection that replaces the individual national laws and, unlike a directive, applies directly without the need for national transposition laws.
The Regulation allows the following three fundamental goals to be achieved:
- updating the principles contained in the 1995 Data Protection Directive and introducing a single regulatory text which is directly applicable in all 28 member states of the European Union;
- establishing the rights of individuals and the obligations of data controllers and data processors;
- establishing methods to ensure compliance with the rules, and the scope of the sanctions imposed on those who infringe them.
After negotiations lasting over three years, at a special meeting held on 17 December 2015 the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament expressed its position on the texts agreed in the trilogue talks between the Council, the European Parliament and the Commission. On 18 December, the Committee of Permanent Representatives (COREPER) approved the final text of the regulation, which now only awaits a few formalities before it is published in the Official Journal of the European Union.
The draft regulation addresses several key issues and changes the current legislation on numerous substantial points. Here is a summary of the main ones:
1) Rights of data subjects
The regulation lists the rights of data subjects, i.e. the natural persons whose personal data is processed. These reinforced rights give individuals more control over their personal data through:
- the need for clear consent to the processing of personal data;
- easier access for data subjects to their personal data;
- the right to have data rectified, deleted and “erased” (the so-called right to be forgotten);
- the right to object to the use of personal data, including for the purpose of “profiling”;
- the right to transfer data from one service provider to another (data portability).
The regulation also requires data controllers to provide data subjects with transparent and easily accessible information on how their data is handled.
2) Data Controllers, Data Processors and Data Protection Officers
The new regulation specifies the general obligations of data controllers (the parties that determine the purposes and means of the processing) and of those who process personal data on their behalf (data processors). These include the obligation to implement appropriate security measures proportionate to the risk associated with the data processing (risk-based approach). Controllers are also required, in certain cases, to notify personal data breaches (data breach notification). Moreover, all public authorities, as well as companies whose core activities involve risky processing (such as regular and systematic monitoring of data subjects on a large scale, or large-scale processing of sensitive data), must appoint a person in charge of data protection, known as the Data Protection Officer (DPO).
3) Supervisory authorities, new rules for multinationals and new sanctions
The regulation confirms the current requirement for EU Member States to establish an independent national supervisory authority; it also introduces mechanisms to ensure consistency in the application of data protection rules across the EU. In particular, a single decision will be adopted for important cross-border cases involving several national supervisory authorities. Under this principle (known as the “one stop shop”), a company with establishments in several Member States only has to deal with the data protection authority of the Member State where its main establishment is located.
The draft agreement also provides for a European Data Protection Board, made up of representatives of all 28 independent supervisory authorities.
Data subjects have the right to lodge a complaint with a supervisory authority, as well as the right to a judicial remedy, to compensation and to hold controllers and processors liable. Data subjects also have the right to have the decisions of a data protection authority reviewed by a national court. The above applies regardless of the Member State in which the data controller is established.
Data controllers or data processors who breach the data protection rules face very heavy sanctions: administrative fines of up to EUR 20 million or 4% of their total worldwide annual turnover, whichever is higher, imposed by the national data protection authorities.
4) Data transfers to third countries
The proposal also regulates the transfer of personal data to third countries and international organisations. Here, the Commission may assess the level of protection provided by a third country, by a territory or processing sector within it, or by an international organisation (adequacy decision). In the absence of such a decision by the Commission, the transfer of personal data may still take place in specific cases or where there are appropriate safeguards, such as standard data protection clauses, binding corporate rules or contractual clauses.
Next steps for the regulation
The text will be submitted for adoption as a political agreement at a forthcoming meeting of the Council. Once the Council has adopted its position at first reading, the text will be submitted to the Parliament for approval.
The regulation is expected to enter into force in the spring of 2016 and to become applicable in the spring of 2018, after a two-year transition period.
In the next post, we will go into more detail on the new elements introduced by the regulation, focusing on the ten points you need to know to avoid possible sanctions. Queries or concerns? Leave a comment below.