Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, entered into force in May 2016 and introduces a single legal framework that will harmonise the legislation protecting the personal data of European citizens. The GDPR applies from 25 May 2018 and is intended to facilitate the free flow of personal data within and outside the EU in connection with international trade and international cooperation, while providing mechanisms for protection against infringements of the privacy of personal data processed by automated or other means. After 25 May 2018, the rights of individuals and the obligations of controllers and processors regarding privacy and the protection of personal data will have to be taken into account already at the planning stage of any activity falling within the scope of the GDPR. The changes introduced by the GDPR lead to changes in regulatory policies and in the mechanisms for implementing them.
• The obligation to request consent for the processing and storage of personal data. Requirements are introduced for the texts used to request consent, namely:
– Clear, concise and easily understood (no unintelligible terms from legal jargon);
– Distinct from other topics/questions;
– Provided for each processing purpose.
It will be necessary to ensure that withdrawing consent is as easy as giving it.
• Rights of individuals: the GDPR grants the data subject the right to receive confirmation concerning:
– The purpose of the processing;
– The categories of data;
– The recipients of the data;
– The storage period, or the criteria used to determine it;
– The right to object to processing;
– The existence of automated decision-making, including profiling;
– The right to request the rectification or erasure of personal data, or the restriction of processing of personal data relating to the data subject, and the right to lodge a complaint with a supervisory authority;
– The source of the data, where they were not received directly from the data subject;
– The right to receive a copy of the personal data in an accessible electronic format.
• The right to be forgotten: the data subject receives the right to request from the controller the erasure of personal data and the cessation of further dissemination and processing of the data. Under Article 17 of the GDPR, the grounds for erasure include data that are no longer relevant to the purposes for which they were processed, or the receipt of a withdrawal of consent. When examining such requests, account shall be taken of whether the public interest in the availability of such data would be affected.
• Data portability: the data subject's right to receive their personal data in a structured, commonly used and machine-readable format is introduced, so that the data can be transferred to another controller.
• The obligation to notify the competent supervisory authority (IRC). The GDPR introduces an obligation to notify the IRC of established breaches of the security of personal data. The controller will have to make the notification without undue delay and no later than 72 hours after becoming aware of the breach.

Security. The privacy and security of personal data when implementing control or surveillance mechanisms are the basis of the current Statement of Applicability used in certified information security management systems (ISO 27001). The use of technical and organisational measures by controllers and processors to ensure the security of the data will be a legal requirement after 25 May 2018; the measures must be appropriate to the level of risk and to its severity for the rights and freedoms of natural persons (e.g. pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of processing).