GDPR – General Data Protection Regulation
January 20, 2018 GDPRGENERAL DATA PROTECTION REGULATION
Days Left :
[wpcdt-countdown id=”8836″]The General Data Protection Regulation (GDPR) is a comprehensive regulation that unifies data
protection laws across all European Union member states. It defines an extended set of rights for
European Union citizens and residents regarding their personal information. Consequently, it
describes strict requirements for companies and organizations on collecting, storing, processing
and managing personal data.
“The GDPR will change not only the European data protection
laws but nothing less than the world as we know it.” Jan Philipp
Albrecht, MEP, EU rapporteur on GDPR
Where organisations are established within the EU
GDPR applies to processing of personal data “in the context of the activities of an establishment” (Article 3(1)) of any organization within the EU. For these purposes “establishment” implies the “effective and real exercise of activity through stable arrangements” (Recital 22) and “the legal form of such arrangements…is not the determining factor” (Recital 22), so there is a wide spectrum of what might be caught from fully functioning subsidiary undertakings on the one hand, to potentially a single individual sales representative depending on the circumstances.
Where organisations are not established within the EU
Even if an organization is able to prove that it is not established within the EU, it will still be caught by GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related “to the offering of goods or services” (Art 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their behaviour” (Art 3(2)(b)) as far as their behaviour takes place within the EU. Internet use profiling (Recital 24) is expressly referred to as an example of monitoring .
Penalties
Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g.not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.
All MARITIME COMPANIES either their headquarters based within the EU or not should comply with the GDPR Regulation by May 28,2018 !
