The General Data Protection Regulation entered into force on the 25th of May and was designed to harmonize data privacy laws across Europe by introducing a new standard of data protection. It is important to remember that this legal instrument has an extraterritorial effect and as such also concerns foreign companies which operate within the EU or process data of European Citizens. Beyond doubt, companies operating in the maritime industry will be affected by the GDPR as they process large volumes of personal data such as data regarding employees, business contacts, passengers, vessel crew, contractors and much more. Stricter rules and higher fees increase the risk of non-compliance, however, the most direct impact of the GDPR raises three main issues.
First and foremost, the GDPR provides a number of new rights to the European Citizens. The most fundamental one is the legal basis for data processing which is, in fact, the consent of the person whose data is to be processed. As provided in the art. 4(11), the consent per se has to be given freely, unambiguously by statement or clear affirmative action. Consent from Clients can be accepted in several ways, e.g. by written, electronic or oral consent. Importantly, the Companies have to ensure that it is as easy to withdraw the given consent as it was given in the first place. Additionally, to considering the issues relating to obtaining or withdrawing consent to the processing of personal data one should also take into account the further individual rights granted by the GDPR:
• right to access data (art. 15)
• right to rectify data (art. 16)
• right to delete data – “right to be forgotten” (art. 17)
• right to limit processing (art. 18)
• right to transfer data (art. 20)
• right to object (art. 21)
Moreover, the GDPR sets out seven key principles that should lie at the heart of data processing:
• lawfulness, fairness and transparency
• purpose limitation
• data minimisation
• storage limitation
• integrity and confidentiality (security)
At the moment, every company operating in the shipping industry worldwide has to comply with the GDPR’s provisions when EU Citizen’s privacy rights are in question. This will have a major impact on those companies both time-wise and money-wise.
1. Bureaucracy and costs
The companies that wish to be compatible with the new law will be subjected to an enormous amount of formal requirements and paperwork. All relevant activities should be implemented by means of appropriate internal procedures and duly documented. For this purpose, it is recommended to prepare appropriate documentation indicating the measures taken to properly implement and apply the GDPR (such documentation may include, among others, appropriate security certificates and certifying the competence of persons having the access to personal data, guidelines for employees, reports and analyzes risk, certification of the measures used to secure ICT systems, etc.).
The art. 30(1) of the GDPR, obliges each data administrator to keep a register of personal data processing activities. Mainly, this obligation binds only those companies which have more than 250 employees. However, it may still apply to smaller companies when data processing may cause a risk of violation, is not occasional and includes specific categories of information (e.g. race, affirmation to trade unions).
When the main activity of the administrator or processor consists of processing operations which, by their nature, scope or objectives, require regular and systematic monitoring of data subjects on a large scale then the GDPR provides for the obligatory appointment of Data Protection Officer. The administrator is required by the GDPR to carry out an analysis whether it is obliged to appoint a DPO. However, even if such an obligation does not directly result from the GDPR, according to the position of the Working Group (the opinion-forming body and co-creating the content of the GDPR), appointing an inspector is strongly recommended.
The appointment of such a person gives additional security guarantees – it confirms that the relevant body has acted with due diligence as regards the protection of personal data. The art. 37(5) provides that DPO should be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices as well as the ability to fulfil the objectives of the Regulation. In other words, the GDPR requires concerned companies to create a new position and employ an expert in the field.
As you can well imagine, these necessary changes will be time-consuming and will incur unavoidable costs. According to some estimations, the world’s 500 biggest corporations are on track to spend a total of $7.8 billion to comply with the GDPR.1
2. More costs
The risk of non-compliance entails potentially very high costs as the regulators will have the power to fine businesses who breach GDPR requirements up to 4% of their worldwide turnover.
In the event of violation of rights of individuals, the administrator is exposed to civil and administrative legal liability. In the scope of the first type of liability, the GDPR provides persons whose rights have been violated with the possibility, inter alia, to apply to the court demanding that the administrator refrains from violating or ordering specific behaviour or for awarding damages.
In addition, a data administrator is also exposed to administrative sanctions, taking the form of fines, i.e.
• a fine of up to 10 million euro, and in the case of a company or group of companies with a total worldwide turnover exceeding 500 million euro – up to 2% of total global turnover from the previous year;
• a fine of up to 20 million euro, and in the case of an enterprise or group of companies with a total worldwide turnover exceeding 500 million euro – up to 4% of total global turnover from the previous year.
3. Member States are not prepared
Back in 1995 the EU already have legislated on the protection of personal data. As such, the GDPR is a legal instrument which finds its origins in the previous century. Even though, a little number of Member States were actually prepared for the GDPR. Only France, Germany, Austria, Slovakia and Sweden have implemented appropriate national legislation in order to adjust their legal systems to the GDPR.
However, it does not mean that the other countries have resigned from introducing national modifications. Majority of Member State already have a draft legislation which will have to be passed in a due time. Hence it should be emphasized that it is not recommended for the entrepreneurs to refrain from adapting to the GDPR and its policy until the adoption of the new law on the protection of personal data in their Member States. The GDPR adopts a form of a regulation – hierarchically the most important legal act of the European Union – which means that the provisions of the GDPR are directly binding and applicable and as such have a direct effect. In other words, as from May 25, 2018, the GDPR applies in full, and entities that perform the relevant activities, including the collection and processing of personal data, are forced to strictly comply with these provisions.
Overall, high-stakes call companies to make sure to be GDPR compliant and there is a high probability that most of them still aren’t.