General Data Protection Regulation (‘GDPR’) finally adopted
On 14 April 2016, the European Parliament finally passed in plenary session the new GDPR. This new legislative text is intended to repeal the current applicable Data Protection Directive 95/46/EC. This modification will lead to significant challenges and the need for all lotteries and companies processing personal data to change their structure, adopt further policies and implement new measures.
The first consequence that can be highlighted is the shift from an EU Directive to a Regulation, meaning that the GDPR is a directly binding EU legal instrument that does not require any national implementation to be directly applicable, unlike Directives that are only binding on Member States as to the objectives to be achieved but must be transposed into national law (leaving a certain leeway to the Member States as to the means to achieve those objectives) to have direct effect. Therefore, as soon as the GDPR will come into force, its provisions (save as otherwise provided in the text) will become applicable to all Member States and (natural) persons.
The following aspects are of utmost importance for lotteries and data controllers/processors in general:
- One-stop shop – Should controllers have several establishments within the EU or process data relating to residents based in different EU Member States, the Data Protection Supervisory Authority (‘DPSA’) of the Member State where the controllers’ main establishment is located is responsible (as the lead authority) for the entire supervision of the processing activities across all the concerned EU Member States.
- Obligation for any data controllers to report any data breach to the DPSA within 72 hours from the moment they become aware of the breach and should the breach may lead to a violation of the data subject’s rights or freedoms, notification as well to the data subject within undue delay.
- Administrative fines in case of breach of the GDPR – The amount of the fines can now reach up to EUR 20 Mio or 4% of the data controller’s or data processor’s total worldwide global turnover of the preceding financial year.
- Accountability – Any data controllers and processors have to put in place internal policies concerning the personal data processing and the data subjects’ rights; internal procedures and mechanisms to meet data subjects’ requests for obtaining information on the processing of their personal data etc.; implementation of policies and measures (technical and organisational) to demonstrate that data are processed in compliance with the GDPR’s provisions. This obligation entails setting up data protection measures by default, i.e. measures automatically processing the required data and that do not go further than what is necessary, and data protection measures by design, i.e. measures created having regard to specific processing features (including the scope, nature and purposes), to protect data subjects’ rights and ensuring a high level of security; obligation, in certain cases, to perform a data protection impact assessment…
- In certain circumstances (most likely to be met by all lottery and gambling operators): obligation to appoint a Data Protection Officer.
- Clear and unambiguous consent of the data subject – Data Controllers must ensure they receive the prior consent of the data subject. The consent must be clear, informed, unambiguous and granted for the processing of the data for a specific purpose. Moreover, consent will have to be given either by statement or a clear approval of the data subject.
- Data subjects’ right to erasure (i.e. right to be forgotten) – Data controllers and processors must make sure they implement appropriate mechanisms to ensure data collected form data subjects can be erased upon request.
- Right to portability – Data subjects must be able to receive an electronic copy of the data undergoing the processing in a commonly used format allowing the data to be processed by another data controller/processor.
The GDPR has yet to be translated into all the official languages of the EU and then be published to the EU Official Journal before coming into force. However, as regards the aspects for which the GDPR grants EU Member States a 2-year period to adapt their national legislation (approximately 50), the deadline should end in May/June 2018.
By Lucas Falco.
For any further question or information: contact us.