Date: 16 June 2015
Privacy, Data Protection and Information Management Alert
By: Noirin M. McFadden, Andrew R. Danson

On 15 June 2015 the European Council released its final proposed text for the new General Data Protection Regulation. The Regulation is being adopted to provide legal certainty and transparency for businesses and to provide individuals with the same level of rights and obligations in all EU Member States.

The Regulation will apply to data controllers located outside of the EU whose processing activities relate to the offering of goods or services to data subjects within the EU, as well as to data controllers located within the EU. Moreover, the Regulation will for the first time introduce a requirement on companies (in either a processor or controller role) to conduct data protection impact assessments where processing activities are likely to be intrusive in relation to the rights of individuals.

The Regulation has been subject to much debate. The final proposed draft raises two new specific areas of regulation which will likely be onerous for data controllers:

  • Introduction of mandatory reporting requirements. The Regulation requires data controllers to notify any personal data breaches to the supervisory authority in their jurisdiction upon becoming aware of such a breach and, if possible, within 72 hours. Unless the affected data has had appropriate technological protection measures applied to it, the data controller will also be required to notify the data subject as soon as practicable and in accordance with any guidance provided by the supervisory authority. This represents a significant departure from previous practice in many EU Member States.
  • Introduction of increased fines for infringement of the Regulation. The relevant supervisory authority will determine on a case-by-case basis the level of fine to be imposed in accordance with the Regulation's criteria and upper limits. The maximum fine will now be EUR 1 million or 2% of the worldwide annual turnover of the company, whichever is the higher.

A copy of the published text can be found here.

The next step is for trilogue discussions to take place between the European Council, European Commission and European Parliament to reach a final version of the text; the first trilogue meeting is to be held in Brussels on 24 June 2015. It is expected that these discussions will last until the end of 2015 or into 2016. Once the final text is agreed and adopted it will take approximately two years to come into force.

If you would like to discuss how this might affect your business, please contact one of the authors.

This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.
