The European Privacy Act – What Does HR Need To Know?

The new General Data Protection Regulation (GDPR) will take effect in the European Union (EU) on 25 May 2018.

The Sense Of EU-Wide Privacy Legislation

Technological developments do not take place at national level, but at international level. The EU has a fragmented whole of privacy legislation. The EU harmonized the protection of personal data through the European Data Protection Directive in 1995 already. This directive provides for rules for the processing of personal data. The Member States were obliged to transpose the directive into national legislation (implementation) within three years.

The beginning of the 21st century was a time when social media still played a rather insignificant role. Through the founding of Facebook in 2004 and Twitter in 2006, the directive has become obsolete. The personal data of EU citizens had to be better protected. The EU therefore designed a proposal for new legislation in 2012, which was eventually adopted in April 2016: Regulation 2016/679, or the General Data Protection Regulation/GDPR.

The advantage of a regulation over a directive is that a regulation has direct effect in all Member States and a directive must first be transposed into a national law. A directive and a regulation determine the frameworks for rights and obligations of, on the one hand, persons from whom data is collected and processed, and, on the other hand, companies and government institutions that collect and process personal data.

What the actual protection looks like, in addition to the statutory frameworks, also depends on the further development and interpretation that is given and the way in which enforcement takes place. The law and regulations in the field of privacy and the protection of personal data has many open standards. This has the great advantage that the rules remain useful for longer as the technology develops.

Citizens, businesses and governments had two years to prepare for the new GDPR rules, which will take effect on 25 May 2018.

GDPR will therefore now put an end to the fragmented privacy legislation within the EU and, among other things, ensure:

  • Strengthening and extending privacy rights. For example, organizations must receive valid permission from people to process their personal data. In addition to the existing right to ask an organization to remove their personal data, people also have the right to demand that the organization pass on the removal to all other organizations that have received this data from this organization;
  • More obligations and responsibilities for organizations that process personal data. The emphasis is on the responsibility of organizations to be able to demonstrate that they comply with the law;
  • The same authority for all European privacy regulators, such as the authority to impose fines of up to twenty million euros.
  • The best practices for HR policy implementation are in place. HR policies and procedures must adhere to the European Privacy Act and ensure employees are aware of their rights under that law.

All companies and bodies that own or process personal data are subject to the rules laid down in the General Data Protection Regulation. The GDPR applies to the automated processing of personal data. Organizations are obliged to provide information to persons whose personal data they use. Also, under this law, organizations have to inform people what personal data they use and for what purpose. They must also provide information about their identity (name and address of the organization) and whether they provide the data to other organizations.

The GDPR is, however, more concrete about the obligation to provide information. Organizations must provide at least the following information:

  • the identity and contact details of the controller;
  • the contact details of the data protection officer;
  • the purposes and legal basis for the use of the data;
  • the legitimate interests of the controller, if the processing is based on the legitimate interest;
  • the recipients or categories of recipients of the personal data; and
  • whether the data will be passed on to a country outside the EU.

In addition to the above information, organizations must provide the following additional information to ensure proper and transparent processing:

  • the retention period of the data;
  • that the person concerned has the right to inspect and rectify or delete the data, or limit the processing concerning him/her, and also the right to object to the processing and the right to data transferability;
  • that the person concerned has the right to withdraw his/her permission;
  • that the person concerned has the right to submit a complaint to the controller;
  • whether the provision of personal data is a legal or contractual obligation or a necessary condition for concluding an agreement, and whether the data subject is obliged to provide the personal data and what the possible consequences are when this data is not provided;
  • the existence of ‘profiling’ or automated decision-making;
  • if the data is not obtained from the person concerned, the source from which the personal data originated.

The GDPR further stipulates that prior information must be easily accessible and written in clear and simple language.

Data Protection Officer

One of the new rules of the GDPR is that many organizations are obliged to appoint a so-called data protection officer (DPO). The data protection officer supervises compliance with the privacy regulations in an organization.

The appointment of a data protection officer is only mandatory on 25 May 2018 for organizations that, on account of their nature or size, process personal data on a large scale and with government departments, with the exception of judicial authorities.

The most important duties of a data protection officer are:

  • monitoring;
  • collecting inventories of data processing;
  • the development of internal regulations;
  • keeping track of reports of data processing;
  • treatment of questions and complaints from employees, customers, patients;
  • information;
  • advise on technology and security.

Small And Medium-Sized Businesses

The GDPR will apply to all organizations that process personal data, including small and medium-sized businesses and freelancers who process data, such as keeping track of customer appointments, customer phone numbers or personnel information. SMEs must also appoint a data protection officer when the core activities require the processing of sensitive data on a large scale. SMEs are also obliged to keep a register of the data they collect when these activities are structural and involve a high risk for privacy.

Fines

If an organization violates the AVG after 25 May 2018, the Dutch Data Protection Authority can impose a fine of up to twenty million euros, or a fine of four percent of the worldwide annual turnover, should that amount be higher.

It is time to evaluate your readiness, build a plan, and then implement the plan.

Contact us

Contact us for more information

    HR Brochure
    Download our brochure

    Europe HR Solutions Brochure

    Our Brochure
    Learn more about the services offered by Europe HR Solutions.

      Download this file

      Please enter your name and email address and agree to receiving information from us. We will send a link to your email for downloading the file. We will not abuse your personal information.

      Q
      Other articles

      Read more of our articles

      Benefits and Challenges of Subsidiaries for European Expansion

      Benefits and Challenges of Subsidiaries for European Expansion

      Expanding into the European market presents a wealth of opportunities for businesses looking to tap into new customer bases, diversify their operations, and increase their global footprint. Establishing subsidiaries for European expansion is a common strategy that...

      A Guide to Setting Up Legal Entities in Europe

      A Guide to Setting Up Legal Entities in Europe

      Expanding your business into Europe offers a wealth of opportunities, including access to new markets, a diverse customer base, and the potential for increased revenue. However, navigating the complexities of establishing a legal presence in a foreign country can be...

      Categories

      Learn more

      About the author

      The author of this article

      Inez Vermeulen is the Founder and CEO of Europe HR Solutions, with over 25 years of successful corporate and entrepreneurial experience in various global industries. She has helped grow and expand the European divisions of global companies such as Coca-Cola Company, Regus, DHL, American Medical Systems, etc. Inez has received several company awards for her entrepreneurial spirit and success.

      She owns a Bachelor’s degree in French, History and Latin, several HR global expert certifications, a Master’s degree in Metaphysical Sciences, ICF Coach Certification and has completed her Doctorate on Transformational Leadership. Inez is fluent in Dutch, English, French, Italian and German. She works in partnership with an extensive international network of independent & professional companies and resides in Belgium near Brussels with her husband Jan.