impact assessment upon processing data that involve special privacy risks, for instance regarding health.

businesses and organizations must appoint a data protection officer: employees than 5,000 persons within a period of 12 months referred to as privacy officer is an independent person who monitors the general quality of the data protection policy of an organization. The data protection officer will check whether the processing of data in a company is in accordance with the Data Protection Act. If the data protection officer detects irregularities, he must report them to the person in charge or to the company he was appointed by. In addition, the data protection officer is allowed to make recommendations. However, these recommendations have an advisory function only. Ultimately, it's up to the person in charge whether to follow the advice of the data protection officer or not. Appointing a data protection officer might imply that the national data protection agency will act reluctantly if the data protection officer performs his duties properly.

Requirement will be introduced. This means that if a company has been affected by a data leak, it has to report it within 24 hours to the relevant authorities. There is a notification requirement in the event of a breach of organizational security measures for data. Examples are theft of passwords or client data, hacking, or loss of data, for instance if an employee has lost a USB device. A data leak must be reported by the person in charge of data processing in a company, for instance the data protection officer. If a breach could lead to the risk of negative consequences for the protection of data, the responsible person needs to notify the relevant authorities and also all persons who are concerned in this matter. A breach of data processing needs to be reported by the person in charge within 24 hours after noticing it.
If a breach of the data processing isn't reported within 24 hours, a specific explanation must be provided. An organization that doesn't report a violation completely or in a timely manner will risk incurring a severe fine. The amount of the fine will be determined based on the facts, such as prior breaches, the scope of the breach and whether it's a question of intent or gross negligence.

consumer has the right that companies and institutions delete the data and that further spread of the data will not occur if: processed personal data for the processed for; her consent, and/or when the period allowed for data storage has passed; complaint against the processing of personal data; comply with the other provisions of the regulation. to delete the data in question but also to prevent further spread of the data. Therefore, a company is obliged to inform third parties who process data provided by the company of the person in question's request to delete any link or copy of the personal data. It is wise to create a protocol for handling requests about information, modification or deletion of personal data according to the new regulation.

businesses can incur are a lot higher than before, it is really important that companies throughout the world are fully aware of the rights and obligations of EU citizens that arise out of the new regulation. It must be taken into account that, as this new regulation will protect the data of all EU citizens, it will apply to all companies worldwide that process data of EU citizens. This may be the case, for example, when your company has a webshop that offers goods or services.