Outsourcing Journal

Independent ICT service business insights since 2010



Starting May 24th, 2016, the new data protection regulation (Regulation 2016/679 of the European Parliament and of the Council, hereinafter referred to as the „Regulation”) enters into force. Aiming to strengthen citizens’ fundamental rights in the digital age and to facilitate business by simplifying rules for companies in the Digital Single Market, the new regulation will become applicable as of May 25th, 2018. This means that the companies are given 2 years to bring the processing already under way into conformity with the Regulation.

New progressive rules for businesses

The Regulation will represent the only set of rules applicable for business all across the EU making it easier for companies when interacting with another member state. Moreover, the Regulation will also apply to non-EU companies when dealing in the EU.

Unlike until now, businesses will only have one (main) supervisory authority regardless of the number of headquarters and of member states in which they are based. The criteria for determining the main supervisory authority will be that of the main headquarters which can be determined easily under the Regulation.

What businesses need to know

Whenever data is processed, any communication that needs to be made with respect to the processing must be made in a clear and simple language and must be easy to understand. The businesses are responsible for ensuring the transparency of the processing.

While the general notification obligation of processing is no longer in force, the companies will have to be more responsible. In this respect, in case of a breach related to the security of personal data, companies will have to immediately notify the data subject and the data protection authority as soon as possible and preferably no later than 72 hours since the moment of the breach. Otherwise, the penalties and administrative fees for such infringements are high.

Also part of the responsibility undertaken by the companies under this new Regulation is the obligation, in certain cases, such as having more than 250 employees, to designate a data protection officer who will carry out specific tasks to ensure that the Regulation is dully applied and that the rights of the data subjects are protected.

Furthermore, the Regulation brings stricter conditions to be met for consent to processing to be valid. In this respect, the consent has to be clear and explicit beyond a doubt, for example, if the consent is given in a context where it approves more actions that the processing of data itself, it might be deemed unclear and, hence, unenforceable for the company.

It is very important to note, that regardless of whether a business grounds its data processing on consent or not, the data subject has to be informed about the processing, respecting the principle of transparency, as mentioned above.

This responsibility that is being transferred to the company by allowing them to process data without prior notification has its grounds in the need to deal faster and save important amounts of money and time spent with an outdated procedure that no longer reflects the direction in which companies are heading and neither the needs of the data subject. The best way to see how heavily this responsibility weights is by looking at the administrative fines which range up to EUR 10 million or 2% of the global annual turnover, whichever is higher, or in some cases can go up to EUR 20 million or 4% of the global annual turnover, whichever is higher.

A friendlier approach towards several categories of companies

One of the most burdensome obligations of the companies under the actual EU legal framework is related to the notifications to supervisory authorities, which incur a cost for business of EUR 130 million every year according to the numbers announced by the European Commission. The new Regulation removes the unnecessary administrative requirements, such as notification requirements for companies.

Furthermore, the Regulation contains a set of exemptions for SMEs, such as the exemption from the obligation to appoint a data protection officer insofar as data processing is not their core business activity or from the obligation to carry out an impact assessment unless there is a high risk. Also, companies will be able to charge a fee for providing access to data, in case the requests to access data are manifestly unfounded or excessive.

Guaranteed rights of the citizens

One of the main declared purposes of the data protection reform was to allow people to regain control over the personal data, in the context of an unprecedented technological development. For this purpose, the new Regulation guarantees the following rights of the individuals:

(I)    easier access to your own data: individuals will receive additional information, made available in a clear and understandable way, on how their data is processed;
(II)   the right to data portability: individuals shall have the right to receive their personal data in a structured, commonly used and machine-readable format and have the right to transmit those data to another service provider;
(III)  the right to be forgotten: provided that there are no legitimate grounds for retaining the data, individuals shall have the right to obtain the erasure of personal data without undue delay;
(IV)   the right to be informed on the data breaches: when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the individuals must be informed regarding such breach without undue delay.

Further steps for companies

Even though the new rules will become applicable on May 25th, 2018, the companies will have to bring the existing processing into conformity with the Regulation by that moment. This transitory period should allow companies enough time in order to establish clear ground rules and processes for complying with the new requirements in the data processing field. In this respect, a company should at first identify which legal obligations are applicable in its case and should further update its procedures and regulations accordingly.


This article was contributed by bpv Grigorescu Stefanica. bpv Grigorescu Stefanica is a Romanian law firm with a full service offering for complex projects and litigation and a unique combination of legal and tax advisory capabilities. In 2016, bpv Grigorescu Stefanica celebrates 10 years of activity during which it advised countless international and local clients from various fields: energy, infrastructure, utilities, environment, technology, pharmaceuticals, and agriculture.

Since its founding, bpv Grigorescu Stefanica has been consistently recommended as a leading Romanian law firm by the most reputed international legal directories, Chambers & Partners, Legal 500, IFLR1000, ITR World Tax. bpv Grigorescu Stefanica is a founding member of bpv Legal, an alliance of independent commercial law firms with offices in Bratislava, Brussels, Bucharest, Budapest, Prague and Vienna, offering cross-border legal advisory services.

bpv Grigorescu Stefanica comprehensively advises in the following areas of law: Antitrust & Merger Control, Banking & Finance, Commercial, Construction, Corporate & Insolvency, Dispute Resolution, Employment & Benefits, Energy, Natural Resources & Environment, Infrastructure & Utilities, Mergers & Acquisitions, Procurement, Concessions, PPPs, Real Estate, Taxation.

bpv Grigorescu Stefanica
33 Dionisie Lupu Street, RO – 020021 Bucharest
Tel. +40 21 264 16 50
Fax +40 21 264 16 60
Email: office@bpv-grigorescu.com
Web www.bpv-grigorescu.com