General Data Protection Regulation taking effect this Friday

25.05.2018 On Friday, 25 May, the General Data Protection Regulation of the European Parliament and of the Council will take effect to create uniform rules for the processing of personal data, strengthen the right to privacy online and stimulate digital economy.Minister of Justice Urmas Reinsalu affirms that the anxiety that the upcoming changes have generated is unnecessary. ‘I would like to state this clearly: the underlying principles of data protection will remain the same. For ordinary people, not much will change. In the future, people will simply have greater control over the use of their data, since all agencies processing personal data will have to notify people in plain and intelligible language about what it is that they are specifically doing with their personal data. Whether a person reads the contract in its entirety and accepts it or not will be up to the person to decide,’ the Minister of Justice said. Minister Reinsalu draws attention to the fact that it is particularly important for all information to be set down in writing especially clearly and unambiguously when the personal data of children are being processed.Under the General Data Protection Regulation, a child has to be at least 13 years of age in order for her or his personal data to be processed in the provision of an information society service. Particular protection applies to the use of children’s personal data for marketing purposes or to the creation of a social media account as well as to the collection of children’s personal data in the event of the use of services provided for children directly.The data protection reform concerns all agencies and businesses that come into contact with personal data – from public authorities and health institutions all the way to banks, telecommunications companies and small businesses. Organisations have to communicate to consumers very clearly why they are collecting people’s data, who are using their data and which third parties their data are being shared with. Going forward, the consent of the consumer will have to be clear and data processing will have to be transparent. Thus, the use of pre-completed checkboxes or tacit consents will not be permitted in the future.‘One of the purposes of the General Regulation is to introduce a risk-based approach by business operators and agencies: the more sensitive data processing is, the more stringent the rules are. Business operators collecting and using sensitive personal data and large data sets have to think through their work organisation and data processing processes. Also when data are being moved from one country to another, it has to be assessed whether the action is consistent with the principles of data protection,’ Reinsalu explained.The European Union respects the essential functions of every Member State, for example, the upholding of public order and the safeguarding of national security, as a result of which the regulation of data in these areas will remain within the jurisdiction of each Member State. In the near term, the Personal Data Protection Act Implementation Act will bring 130 pieces of legislation into conformity with the General Data Protection Regulation.