Data Protection Officers. A data protection officer will need to be appointed where data processing is a "core" activity of the organisation and where sensitive data is processed on a "large" scale.

Consent Requirements. Consent is required in more circumstances than under the EU Data Protection Directive, and it must be given either by a statement or by a clear affirmative action. Consent has to be demonstrable on demand and must be retractable at any time. It will not be considered valid (freely given) if a data subject has to consent to processing as a condition of receiving a service where that processing is not necessary for the actual performance of the contract.

Member States. Because the GDPR is a regulation rather than a directive, it applies directly in every member state without needing to be transposed into national law. The intent of the GDPR is to harmonise data protection law across the EU; however, each member state may enact its own laws to implement the regulation and may enact more stringent data protection requirements above those of the GDPR.

Children. When an online service is required to obtain consent, the consent must be obtained from a parent or guardian if the individual concerned is under 16, unless the member state passes a law lowering this age. Nevertheless, the age cannot be set lower than 13.

Sensitive Data. More stringent requirements apply to sensitive data than under the EU Data Protection Directive, including genetic, biometric, health, racial and political data.

Enhanced Notice and Information Obligations. Controllers must provide any information they hold about a data subject, free of charge, and within one month of the request. More details may need to be disclosed to data subjects, both initially (e.g. in a privacy policy) and in response to access requests. Controllers may be required to allow individuals to obtain a full copy of their data in a standard, commonly used format and, where feasible, to facilitate transfer of that data to another controller.