When we put Privacy into perspective, our modern day Privacy regime is largely driven by developments in the EU, UK and the US. A Global Regulator is not yet a reality, but many countries have introduced laws based on the automatic processing of personal data that have been developing in Europe since the late 1970s – early 1980s. Plus, it’s coming into summer over there.
In recent times, Europe has developed the EU General Data Protection Regulation (“GDPR”) containing new data protection requirements. It aims to replace the EU’s existing national data protection rules by implementing clear, uniform data protection laws. It is intended to enhance customer trust in online services and provide more legal certainty for business.
Is it for me?
The GDPR will apply to businesses operating in the EU. But it will also catch Australian businesses that have an office in the EU, a website where EU customers can order goods and services or which enables payment in euros, or a business that tracks individuals in the EU on the internet to analyse and predict personal preferences, behaviours and attitudes.
You should note that the GDPR applies to all businesses, irrespective of size or the turnover amount of the business. Even if your business is not subject to the Privacy Act 1988 (Cth) (‘Privacy Act’) because the turnover is less than $3M, your business could still be caught by the GDPR.
What is my itinerary?
If the GDPR applies to you, you need to:
- Obtain an individual’s specific consent to not only collect, but to keep and use their personal data. Individuals must also be given the right to withdraw their consent as well.
- Provide individuals with the right to receive their personal data, particularly in a format which is easy to read and transmit to others.
- Give individuals the right to access their personal data, without delay or charge.
- Provide individuals with the right to object to the processing of their data.
- Give individuals the right to know why their data is processed, who will share their personal data, how long their data will be kept, and how it will be processed.
- Afford individuals the right to restrict the processing of their personal data.
- Allow individuals the right to rectify their personal data.
- Provide individuals the right not to be subject to automatic processing of their personal data.
- Give individuals the right to have their data deleted.
There is also a mandatory data breach notification requirement, similar to the Australian scheme introduced in February 2018 under the Privacy Act. Under the GDPR though, applicable businesses must notify the Regulator of personal data breaches within 72 hours after the breach becomes known.
When do I take off?
The GDPR comes into effect from 25 May 2018.
What happens if my visa is cancelled?
A breach of the GDPR can result in a fine of up to 4% of the prior year’s annual global turnover or up to €20 million, whichever is greater.
Ledlin Lawyers’ articles are intended as general information and commentary and should not be used or relied on in place of legal advice. Please seek formal advice on particular transactions, circumstances and matters related to any articles, blog posts or case studies posted on this website.