
What businesses need to know about the EU proposed general data protection regulation

2 July 2015

The European Council (the Council) published its text of the proposed General Data Protection Regulation (the Regulation) on 15 June 2015. Trilogue negotiations have now commenced between the European Commission, the European Parliament and the Council. We expect agreement to be reached, and the final text published, in late 2015 or early 2016, followed by a two-year implementation period before the Regulation applies.

  • The Regulation applies not only to organisations established within the EU but also to organisations established outside the EU that offer goods or services to, or monitor the behaviour of, EU data subjects
  • The Regulation will make it easier for data controllers to rely on ‘legitimate business interests’ as a lawful ground for processing personal data where there is a relevant and appropriate connection between the data controller and the data subject
  • Data processing agreements between data controllers and data processors will be required to contain extensive mandatory data protection clauses; for example, the controller’s right to audit its processors, and obligations on processors to assist with subject access requests and with personal data breaches
  • Member states may provide for additional special conditions for the processing of personal data for specific sectors and for the processing of special categories of data
  • Codes of Conduct and Certifications will be developed to help data controllers and processors demonstrate their compliance with the Regulation and also to serve as a means of legitimising international data transfers
  • Multinationals will benefit from a ‘one stop shop’: the data protection authority in the member state where the controller or processor has its main establishment will act as the lead authority for the data processing undertaken by that controller or processor
  • Organisations may appoint a Data Protection Officer, and must do so where applicable member state law requires it
  • Data controllers and processors will be required to maintain a record of all their data processing activities, which must be made available to the DPA on request
  • Serious data breaches must be notified to the DPA, in most cases within 72 hours of the controller becoming aware of the breach; data breaches may also need to be notified to the affected individuals, who may have the right to claim compensation
  • The application for Binding Corporate Rules as a means to transfer personal data intra-group will be simplified
  • Fines of up to 2% of annual worldwide turnover for the preceding financial year, or EUR 1 million, may be imposed for non-compliance; DPAs will also have the power to carry out data protection audits

For more information contact Janine Regan on +44 (0)20 7427 6798 or janine.regan@crsblaw.com