The General Data Protection Regulation, adopted last year and forming the core of the so-called Data Protection Reform, will come into force across the European Union on 25 May 2018. The time for proper preparation for its entry into force is running out, and the large volume of information combined with the rush has meant that many erroneous myths about the Personal Data Protection Reform have already become prevalent in society.
Myth 1: all data controllers and processors must appoint a Data Protection Officer
The Data Protection Officer is a new role for both Lithuanian and foreign companies, so the myth that practically all data controllers and processors must have such an officer has become prevalent. However, that is not the case. A Data Protection Officer must be appointed only in the following cases:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.
Myth 2: General Data Protection Regulation is applied only to companies established in the EU
Many people have formed the unfounded impression that it applies only to companies established in the European Union. However, the General Data Protection Regulation also applies to companies established outside the European Union where at least one of the following conditions is met: the company carries on commercial activities related to offering goods or services (even if they are offered free of charge) to data subjects in the European Union, or the company monitors data subjects in the EU. It should be noted that such a company will have to appoint a representative in the European Union.
Myth 3: Data Protection Reform is relevant only for large companies
The very high fines for breaches of the General Data Protection Regulation (in the case of a company, up to 10 million Euros or 20 million Euros, or 2 – 4% of total annual worldwide turnover) can give the impression that the Data Protection Reform is relevant only to large companies, multinational corporations and groups of companies. The truth is that the General Data Protection Regulation applies directly to all controllers and processors who handle personal data, regardless of their size, of the amount and nature of the personal data, and of whether they are natural or legal persons.
Myth 4: the same binding corporate rules will be applicable to all companies belonging to the group of companies established in different countries
Although the General Data Protection Regulation is a legal act with direct effect and does not need to be implemented in national law, i.e. it is directly applicable in its entirety within national law, Member States are entitled to regulate certain issues themselves and to deviate from or disregard certain provisions of the Regulation. For example, national law may provide for liability other than that provided by the Regulation, or for more specific provisions on applying the Regulation's rules. Binding Corporate Rules are personal data protection policies which a controller or processor established in a Member State adheres to when processing personal data. These rules may contradict neither the General Data Protection Regulation nor the specific national legal systems. Therefore, the same Binding Corporate Rules cannot be applied to all companies belonging to a group of companies, because they cannot comply with each specific national law.
Myths are only a creation of the human imagination, so they are not worth believing, and the same goes for unfounded myths about the Data Protection Reform. It is enough to become familiar with what the new requirements actually are and to treat this reform as a positive challenge, since it is intended to protect individuals' personal data more effectively in practice and to provide for strict liability for breaches of personal data protection requirements.