The new EU Regulation on protection of personal data of natural persons

On 24th May 2016, the Regulation of the European Parliament and of the Council of 27th April 2016 became effective on protection of natural persons in connection with personal data processing and on free flow of such data and repeal of the directive 95/46/EC. However, it will apply directly in all Member States as of 25May 2018 only.

The purpose of the regulation is to guarantee a high and consistent level of protection of the rights of natural persons in connection with processing of their personal data. The long-awaited legal instrument is to be an answer to the development of technology and new social phenomena that pose a threat to the right to protect personal data, in particular by unification the law of Member States in this respect.

The Regulation will find application in all cases of processing of personal data being or intended to be a part of a data set except for processing of personal data:

  • as part of activity not covered by the EU law;
  • by Member States, as part of carrying out activities stipulated under title V chapter 2 of the TEU;
  • by a natural person as part of activities of purely personal or family nature;
  • by relevant authorities for the purposes of combating crime.

The fact deserves attention that the regulation will find application in case of processing of personal data in connection with activity carried out by an organizational unit of an administrator or processing entity in the Union regardless of whether processing takes place in the Union. What is more, the regulation will be applied even in cases where an administrator or a processing entity does not have organizational units in the Union but processing of data of persons staying within the Union is linked with offering goods or services to such persons or monitoring their behaviour if such behaviour is shown in the territory of the Union.

Moreover, the regulation imposes an obligation on administrator of personal data to notify the supervisory body of any violations of personal data protection within 72 hours of finding a violation. If a violation of personal data protection can cause a high risk of the rights or freedoms of natural persons being violated, the administrator without undue delay shall notify the person concerned of such a violation.