On 4 May 2016, the official texts of the Regulation and the Directive have been published in the EU Official Journal in all the official languages. While the Regulation will enter into force on 24 May 2016, it shall apply from 25 May 2018. The Directive enters into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018.
The objective of this new set of rules is to give citizens back control over of their personal data, and to simplify the regulatory environment for business. The data protection reform is a key enabler of the Digital Single Market which the Commission has prioritised. The reform will allow European citizens and businesses to fully benefit from the digital economy.
Whenever you open a bank account, join a social networking website or book a flight online, you hand over vital personal information such as your name, address, and credit card number.
What happens to this data? Could it fall into the wrong hands? What rights do you have regarding your personal information?
Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose. Furthermore, persons or organisations which collect and manage your personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by EU law.
Every day within the EU, businesses, public authorities and individuals transfer vast amounts of personal data across borders. Conflicting data protection rules in different countries would disrupt international exchanges. Individuals might also be unwilling to transfer personal data abroad if they were uncertain about the level of protection in other countries.
Therefore, common EU rules have been established to ensure that your personal data enjoys a high standard of protection everywhere in the EU. You have the right to complain and obtain redress if your data is misused anywhere within the EU.
The EU’s Data Protection Directive also foresees specific rules for the transfer of personal data outside the EU to ensure the best possible protection of your data when it is exported abroad.
Individuals regularly disclose personal information such as their names, photographs, telephone numbers, birth date and address while engaged in a whole range of everyday activities. This personal data may be collected and processed for a wide variety of legitimate purposes such as business transactions, joining clubs, applying for a job, and so on.
Nonetheless, the privacy rights of individuals supplying their personal data must be respected by anyone collecting and processing that data. The Data Protection Directive lays down a series of rights and duties in relation to personal data when it is collected and processed.
What can you ask of data controllers?
Under EU rules, you have the following rights vis à vis data controllers:
- Data controllers are required to inform you when they collect personal data about you;
- You have the right to know the name of the controller, what the processing is going to be used for, to whom your data may be transferred;
- You have the right to receive this information whether the data was obtained directly or indirectly, unless this information proves impossible or too difficult to obtain, or is legally protected;
- You are entitled to ask the data controller if he or she is processing personal data about you;
- You have the right to receive a copy of this data in intelligible form;
- You have the right to ask for the deletion, blocking or erasing of the data.