In May 2016, the General Data Protection Regulation was published in the Official Journal of the European Union. Everybody who has an establishment within the EU and processes personal data in the context of the activities of that establishment will have to get ready for the new Regulation. The form or legal personality does not matter in that regard, nor does it matter whether the personal data are actually processed within the EU. The Regulation also applies to controllers and processors of personal data who are not established within the EU but offer their products or services to data subjects in the EU or monitor their behaviour. Such controllers and processors should designate a representative for the EU.
The Regulation brings a new set of rights and duties for data processors and controllers as well as for data subjects, across a wide range of areas of personal data protection. For example, data subjects may from now on withdraw their consent to data processing at any time, and withdrawing consent must be as simple as giving it in the first place. Moreover, data controllers shall from now on provide data subjects with a wide range of information and notifications, such as information regarding the possible consequences of failure to provide personal data or the existence of automated decision-making, including profiling. Also, an enterprise or organization employing more than 250 persons shall have more administrative obligations concerning data processing.
The Regulation shall apply from 25 May 2018.