Rights for citizens, duties for firms under new EU data rules

623

PARIS, May 14, 2018 (BSS/AFP) – The EU’s new data protection rules are set
to bolster European citizens’ rights while imposing new responsibilities on
companies.

Here is an explainer on the rights and obligations entailed under the
General Data Protection Regulation (GDPR), which is set take effect later
this month:

– Power to the people –

These are the main rights guaranteed to European internet users under the
GRPD — please note that some are already covered by national legislation in
several countries.

The right to be informed. Internet users who hand over personal data have
the right to know how it will be used, how long it will be kept and whether
it might be used outside the European Union.

The right to access, correct and erase data. Users will be able to
transfer their data to another service provider, or receive it themselves in
a usable format.

The right to be forgotten. Users can ask that they no longer appear in
searches, although this right is also balanced against the public’s right to
know.

The right to challenge algorithms. If algorithms play an important role in
decisions, such as admission to universities, those affected should have the
right to challenge the decision and request human intervention.

The right to contest violations of rights. Each country’s information
rights agency will accept complaints. If the complaint concerns a company in
another EU state, it will be transferred to the regulator in that country.
Final decisions taken by all the national agencies together are binding
across the EU.

– New rules for companies –

For companies, the regulations is not one-size-fits-all. Their obligations
depend on what kind of data they collect, what they do with it and their
size. It doesn’t matter if they are European firms or not — if they collect
data from Europeans then the GDPR applies to them.

For most small and medium-sized businesses the new regulations simply
protect the information they have on their clients and suppliers using the
“rules of common sense”, in the words of France’s data protection agency
CNIL.

The GDPR’s main objectives is to reduce the amount of data being collected
and processed from the start.

This means that firms should evaluate what data they really need, and then
how to protect it. The information should then be updated regularly.

Clients and subcontractors should also be informed what data is being
collected and what for, as well as how they can exercise their rights.

Companies also need to set out policies on who has access to data and how,
designate who is responsible for data protection, and put into place all
necessary measures to safeguard the data, particularly sensitive information.

Firms also have the right to appeal to their national data regulator.