
Doing Business But Keeping Personal Data Safe


Personal data privacy is increasingly treated as a human right deserving protection, and the new EU General Data Protection Regulation becomes enforceable in Romania on May 25, 2018. It is therefore becoming more and more important for companies not only to observe the general data protection rules in their commercial transactions, but also to ensure full legal and technical compliance internally, for every employee who has access to personal data processed within the company.

Heads of Legal Departments must therefore dedicate extensive time to legal reviews and assessments, both to establish the data protection rules and policies to be observed by each department of the company in its daily activity and to ensure that those departments are aware of them.

To achieve compliance with data protection legislation, a Legal Director must know all the risks associated with the specific activities of the company, including those related to the transfer of personal data outside the EU. Holders of top legal positions also need to be involved in the company's business strategy so that they can understand the potential risks and issue compliance guidelines. The Legal Director's role increasingly requires working knowledge of general IT and software operations, of the technical security measures to be applied to the company's servers and computers storing personal data, and of drafting and enforcing policies governing employee access to personal data.

The Legal Director, always working jointly with the IT Department, must create sound data protection policies and ensure permanent legal supervision of the data protection rules as they apply to the activities of the company. The subjects of these policies are not only the clients, suppliers, and other collaborators of the company but also the company's own employees. One of the most sensitive areas of personal data processing is marketing: special attention must be paid to obtaining the consent of the individuals targeted by marketing activities, and their personal data must be protected against unauthorized or accidental access, alteration, transfer, disclosure, or loss.

Under the latest data protection regulation adopted at EU level, which is directly applicable in Romania, starting in May 2018 companies which process personal data will need to appoint a Data Protection Officer in certain cases, for example where their processing operations, by their nature, scope, and/or purpose, require regular and systematic monitoring of data subjects on a large scale. Because of these corporate obligations, a close and permanent collaboration between the Head of Legal and the Data Protection Officer is envisaged, both to ensure observance of the data privacy rules and internal regulations and to resolve the privacy issues that arise.

Penalties for infringement of data protection obligations have been significantly increased. Sanctions can reach EUR 10 million or 2% of the total annual worldwide turnover of the controller or processor, whichever is higher. For infringements of the basic processing principles (such as proportionality, legitimacy, and consent), of the rights of the data subject (such as the right of access and the right to be forgotten), or of the rules on international data transfers, and for non-compliance with an order of the Data Protection Agency, the fine rises to EUR 20 million or 4% of total annual worldwide turnover, whichever is higher.

In addition to the penalties the Data Protection Agency may impose for a breach of data privacy, companies that do not implement sound data protection policies can also face civil claims for significant compensation from individuals whose privacy rights were not respected in the course of the companies' commercial activities.

In light of all of the above, a major task of the Legal Department is to ensure the ongoing observance of data privacy regulations in every area of a company's activity.

This Article was originally published in Issue 4.4 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.
