Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation) (the “Regulation”) has been published by the EU Official Journal.
The new Regulation will enter into force on 24 May 2016 and shall apply from 25 May 2018. The new Regulation applies to data controllers and data processors that operate outside the European Union where their processing activities relate to goods or services of data subjects within the EU. Therefore, the territorial reach of the Regulation extends beyond the EU.
Currently, companies in the EU must adhere to stricter standards than companies that are established outside the EU. With the new Regulation, companies that are based outside the EU will have to apply the same rules when they offer goods or services on the EU market. For companies, the important question to ask is: whose data am I processing? Is the data subject an EU citizen? If the answer is yes and the entity is processing data in relation to an EU person, then EU data law applies, and it does not matter where the business that processes the information is located.
The purpose of the new Regulation is to ensure that people's right to personal data protection is recognised and remains protected. The current rules have been in place since 1995 and do not reflect the digital and technological changes implemented since then, e.g. the cloud. As well as reinforcing individual rights and strengthening the EU internal market, it aims to set global data protection standards and give people more control over their personal data and access to it. The regulatory framework is moving to a single regulation so that, rather than having to comply with data protection rules across EU member states, one set of rules will apply.
This means that people's data should be protected no matter where it is stored, even if this is outside the EU, as is often the case with internet transactions. One of the new rules introduced is the data subject's right to be forgotten; where there is no longer any need for an organisation to maintain data in relation to a person, it will be deleted. There is also a right to know when there has been a data breach, and specific timelines will be in place for breach notifications. Breach notification obligations shall apply to data processors as well as data controllers. The new Regulation introduces stronger enforcement of data protection; data protection authorities will be able to fine companies that do not comply with the new rules up to 4% of their global annual turnover.
In summary the main changes to Data Protection law under the new Regulation are:-
Practically speaking, businesses that process data in relation to EU data subjects will need to carry out extensive audits to ensure that they are complying with EU Data Protection law. At a minimum they should be able to demonstrate that they have proper policies and procedures in place, that data within an organisation is properly classified and that only the correct persons have access to each class of data.
For more information on these recent changes, contact Gríana O’Kelly, Partner, Corporate and Commercial Group.