Tine A. Larsen, President of the National Data Protection Commission (CNPD) details the impact of the General Data Protection Regulation on businesses. Interview

 

How does the new legal framework change the deal... in terms of data protection?

 

The General Data Protection Regulation (GDPR) will enter into force on 25 May 2018, replacing the 1995 Directive and the Luxembourg Law of 2002. This single European data protection system will give citizens more control over their personal data, making businesses more accountable and reducing their declaration requirements. In parallel, however, the role of protection authorities such as the CNPD will increase. The GDPR's philosophy is “accountability", i.e. making the people who process data more responsible. The CNPD's role will therefore move from pre-verification to post-verification, and the commission will be able to concentrate more on its awareness and advice roles.

 

"The heavy penalties incurred by companies that seriously breach the new regulations symbolise the importance of data protection in the 21st century.”

What advice should be given to professionals to prepare for the change in legal framework?

 

From 25 May, at any time, a business may have to demonstrate the efficiency of the technical and organisational measures put in place within the company to comply with the obligations introduced in the Regulation.

 

The CNPD suggests that companies follow seven steps. One, find out about the coming changes. Two, make an inventory of all the personal data processing it performs. Three, check whether or not it is required to name a data protection representative. Four, based on the processing records, identify actions to be taken to comply with the future obligations. Five, for data processing likely to involve a high risk to citizens, carry out a data protection impact assessment (DPIA). Six, put in place internal procedures that guarantee data protection at all times. Seven, document the processing of personal data. If a company does not comply with the new regulations, the CNPD may order it to delete or destroy the data in its possession, or even ban it temporarily or definitively from processing data! In the most serious cases, the authorities may inflict fines of up to 20 million euros or 4% of the company’s annual global turnover. Of course, the CNPD will use its powers in a proportionate, judicious way...

 

What about marketing mailouts?

 

The current system will still apply until a specific new regulation is adopted. More precisely, using an email address linked to an individual for marketing purposes will only be possible if the individual concerned has given prior consent, unless the company holds these electronic data as a result of selling a product or service. Failure to comply with these provisions may still lead to criminal penalties. Moreover, the Luxembourg Consumer Code also prohibits marketing mailouts or unsolicited telephone calls, considering them to be “aggressive commercial practices”. However, when a product or service is purchased, the subscriber can always object to any future marketing contact. Companies must remind them of this option in every message. However, these measures do not affect electronic communications between professionals, or B2B. The law protects named addresses such as name.firstname@company.lu but not addresses such as info@company.lu or contact@company.lu, for example.