
Why do you have to know about the new GDPR rules of the European Union?

Jun 6th, 2018

By Frank M. Schlesinger

On May 25, 2018 the new General Data Protection Regulation (“GDPR”) of the European Union became applicable.  The GDPR replaces the 1995 Data Protection Directive (the regime under which the “Safe Harbor” and later “Privacy Shield” arrangements for transfers to the United States were negotiated), and it constitutes a revolution in that the individual (the “Data Subject”) is now placed in control of his or her Personal Information.

Personal Information (“personal data” in the text of the GDPR) is any information relating to an identified or identifiable natural person, such as a name, photo, email address, account numbers, telephone numbers, social security numbers, IP addresses, etc.  The rules concern anyone who collects, records, stores, consults, uses, discloses or destroys Personal Information, whether as the party deciding why and how it is processed (the “controller”) or as a service provider processing it on that party’s behalf (the “processor”).

Although this is a European Regulation, it applies directly in every Member State and, beyond that, to any enterprise anywhere in the world that offers goods or services to individuals in the European Union or monitors their behaviour.  Any such individual whose Personal Information is involved will have recourse, and if the person collecting or using that information misuses it or fails to protect it properly, the penalties are very severe.  Administrative fines can run up to 20,000,000€ or 4% of the worldwide annual turnover of the infringing entity, whichever is higher.

Therefore, even if you are a business that only sells online and receives credit card or shipping information from a European Union resident, or if you receive Personal Information for mailing lists or any other purpose, you may be at risk if you fall afoul of the rules.

Persons dealing with or processing Personal Information of European Union residents must:

  1. name a Data Protection Officer to deal with the supervisory authorities in Europe, or, within a group of enterprises, designate a single Data Protection Officer for the group (required only for public bodies and for enterprises whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, such as health or biometric data);
  2. have a Privacy Policy which states clearly and in plain language what information is collected, for what purposes and on what legal basis, how long it is kept, with whom it is shared, and how the Data Subject can exercise his or her rights;
  3. where consent is relied upon as the basis for processing, obtain the freely given, specific, informed and unambiguous consent of the natural person to use his or her Personal Information for the purposes set forth in the Privacy Policy. Consent must be given by a clear affirmative act; silence, pre-ticked boxes or inactivity do not suffice. Furthermore, the Data Subject has the right to withdraw consent at any time and to be “forgotten” by requiring the erasure of his or her Personal Information. It is doubtful that the long, tedious legalese forms of consent currently used by many websites in particular will be valid;
  4. take proactive technical and organisational measures, taking into account the state of the art, to protect the Personal Information, and be able to demonstrate that they have done so, since the burden of proof is on the enterprise, not the individual.

Any requests or demands from the Data Subject made under the rules (access, rectification, erasure, portability, objection) must be responded to within very strict and short time limits: in principle within one month of receipt, extendable by a further two months only for complex or numerous requests and only if the Data Subject is told of the extension within the first month.

Furthermore, in addition to the huge administrative fines, which Member States may supplement with their own penalties, including criminal prosecution, the Data Subject whose rights have been infringed will have a right to sue the controller or processor for compensation for material or non-material damage.

It is no wonder that you have probably been deluged lately with emails from many companies indicating that their Privacy Policies have recently changed.

Please do not hesitate to communicate with the undersigned for any further information or help in this regard.