The Regulation implements the data protection reform, which aims for better protection of personal data and privacy. The Regulation establishes new rights for natural persons:
  • a right to data portability. Persons will have a right to receive personal data concerning them in a structured, commonly used, machine-readable format and to transmit it to another controller; 
  • a right to be forgotten. A person will have a right to have his or her personal data erased where he or she has withdrawn his or her consent or objects to the processing of personal data;
  • a right to be informed of a personal data breach. A company shall be obliged to notify the person concerned of the personal data breach.

Note that the Regulation is directly applicable; to meet the requirements set in the Regulation, companies shall take the following measures:
  • review the Internal Order and procedures related to personal data, update them and ensure that they correspond to the new requirements;
  • make persons aware of where, for what purposes and how their personal data will be used, as the Regulation requires. Personal data may not be used for different purposes unless the person provides a separate consent. Companies will have to ensure that the person is aware of the purpose for which the consent is being provided, and that the amount of personal data collected does not exceed what is necessary for provision of the service. A declaration of consent pre-formulated by the controller should be clear and provided in an intelligible and easily accessible form;
  • introduce measures by which the data may be provided to the person and which allow the person’s right to be forgotten to be implemented;
  • where the Regulation so requires, establish the position of data protection officer. This officer is responsible for implementation of the Regulation's requirements, accountability, monitoring the processing of data, etc. The officer may be employed in this position or may provide services under a service agreement. A group of companies may employ one data protection officer;
  • inform and instruct personnel so that everyone is aware of the extent of their duties and authorizations related to personal data protection.

Note that the territorial scope of the Regulation has been extended. The Regulation will apply not only to companies established in the European Union (hereinafter the EU), but also to companies not established in the EU that process the data of persons who are in the EU, where their activities are related to offering goods and services to such persons or to monitoring their behavior as far as that behavior takes place within the EU.

The Regulation will apply to all processors and controllers who process names, surnames, e-mail addresses, credit card information, delivery addresses for goods or billing addresses, regardless of whether the processor or controller is a natural or legal person (e.g. e-shops, owners of loyalty cards, etc.).

The Regulation can be found at:
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC