Lithuania: European Parliament adopts a package of legal acts on protection of personal data.
On 14 April 2016 the European Parliament decided on a reform of personal data protection. The reform includes two legal tools: the General Data Protection Regulation, which enters into force on 24 May 2016, which will apply from 25 May 2018; and the Data Protection Directive for the police and criminal justice sector, which enters into force on 5 May 2016 and has to be transposed into the national law of each Member State by 6 March 2018.
The reform pursues the aim of protecting personal data on a uniform level in the European Union. It will strengthen existing rights and empower individuals with more control over their personal data by addressing such questions as the “right to be forgotten” or “clear and affirmative consent” to process data.
Reform rules on data transmission concern transnational police and criminal justice work. But the new provisions will mostly affect businesses. Data controllers will be prohibited from collecting data not necessarily needed to fulfill their contractual obligations. Transfer of data to non-EU states will undergo tight rules. Data controllers will also be responsible for providing transparent and easily accessible information to data subjects on the processing of their data.
To prevent disadvantage arising for the European economy, not only EU-based companies but also companies having their registered office outside the European Union will have to apply the new rules, when offering services in the EU. Breaking the rules may lead to fines amounting to up to 4% of companies’ total world-wide annual turnover.
To reduce the administrative burden, the new regulation requires each Member State to establish one regulatory authority which will be competent to deal with privacy matters. Where a company has multiple establishments, it will have a single authority as its lead authority, based on the location of the company‘s “main establishment”. Small and medium-sized companies will no longer have to notify the responsible regulatory authority. Every company is well advised to use the transition period of two years to take necessary measures to comply with the new provisions.
Source: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, OJ L 119, 4.5.2016, p. 1–88; Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, OJ L 119, 4.5.2016, p. 89–131.