HR Sincron Company towards further alignment to comply with the new GDPR regulations

21 January 2018

The new Regulation (EU) 2016/679 concerns the protection of individuals with regard to the processing of their personal data and the free movement of such data.

The main purpose of the Regulation is to adapt and update the principles and objectives previously set in line with technological developments. To that end, the regulation establishes a single set of rules, directly applicable in all Member States of the Union, in order to more effectively protect the privacy of natural persons within the European Union.

The Regulation was adopted by the European Parliament on 27th April 2016 and its provisions will apply from 25 May 2018; the Regulation replaces Directive 95/46/EC and, implicitly, the provisions of Law no. 677/2001.

Among the elements of novelty, we should mention:

Field of application:

  • It is directly applicable in all EU Member States
  • It protects the rights of all persons within the EU, regardless of the geographic location of the data operator
  • It also expands the scope for data providers established outside the EU, to the extent that their goods and/or services are (also) addressed to persons within the EU; these data operators will have to comply with the rules and principles established by the Regulation.

New rights are guaranteed:

  • The right to be forgotten – one may ask for the deletion of data if it is illegally processed, without consent, or if the data is no longer necessary for the purpose for which it was initially processed;
  • The right to data portability – there is more freedom of choice. One may opt to send data to another ;
  • Specific provisions regarding minors – clear and simple rules that the young person/child can understand are needed and the consent of the parent/guardian, as the case may be, must be obtained;
  • Proximity to the data subject – the supervisory authority in the Member State where the data subject is located acts as a contact point when the reported operator is established in another State;
  • Enhanced co-operation between the supervisory authorities – in the case of transnational data processing (those involving people from several EU Member States), the Regulation provides the supervisory authority in your Member State with the power to ensure, together with the authorities of the other States involved, that your data is processed according to its rules and principles.

For data controllers:

One stop shop – for data controllers operating in several EU Member States, the competent supervisory authority is the one in the Member State in which that operator has established its headquarters.

Data controllers’ accountability – emphasis is placed on transparency towards the data subject and on the data controller’s responsibility for the way the data is processed.

Impact assessment – in the case of data processing involving a high risk for people’s privacy, the operator must conduct an impact assessment on privacy. The outcome of such an assessment will allow it to identify specific risks and adopt measures to prevent such situations from occurring.

Data transfer outside the EU – for data transfers outside the Union, the Regulation introduces new instruments, in addition to those already established: BCR, standard contract clauses and European Commission Decisions on an adequate level of protection.

Privacy by design & Privacy by default – two new essential principles for data controllers:

Privacy by design – are you an application developer (who will also process personal data)? You must ensure, from the development stage, that your application will comply with the rules and principles set out in the Regulation.

Privacy by default – do you provide an application that processes personal data? You must ensure that the initial settings will allow users to maintain control of their private life / what they post or share with other users.

DPO – Data Protection Officer

The appointment of a DPO at the level of the data controller is one of the measures by which data operators are to be made accountable. The DPO provides the controller with the necessary advice to comply with all its obligations and to ensure the necessary transparency towards the data subjects.

Severe penalties – up to € 10-20 million or between 2% and 4% of the international turnover.

GDPR from the HR Sincron perspective

As a B2B software and services provider, HR Sincron operates in most cases as the entity empowered by its clients, in their capacity as personal data controllers.

In this respect, HR Sincron takes the new regulations seriously and is in the process of achieving full compliance with the provisions of the Regulation, so that on 25.05.2018 both the Sincron HR Software platform and all related processes and activities comply with the requirements of the new legislation. We will continue to provide our clients with a software solution and complementary services that maintain quality standards and comply with the new legal requirements.