1. Data Breach Notification
-
The EBF believes that the proposed requirement on data breach notification within 24 hours is unrealistic.
-
In addition, it is important not to flood regulators with too much information which only leads to additional, unnecessary and costly burden for both the Data Protection Authorities (DPAs) and data controllers.
-
Furthermore, it is important not to alarm the data subjects unnecessarily.
-
Currently, the draft regulation requires a notification to the data protection authority (DPA) of all breaches of security (Article 31). With regard to the data subject (Article 32), the requirement is restricted to breaches “likely to adversely affect” the protection of the data. The EBF believes that this limitation should also apply to the notification to the DPA.
-
Exemptions should be granted where appropriate measures to protect the data were applied.
-
EBF members propose that notification to a DPA should be on the same basis as for notification to an individual.
2. Consent
Reliance on explicit consent and significantly restricting consent where there is an imbalance in the form of dependence between the parties creates significant complications for companies.
3. Controller and processor
-
The proposed definitions of controller and processor lead to a difficult distinction of both concepts. EBF members feel that the suggested provisions add a layer of bureaucracy that goes beyond what is necessary and will not lead to improved protection for individuals.
-
Current banking supervision requirements combined with the proposed requirements may overlap. Duplication of burdens should be avoided.
4. Enforcement and Penalties
Requiring penalties of up to two per cent of global turnover of a business is disproportionate, particularly where the main business of the corporate is not related to personal data or data processing.
5. Delegated and implementing acts
-
The present draft regulation establishes a framework of principles. In addition to these principles, no fewer than 26 of the 91 Articles of the draft regulation give the European Commission the power to effectively adopt delegated acts.
-
The EBF has serious concerns regarding this extensive power for the European Commission because of the limited involvement of stakeholders in this process.
-
The EBF also sees this technique as problematic since it leaves too much uncertainty with regard to the actual implementation of the Regulation.
-
This is most worrying as the proposed delegated acts apply to essential aspects of the draft Regulation such as the lawfulness of processing (Article 6.5), the right to be forgotten (Article 17.9), measures based on profiling (Article 20.5), data protection impact assessment (Article 33.6) etc.
6. Terminology
-
Much of the terminology used in the draft regulation is either vague or misses the opportunity to clarify long-standing terminology debates. For instance, the EBF strongly recommends avoiding from the regulation wording which cannot be sharply defined such as: “verifiable consent” (Article 8.1), or “disproportionate effort" (Articles 12, 13 and 14).
-
The EBF would expect more clarity for some key elements of the proposed regulation.
Full position
© EBF
Key
Hover over the blue highlighted
text to view the acronym meaning
Hover
over these icons for more information
Comments:
No Comments for this Article