The General Data Protection Regulation (GDPR) will come into force on 25 May 2018, when it will have direct effect in the EU/EEA. GDPR will be incorporated into Swedish law and enter into force at the same time. For that reason, the Swedish Club sets out below a brief explanation of the Regulation.
GDPR aims to protect natural persons in relation to the processing of personal data. The Regulation applies to those within the EU/EEA that may hold such data, but also to those outside the EU/EEA that offer goods or services to natural persons within that area, or that send personal data to organisations or other recipients within the EU/EEA.
The Swedish Club summarises below the importance of the Regulation and the measures that must be taken:
- A Data Protection Policy will be established and implemented;
- Internal written procedures and processes will be updated to include, for example, a regular review to ensure that unnecessary personal data is deleted;
- Standard privacy notices to data subjects giving details of rights under the GDPR will be issued when required;
- The security and integrity of IT and communication systems will be verified, in relation to both personal data and sensitive personal data.
As noted above, GDPR applies to operators within the EU/EEA and to those outside the EU/EEA described above. These operators are advised to undertake a review with a focus on the following areas:
- Updating or adopting, and implementing, a Data Protection Policy;
- Organisations handling personal data on a large scale ought to consider the appointment of a Data Protection Officer (DPO);
- Establish routines to ensure that data subjects receive appropriate information about processing of personal data and their rights;
- Unless there is another legal basis upon which to continue to store it, personal data which is no longer necessary should be deleted;
- Security should be enhanced for communications with third parties (including other P&I clubs) relevant to sensitive personal data as defined (e.g. health and medical data);
- Additional checks should be established to ensure that personal data is transferred to third countries only when permitted (e.g. when there is a legal basis or a separate agreement exists).