The European Parliament, Council and Commission have just reached an agreement in principle on the content of the General Data Protection Regulation.
The regulation, which has direct effect, will repeal the former regulation, which was a product of Directive 95/46/CE.
The new rules, which will apply on 1 January 2018, will allow all data subjects to better control their personal data.
All data controllers must therefore provide every data subject, in advance of any data collection, with the technical information and practices (for example, the contact information of the entity responsible for the processing, the modalities for exercising the right to erasure, and the length of data retention). This applies when such information is collected from the subject, and even when the personal data is not collected directly from the person concerned.
Moreover, the data controller and any sub-contractor must systematically appoint a data protection delegate when the processing is done by a public entity, or when the controller’s or sub-contractor’s core business activity is data collection which, by its very nature, scope and/or purpose, requires regular and systematic follow-up by the persons concerned.
The regulation also enshrines the right to be forgotten and to erasure of personal data, thus reinforcing the national supervisory authorities’ power to impose penalties. The authorities will be able to impose administrative fines of up to 4% of total worldwide annual turnover on noncompliant data controllers.