Entry into force of the EU's new General Data Protection Regulation
On May 25, 2018, the EU General Data Protection Regulation (RGPD) comes into force. LOAB ABOGADOS has already reviewed and adapted its procedures to comply with the new requirements introduced by the RGPD. You should do the same. Can we help you?
Which companies will be required to comply with the RGPD?
This Regulation applies to all entities within the European Union that process personal data.
It will also apply to controllers and processors not established in the EU, as long as they process data in connection with an offer of goods or services to citizens of the Union.
This Regulation entails a greater commitment to data protection on the part of companies and organizations. The information that must be given to data subjects about the processing of their data, as well as their rights in this matter, is extended.
The concept of privacy by design is incorporated, which means that business procedures must be developed with data protection in mind from the start.
Notification of security breaches
The new regulation requires that security breaches that may affect personal data be notified to the competent supervisory authority (the Spanish Data Protection Agency) within a maximum of 72 hours.
Record of processing activities
The new regulation eliminates the obligation to register files with the supervisory authority.
However, it requires keeping an internal record of all personal data processing carried out by the entity when it has more than 250 employees or when sensitive data are processed on a non-occasional basis.
Active responsibility
Active responsibility refers to the need for prevention on the part of organizations that handle personal data.
Companies and entities must adopt measures that adequately guarantee they are in a position to comply with the rules, rights and guarantees that the Regulation establishes.
The RGPD takes the view that acting only once an infringement has already occurred is not an adequate strategy, because the infringement may cause harm to data subjects that is very difficult to compensate or repair.
For this reason, all organizations that process data must perform a risk analysis of their processing operations in order to establish which measures to apply and how to apply them.
These analyses can be simple procedures in entities that carry out only a few elementary processing operations not involving, for example, specially protected data, or more complex exercises in entities that carry out many processing operations, that affect a large number of people, or whose characteristics require a careful assessment of their risks.
Data Protection Officer (DPO)
This is a new role with its own responsibilities within the entity.
The DPO will be responsible for planning the security measures applicable to data processing, as well as managing them.
It should be noted that the DPO will serve as the link between the company and the supervisory authority.
Appointing a DPO will only be mandatory in certain cases, which will be regulated in the new LOPD once it is finally approved.
Right to be forgotten
This is the right of citizens to request, and obtain from controllers, the deletion of their personal data when the data are no longer necessary for the purpose for which they were collected, when consent has been withdrawn, or when the data were obtained unlawfully.
Right to portability
This means that a data subject who has provided his or her data to a controller that processes them in digital form may request to recover that information in a format that allows it to be transferred to another controller.
Changes in obtaining consent
The Regulation requires that consent, in general, be freely given, informed, specific and unequivocal.
Companies should review the way they obtain and retain consent.
There are currently practices that fall under so-called tacit consent and are accepted under the current regulations, but they will cease to be acceptable once the Regulation applies.
For consent to be considered «unequivocal», the Regulation requires a statement by the data subject or a clear affirmative action indicating the data subject's agreement.
Acceptance cannot be inferred from the silence or inaction of citizens.
In certain cases, such as authorizing the processing of sensitive data, consent is required to be «explicit».
Consent must therefore be verifiable, and those who collect personal data must be able to prove that the data subject granted it.
If you have any particular question and/or want legal advice in this area, do not hesitate to contact LOAB ABOGADOS. We also attach a guide published by the Spanish, Catalan and Basque Data Protection Agencies that may be of interest to you.