On 25 May 2018, the EU General Data Protection Regulation (GDPR) enters into force. LOAB ABOGADOS has already worked on reviewing and adapting its procedures to meet the new requirements introduced by the GDPR. You should too. Shall we help you?
Which companies will be required to comply with the GDPR?
This Regulation applies to all entities dealing with personal data located within the European Union.
It will also apply to controllers not established in the EU, provided that they process data as a result of offering goods or services to Union citizens.
This Regulation implies a greater commitment of companies and organizations to Data Protection. The information to be given to data subjects in relation to the processing of their data, as well as their rights in this field, is expanded.
The concept of privacy by design is incorporated, which means that business procedures must be drawn up with data protection in mind from the outset.
Notification of security breaches
The new regulations require that security breaches that may affect personal data be notified within a maximum of 72 hours to the corresponding supervisory authority (the Spanish Data Protection Agency).
Record of processing activities
The new regulations eliminate the obligation to register files with the corresponding supervisory authority.
However, they require that an internal record be kept of all processing of personal data carried out by the entity, where the entity has more than 250 employees or where sensitive data are processed other than occasionally.
The principle of active responsibility refers to the need for prevention by organizations that handle personal data.
Companies and entities must take measures that sufficiently ensure they are in a position to comply with the rules, rights and guarantees established by the Regulation.
The GDPR considers that acting only once an infringement has already taken place is not a sufficient strategy, because such an infringement can cause harm to data subjects that may be very difficult to compensate or repair.
To this end, all organizations that process data must carry out a risk analysis of their processing operations in order to establish which measures to implement and how to do so.
These analyses can be simple procedures in entities that carry out only a few elementary processing operations that do not involve, for example, specially protected data, or more complex work in entities that carry out many processing operations, affect large numbers of people, or whose characteristics require a careful assessment of their risks.
Data Protection Officer
This is a new role of responsibility within the entity.
The DPO will be responsible for planning the security measures applicable to data processing, as well as for managing them.
It should be noted that the DPO will serve as a liaison between the company and the supervisory authority.
The role will only be mandatory in certain cases, which will be regulated in the new LOPD once it is finally approved.
Right to be forgotten
This is the right of citizens to request, and obtain from controllers, that their personal data be deleted when the data are no longer necessary for the purpose for which they were collected, when consent has been revoked, or when the data were obtained unlawfully.
Right to portability
It means that a data subject who has provided his or her data to a controller that processes it in digital form may request to receive that data in a format that allows it to be transferred to another controller.
Changes in obtaining consent
The Regulation calls for consent, in general, to be free, informed, specific and unequivocal.
Companies should review how they obtain and keep consent.
There are currently practices that fall under so-called tacit consent and are accepted under the current legislation, but they will no longer be acceptable once the Regulation applies.
For consent to be considered “unequivocal”, the Regulation requires a statement by the data subject or a clear affirmative action indicating the data subject's agreement.
Acceptance cannot be inferred from the silence or inaction of citizens.
In certain cases, such as authorizing the processing of sensitive data, consent is required to be “explicit”.
Consent must therefore be verifiable, and those who collect personal data must be able to prove that the data subject granted it.
If you have any particular questions and/or would like legal advice in this area, please feel free to contact LOAB ABOGADOS. Likewise, we attach a guide published by the Spanish, Catalan and Basque Data Protection Agencies that may be of interest to you.