The new European General Data Protection Regulation (GDPR), on the protection of natural persons with regard to the processing of personal data and the free movement of such data, applies from 25th May 2018. From that date it is mandatory, and it imposes numerous privacy duties on companies.
Approval of the new Spanish Organic Data Protection Act is still pending: it is in parliamentary proceedings and will probably not be ready by 25th May, the date on which the European Regulation becomes applicable. This makes no practical difference either way, because the European Regulation will be fully enforceable in all cases.
Attention. The GDPR is a type of regulation that is directly applicable in all EU countries and therefore needs no transposition mechanism. In other words, no Spanish law is required for the European Regulation to be mandatory; it applies as if it were a national law.
It is important to draw up a roadmap for complying with the new Regulation, as there are numerous relevant legal decisions to be taken into account.
The first step all companies must take is to identify and analyse the areas of risk and document the personal data processing carried out, through an inventory of all the processing activities the company performs. Thus, it will be much simpler to classify the data according to their nature, purpose, category, origin, whether they are liable to be shared, etc.
There are many obligations that companies, self-employed workers and public and private bodies that process personal data must be aware of, and time is short, so the necessary decisions must be taken without delay to meet the compliance deadline. The risk of not doing so is penalties: fines may reach up to 20 million euros or 4% of the offender's total annual worldwide turnover, whichever is higher. The supervisory authority may act of its own motion or on complaints filed by the parties concerned.
With regard to the changes and obligations that affect the companies, we may emphasise the following among others:
- Data Protection Officer (DPO). The Regulation obliges those who carry out certain types of processing to appoint a DPO, who may be internal or external. The DPO must be a person with expertise in data protection law and in information security methods and techniques.
- Requisite of an impact assessment being carried out regarding data protection for certain processing.
- Personal data security breaches. These must be notified to the Spanish Data Protection Agency (AEPD) within 72 hours of the company becoming aware of them and, in severe cases, to the affected individuals themselves.
- Tacit consent (consent by silence) is eliminated. Companies will need to obtain fresh consent in order to keep data they obtained tacitly in the past, or find another legal basis for holding it.
- The information that must be given to affected parties is extended, so existing notices must be updated with the new content.
- The minimum content of contracts governing third-party access to data is extended, so contracts with processors must be drawn up again where the existing ones do not comply with the GDPR.
- Unlike the current Spanish regulations, the GDPR makes no distinction between personal data and professional contact data (contact details of natural persons who provide services to a legal person, and of individual entrepreneurs), so companies will have to carry out information actions for that category of data as well.
Companies are required to obtain specific, unequivocal, verifiable and non-tacit consent for the information they collect from their clients.
Attention: once the new GDPR applies, one may no longer obtain consent from the parties concerned by omission. All prior processing must be reviewed and adapted to the provisions of the new Regulation.
Consent may still be unequivocal yet implied where it can be inferred from a clear action by the subject (for example, when the subject continues to browse a web site and thereby accepts the use of cookies that track their browsing).
Companies must explain, in plain and understandable language, which data they require from the user or client, and may only process data for which there is a legitimate basis.
The duty to inform those affected of the use and purposes of the processing is substantially amended by the new GDPR, which considerably extends the information that must be provided, including aspects not previously required, such as:
- Legal basis for processing
- Intention to perform international transfers
- Particulars of the Data Protection Officer (if any)
- The retention period, or the criteria used to determine it
- The existence of automated decisions or profile preparation
- The right to lodge a complaint with the supervisory authority
Attention. Procedures, templates and forms designed under the LOPD must be reviewed and adapted to the new GDPR, both to reflect the new content of the duty to inform and to meet the precision and clarity requirements of the new Regulation.
Companies are required to report security breaches to the supervisory authorities and, depending on the severity, to inform those affected. Beyond this notification duty, the Regulation requires a written, documented security strategy.
The new Regulation does not prescribe security measures in detail; instead, each organisation must apply a level of security appropriate to the risks identified in the prior analysis.
Moreover, the type of data is no longer the sole variable to consider when determining the applicable technical and organisational measures. The new GDPR also takes the following into account:
- The state of the art
- The costs of application
- The nature, scope, context and purposes of processing
- The risks to the rights and freedoms of individuals
Attention. The scheme of security measures set out in the Regulations implementing the LOPD will no longer be automatically valid. The applicable measures must be determined case by case, from a risk-based perspective, on the principle of data protection by design and by default.
The role of data processors also changes considerably under the new Regulation. The changes may be summed up in three points:
1) The new GDPR imposes obligations aimed specifically at data processors, such as:
- Keeping a record of processing activities
- Determining the security measures applicable to the processing performed
- Appointing a Data Protection Officer in the cases foreseen in the GDPR
2) Greater emphasis is placed on the duty of diligence when choosing a processor: controllers may only engage processors who offer sufficient guarantees that they will apply appropriate technical and organisational measures.
3) The minimum content of the contract with the processor is amended and must now include aspects such as:
- Object, term, nature and purpose of the processing
- Type of personal data and categories of parties concerned
- Obligation of the processor to only process personal data following documented instructions from the controller
- Conditions for which the controller may provide prior, specific or general authorisation, for subcontracting
- Assistance for the controller, whenever possible, in attending to exercise of rights by the subjects…
Attention. All the data processing contracts previously signed must be reviewed to check whether they comply with the new requirements of the GDPR.
The new GDPR introduces new rights, such as the right to data portability, the right to be forgotten, the right not to be subject to automated individual decisions and the right to restriction of processing.
- RIGHT OF ACCESS: The right to know which personal data concerning the subject is being processed by the controller, the purpose of the processing, the origin of the data and whether it has been, or will be, communicated to third parties.
Attention: under the LOPD, the controller must provide all the basic data held on the subject, but not copies or documents. The new GDPR, however, expressly recognises the right of affected individuals to obtain a free copy of the personal data undergoing processing.
Where possible, the controller should be able to provide remote access to a secure system that gives the affected individual direct access to their personal data.
- RIGHT TO RECTIFICATION: The possibility of correcting data that is inaccurate or incomplete.
Attention: in addition to correcting inaccurate data, this includes the right to have incomplete personal data completed, including by means of a supplementary statement.
- RIGHT TO CANCELLATION (ERASURE): Allows personal data to be erased when it is inadequate or excessive.
Attention: The subjects are entitled to have their personal data deleted and no longer processed:
- If no longer necessary for the purposes for which they were collected or otherwise processed
- If the subjects have withdrawn their consent for processing or oppose processing of their personal data
- If processing their personal data breaches the GDPR in any other way
- RIGHT TO OBJECT: By exercising this right, the subject may object to the processing of their personal data in the following cases:
- Where the processing does not require consent, on grounds relating to their particular situation (unless a law provides otherwise)
- Where the personal data is processed for advertising and commercial prospecting purposes
- Where the purpose of the processing is to take a decision concerning them based solely on automated processing of their personal data
- RIGHT TO BE FORGOTTEN: An extension of the rights to erasure and to object to the online environment. A controller who has made personal data public must take reasonable steps to inform other controllers processing that data that the subject has requested the erasure of any links to it, and of any copies or replications of it.
Attention: the right to be forgotten has limits, such as freedom of expression and the right to information, public interest in the field of public health, research purposes, and the establishment, exercise or defence of legal claims.
- RIGHT TO DATA PORTABILITY: An advanced form of the right of access, under which the copy provided to the subject must be in a structured, commonly used and machine-readable format. Where technically feasible, the subject may also have their personal data transmitted directly from one controller to another, without it first having to pass through the subject.
- RIGHT NOT TO BE SUBJECT TO AUTOMATED INDIVIDUAL DECISIONS: The subject is entitled not to be subject to a decision, including a measure, that evaluates their personal aspects, is based solely on automated processing, and produces legal effects concerning them or similarly significantly affects them.
- RIGHT TO RESTRICTION OF PROCESSING: The right to ask the controller to suspend the processing of data where:
- The accuracy of the data is contested, for the period the controller needs to verify it
- The subject has exercised their right to object, pending verification of whether the controller's legitimate grounds override those of the subject
- The processing is unlawful and the subject opposes erasure of the personal data and requests restriction of its use instead
- The controller no longer needs the personal data for the purposes of the processing, but the subject needs it for the establishment, exercise or defence of legal claims
The regulations establish the obligation of documentary registration of processing operations, both by the Data Controllers as well as the Data Processors.
PROCESSING PERSONAL DATA ON WEB PAGES
Any web page or online shop that collects personal data through forms (contact, subscription or request for estimates) must request consent from the users to be able to process their data.
SENDING SALES MESSAGES
Advertising or commercial messages may be sent by electronic mail to users who have previously and expressly requested or authorised them. Commercial messages may also be sent to users with whom there is a prior contractual relationship, in which case the provider may advertise products or services similar to those the client has already contracted.
ATTENTION REGARDING THE NEW PENALISATION REGIME
In some cases, the application of the new GDPR may bring a significant increase in the penalties for infringements: fines may amount to 20 million euros or 4% of the offender's total annual worldwide turnover, whichever is higher. The supervisory authority may act of its own motion or on complaints from the individuals affected.
For more information, you may consult the AEPD web page or contact this professional office with your reference consultant.
Our professional office can advise and guide your company through the process of adapting or implementing a personal data protection and processing system that meets the legal requirements of the new GDPR.
Sellarès Assessors, GDPR, contact e-mail firstname.lastname@example.org