Published on 8/9/2017
The regulation seeks to strengthen the right to the protection of personal data, inherent in all persons, as a fundamental right and to allow European citizens better control of them.
On 25 May last year, the new Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data entered into force, repealing Directive 95/46/EC.
Unlike a Directive, this Regulation applies directly throughout Europe, without the need for Member States to transpose it into their national legislation. Given the importance of the new rules and rights it establishes, it will not become applicable in each state until 25 May 2018, since Member States, public administrations and companies need a long period of adaptation. Directive 95/46/EC is repealed on that same date.
Companies, for their part, will be able to take full advantage of the opportunities of a single European market.
But what are the main novelties of the new regulation that companies must take into account in their security and data protection policies?
To begin with, the regulation introduces changes to the duty of information: it expands the information that the controller must provide before processing the data. As for consent, as a legal basis for processing the data, the requirements become clearer and more rigorous. Tacit consent or consent by omission will not be permitted. Companies should therefore review their consent collection processes to check whether they meet the new requirements of the regulation.
In addition to recognizing the classic ARCO rights (Access, Rectification, Cancellation and Opposition), the regulation establishes new rights: the "right to be forgotten", under which citizens may ask companies to delete their data in certain circumstances, for example when the data no longer serve the purpose for which they were collected; the "right to data portability", under which organizations that process data by automated means must provide the citizens concerned with a copy of their data in the requested format to facilitate its transfer. Where technically possible, the citizen may ask that the company transfer the data directly to another controller. And, thirdly, the right to restriction of processing: the power of data subjects to request and obtain from the controller a restriction on the processing of their personal data.
Companies should also prepare data protection impact assessments when designing a new product or service. Such assessments may be required to identify potential risks in the processing. At the same time, the new regulation requires companies to notify the authorities of a data breach within 72 hours of becoming aware of it. Where the breach is likely to cause significant harm to citizens, the affected individuals must also be notified.
Another important point for companies that handle a large volume of personal data, or whose core activities include data processing, is that they must appoint a Data Protection Officer (DPO).
The regulation also introduces the so-called "one-stop shop": a company established in several EU Member States will answer to the data protection authority of the country where it has its main establishment. That authority will act as a single point of contact for all the activities the company carries out in the different countries. At the same time, transfers of data to countries outside the EU are restricted and limited to those countries that offer an adequate level of data protection. Finally, the new regulation increases the penalties for non-compliance, which may involve fines of up to 20 million euros or 4% of a company's turnover.
In summary, the General Data Protection Regulation (GDPR), in order to guarantee the right to the protection of personal data inherent to all persons, establishes clear guidelines and obligations in some areas while leaving others to the appropriate internal management of each organization. Companies must therefore integrate all personal data management processes into the organization's general processes: risk analysis and management, impact assessments, and so on.