Relevant News Introduced by the New General Regulation on Data Protection
On May 25, 2016, the new General Regulation on Data Protection ("RGPD") entered into force. Its main aim is to ensure a uniform and coherent application of data protection law within the European Union so as to achieve the highest level of harmonization. Even though the Regulation is directly applicable, a domestic Organic Law on data protection, whose content is not yet known, is being drafted and will be approved in May 2018.
The Regulation has already entered into force, but it will not be applied until May 25, 2018. In the transitional period those in charge of data processing (that is, the data controllers and data processors) must prepare and take all necessary measures in order to be in compliance with the regulation when it becomes applicable.
The RGPD modifies some aspects of the current regime and adds new obligations for data controllers and data processors, including the following:
- Security measures: The RGPD establishes a list of measures to be taken by the controllers, and in some cases by the processors, to ensure that processing complies with the Regulation. Examples of these active responsibility measures include keeping a record of data processing activities and appointing a Data Protection Officer (DPO), amongst others. However, the RGPD no longer specifies which measures must be taken according to security levels (low, medium, high). Instead, it establishes that, from now on, data controllers and data processors must determine which measures to apply after assessing the risks of each processing activity.
- Reinforcement of the duty to inform: The RGPD gives greater importance to the information that must be provided to the citizens whose personal data are being processed. It establishes a thorough list of the contents that must be included in data protection information clauses (new contents such as the contact details of the DPO, the categories of recipients to whom the data may be disclosed, the data retention period, etc. are now included).
- Extinction of tacit consent: The RGPD expressly establishes the obligation for the interested parties to actively express their consent (for example, it forbids the use of pre-selected checkboxes or of clauses under which consent is deemed given simply by reading them).
- Expansion of the rights of interested parties: in addition to the rights of access, rectification, cancellation and opposition, the RGPD establishes the right to restriction of processing (at the request of the data subjects, their personal data will not be subject to certain processing operations) and the right to data portability (the transfer of the data subject's personal data from one data controller to another).
- International data transfer: The RGPD widens the list of possible legal means of offering guarantees, including Binding Corporate Rules (BCR), codes of conduct, etc. In these cases, it will not be necessary to obtain an authorization from the Spanish Agency on Data Protection (Agencia Española de Protección de Datos) in order to transfer personal data.
- Tougher penalties for noncompliance: the amount of the fine for breaching the Regulation increases. It enables the competent authority to impose sanctions of up to EUR 20 million or 4% of the worldwide turnover of the breaching party.
- Compensation for damages: The RGPD provides that the data controller or the data processor may be required to compensate the data subject for the damage caused.
Should you have any questions about adapting your company's data processing to the new Regulation, please do not hesitate to contact us.
Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. This Regulation repeals Directive 95/46/EC.