The new REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND COUNCIL of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, came into effect on 25 May 2016.
This Regulation will apply as of 25 May 2018, giving companies and entities two years to adapt to it. The draft bill for the reform of the Spanish Data Protection Act [Ley Orgánica de Protección de Datos (LOPD)] is expected in the first quarter of 2017.
The following are the main changes to be taken into account regarding this Regulation:
Scope of application
This Regulation applies to those responsible for or in charge of data who are established in the European Union, and also to those who, although not established in the European Union, offer goods or services to persons residing in the EU.
The conditions for obtaining the consent of the party concerned have been reinforced. Accordingly, those responsible must be able to prove that an individual gave their consent to the processing of their personal data; consent cannot be inferred from the individual's silence or inaction. The request for consent must be intelligible and easily accessible, using clear and simple language.
The right to deletion (“the right to be forgotten”) is also introduced, whereby the person concerned has a right to the deletion of his/her data under certain circumstances, such as when the personal data is no longer necessary for the purpose for which it was collected, consent has been withdrawn, or the data has been unlawfully processed.
The right to portability is also introduced, whereby the person providing his/her data may ask those responsible for the automated processing of that data to return it in a format that allows him/her to transfer it to another responsible party.
Information to be provided
Companies will need to provide the individual concerned with additional information beyond that currently contemplated in the Data Protection Act 15/1999 and Regulation 1720/2007, and will therefore need to revise their action protocols, privacy notices, etc. This additional information includes, for example and as appropriate, the intention of those responsible to transfer personal data to a third country or international organisation, the period for which the data will be kept, and the right to submit a claim before a supervisory authority.
Company measures to be taken
The most crucial aspect of the new Regulation is the taking of preventative measures by those companies that process data. The following measures need to be taken into account by companies in this respect:
- Data protection by design and default.
Data protection by design implies that bearing in mind the state of the art, implementation costs and the nature, scope, context and purpose of the processing, those in charge of the processing will apply appropriate technical and organisational measures (such as pseudonymisation), both at the time of determining the processing means as well as during the actual processing itself.
Data protection by default implies that those in charge of the processing will apply appropriate technical and organisational measures with a view to guaranteeing that, by default, only the personal data necessary for each specific purpose of the processing is actually processed.
- Recording of activities.
Those responsible must keep a record of the processing activities carried out under their responsibility, and each manager must keep a record of all categories of processing activities carried out on behalf of those responsible.
However, these obligations do not apply to any company or organisation that employs fewer than 250 people, unless the processing undertaken could represent a risk to the rights and freedoms of individuals, is not occasional, or involves special categories of personal data.
- Security measures.
Bearing in mind the state of the art, implementation costs, and the nature, scope, context and purpose of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons, those responsible for the processing and the corresponding manager will apply appropriate technical and organisational measures to guarantee a level of security appropriate to the risk.
Adhering to an approved code of conduct or certification mechanism is important, as it may serve as a way to demonstrate compliance with these requirements.
- Impact assessment.
Where a type of processing is likely to imply a high risk, particularly if new technologies are used, or due to its nature, scope, context or purpose, those responsible for the processing will carry out an assessment of the impact of the processing operations on the protection of personal data before the processing begins.
- Data protection officer.
A data protection officer shall be appointed whenever the main activities of those in charge or of the manager consist of processing operations that, due to their nature, scope and/or purpose, require regular and systematic monitoring of individuals on a large scale, or whenever those main activities consist of large-scale processing of special categories of personal data.
- Notice of data breaches.
In the event of a personal data security breach, those in charge of the processing will notify the supervisory authority no later than 72 hours after becoming aware of it.
- Codes of conduct and certificates.
Member States should encourage the drafting of codes of conduct aimed at contributing to the correct implementation of the Regulation, as well as the creation of data protection certification mechanisms and data protection seals and marks, in order to demonstrate compliance with this Regulation.
Administrative fines of up to a maximum of 20.000.000 EUR may be imposed or, in the case of a company, up to a maximum of 4% of its total overall annual turnover for the previous financial year, whichever is the higher.