News on the European data protection regulation

On 4 May 2016, Regulation (EU) 2016/679 of the European Parliament and of the Council, of 26 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, was published. It is usually referred to as the General Data Protection Regulation (GDPR). This regulation aims to bring together the provisions relating to rights in terms of privacy and data protection, as well as to guarantee common security standards in the digital environment in the countries of the European Union.

The deadline for moving from the Directive replaced by the aforementioned Regulation is 6 May 2018, and its provisions will be fully applicable on 25 May 2018. It is therefore worth knowing what changes or adaptations companies must make to ensure compliance with the new data protection regulation. This is not a trivial matter. The fines imposed by the Spanish Data Protection Agency (AEPD) are significant. Specifically, non-compliance by companies with the data protection regulation may incur sanctions of up to 20,000,000 euros or 4% of the company’s annual turnover, whichever amount is larger.

Spanish legislation on data protection is certainly one of the most advanced and thorough in the region, to the extent that even the European Regulation was inspired by several of the provisions of the current Organic Law 15/1999, of 13 December, on the Protection of Personal Data (LOPD). For this reason, adapting to the new European regulation should not be a big problem for Spanish companies that already comply with current legislation. However, it is worth bearing in mind some of the changes or additions that implementation will involve for those responsible for processing data by certain methods, in order to adapt to these changes.

Below are some of the most relevant developments:

  • Registration of files: The obligation to register files containing data with the national data protection authorities is removed. Each person in charge of data must keep an internal record of the data processing that takes place.
  • Impact evaluations: Prior to the implementation of data protection measures, the system that already exists in the company must be evaluated, along with the impact of data processing on the person, the methods that are available and the procedures to ensure compliance with their obligations. The data protection system must be constructed in accordance with this prior evaluation. This is known as “privacy by design”.
  • Data protection by design and by default: The former involves the person responsible for data processing adopting suitable measures based on their specific circumstances. The latter, data protection by default, means that due to the methods used, only the data necessary for each specific purpose will be processed.
  • Security breaches: The obligation to communicate any security breach in data processing to the supervisory authority is extended. A security breach means the destruction or loss of personal data stored or sent, or unauthorised access to or communication of these data. Any security violation must be communicated to the supervisory authority within a maximum of 72 hours from when it is recorded.
  • ARCO rights: Refers to the classic rights of access, rectification, cancellation and opposition. The interested party continues to be freely able to exercise these rights. What is new is that if the request is obviously excessive, the person responsible for the data may refuse to respond or impose a reasonable fee based on the administrative costs faced to provide the information. Another new feature is the inclusion of the right to removal, commonly referred to as the right to be forgotten, which up until now only had jurisprudential recognition. In addition, the Regulation introduces the possibility that heirs may exercise the ARCO rights that belonged to the deceased.
  • Compliance check: The person responsible is required to be able to prove at any time that each and every instance of data processing that has taken place complied with the established legal requirements. This therefore strengthens the checking of compliance.
  • Data Protection Officer: The Regulation creates this officer, who will inform the person responsible for data processing of the obligations that apply to them by virtue of the Regulation and will supervise due compliance with these obligations. Public entities that process data must have such an officer, as must private companies that process data on a large scale.
  • Codes of conduct: Their role is strengthened to build general confidence among the interested parties. Companies that comply with the necessary requirements in relation to data protection may adhere to their sector’s code of conduct.

Although there are more changes brought by the European Data Protection Regulation, and the explanations of each of them are extensive, this article aims to provide just a few hints so that companies do not disregard the importance of the regulation that is about to fully come into force.

Due to the aforementioned regulation, there is already a proposal for the new LOPD, which will replace that of 1999 and will fully adapt to the provisions of the new Regulation.