17 Apr THE NEW DATA PROTECTION REGULATION IS HARD, COMES INTO EFFECT IN A FEW WEEKS AND WILL CHANGE YOUR LIFE: A SUMMARY OF WHAT IS COMING.
The RGPD, summarized
The main areas of the General Data Protection Regulation (RGPD) are the following, described in particular by how they differ from Directive 95/46/EC on the protection of personal data.
INDIVIDUALS' RIGHTS AND HOW THEY MUST BE COMMUNICATED
The current data protection standard in the EU (Directive 95/46/EC) gives natural persons rights over their personal data and specifies the information they must receive from companies, including the purposes for which those data will be used. In many cases this communication takes the form of privacy statements or notices published on a web page.
The RGPD considerably increases this protection: it establishes additional rights which, together with those that already existed, must be communicated to the data subjects. Specifically, data subjects must be informed that they have the following rights (the list is not exhaustive):
- To lodge a complaint with the supervisory authorities, such as the Spanish Data Protection Agency (AEPD).
- To withdraw consent to the processing of their personal data.
- To access their personal data, and to have them rectified or erased (the “right to be forgotten”) by the company and by third parties who have had access to them.
- To know of the existence of any automated processing of personal data (including profiling).
- To object to certain types of processing, such as direct marketing or decisions based solely on automated processing.
- To be informed of how long their personal data will be retained.
- To know the contact details of the designated data protection delegates (discussed below).
Natural persons also have the right to have non-profit organisations exercise these rights and lodge complaints on their behalf (NGOs or law firms acting in collective actions).
Although EU law has always required that a person's consent to the collection of their data be freely given, specific and informed, the RGPD additionally requires that it be confirmed by a statement or other clear affirmative action. That is, pre-ticked boxes on web pages, silence, or the data subject's inaction after reading a privacy statement do not constitute consent.
In addition, consent may not be generic: consent given to a company by a person for one particular operation does not cover other types of processing of their personal data. Separate consents are needed for different processing operations.
Finally, not only is it compulsory to inform people that they have the right to withdraw their consent at any time; it must also be as easy to withdraw consent as it was to give it.
Consents that have already been given must be reviewed to verify that they meet the requirements of the RGPD. Where there are conflicts or ambiguities, companies must establish a new legal basis for processing the personal data (for example, that the processing is necessary for the performance of a contract), obtain fresh consent, or stop processing the data.
RIGHT TO MOVE OR TRANSFER PERSONAL DATA (PORTABILITY)
People now have the right to move, copy or transfer their personal data from one place to another, even to a competitor of the company they originally gave it to. For example, if a data subject has created a playlist in a film, book or music service and changes provider, they can take it with them. Personal data must therefore be provided in a structured, commonly used and machine-readable format so that it is easy to use and share.
A WIDER SCOPE OF APPLICATION
In short, the RGPD holds responsible for breaches of the security of personal data not only the company that collects them but also any third party that processes them on its behalf, whether that third party is another company, a public body or a natural person. This does not mean that a company can simply hand the personal data to a third party and forget about them: the company must ensure that the third party also complies with the RGPD.
In addition, the territorial scope of application extends beyond the EU to any enterprise (or, again, any third party that processes personal data on its behalf) that offers goods or services to individuals resident in the EU or that monitors their behaviour. It should be stressed that it makes no difference whether or not payment is made for the goods or services, so the RGPD also applies to charities and NGOs.
Since the EU is a trading partner of most countries, the wider scope of the RGPD reaches countless companies around the world and, in practice, will require them to comply if they intend to operate in EU Member States, whether directly or by providing services to others.
But simply complying with the RGPD is not enough. Companies must be able to demonstrate compliance under the requirement of “proactive responsibility” (accountability), which brings with it some rather costly record-keeping duties. Specifically, records must be kept detailing processing activities*, access requests from data subjects, security breaches, how consents were obtained, and data protection impact assessments (see below).
Once again, this requirement also applies to third parties that process personal data on behalf of a company, although the requirements for them are less detailed.
* Applies to companies employing more than 250 people, or to those employing fewer where the processing is likely to pose a risk to the rights and freedoms of the data subjects, is not occasional, or includes special categories of data, such as information about health, religion or sexual orientation.
PRIVACY FROM BEGINNING TO END
Throughout the lifetime of the personal data, from their collection until their use definitively ceases, technical and organisational measures must be taken in line with the data subjects' privacy expectations. This is known as “data protection by design” and means that respect for privacy must be built into every aspect of the processing from the design stage.
Likewise, only the personal data strictly necessary for the intended purpose should be processed, which is called “data protection by default”.
In practice, applying data protection by design and by default will involve continuous training, constant auditing, minimising the data collected, granting access to personal data only when necessary, and implementing appropriate technical and organisational security measures, such as widespread pseudonymisation or encryption.
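To make the last two measures concrete, here is an added example (not code from the original article) that combines data minimisation with keyed pseudonymisation. The customer record, the purpose allow-lists and the field names are constructed for illustration; the point is that each processing purpose receives only the fields strictly necessary for it, and that the direct identifier is replaced by an HMAC-SHA256 pseudonym which cannot be reversed or recomputed without a secret key held separately from the data set.

```python
"""Data minimisation plus keyed pseudonymisation for one customer record.

Added example, not from the original article. The record layout, the
purpose allow-lists and all values are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample record: roughly what a sign-up form might collect.
SAMPLE_RECORD = {
    "customer_id": "C-1001",                 # direct identifier
    "email": "ana@example.com",              # direct identifier
    "date_of_birth": "1985-03-12",
    "religion": "<constructed value>",       # special category of data
    "last_purchase_total": 42.50,
    "country": "ES",
}

# Data protection by default: each processing purpose may see only the
# fields strictly necessary for it (hypothetical allow-lists).
PURPOSE_FIELDS = {
    "sales_analytics": {"last_purchase_total", "country"},
    "age_verification": {"date_of_birth"},
}


def pseudonymise(identifier: str, key: bytes, context: str) -> str:
    """Replace a direct identifier with a keyed pseudonym.

    HMAC-SHA256 is keyed, so the pseudonym cannot be reversed or
    recomputed without the secret key, which must be stored separately
    from the pseudonymised data set. Mixing the purpose into the message
    yields unlinkable pseudonyms for the same person across purposes.
    """
    message = f"{context}:{identifier}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def minimise_for_purpose(record: dict, purpose: str, key: bytes) -> dict:
    """Return only the allow-listed fields plus a purpose-bound pseudonym.

    Every field not on the purpose's allow-list (including the e-mail
    address and the special-category field) is dropped, and the
    customer_id is replaced by its pseudonym so the output can be
    handed to the analytics team without the direct identifiers.
    """
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no allow-list defined for purpose {purpose!r}")
    allowed = PURPOSE_FIELDS[purpose]
    minimised = {k: v for k, v in record.items() if k in allowed}
    minimised["pseudonym"] = pseudonymise(record["customer_id"], key, purpose)
    return minimised


if __name__ == "__main__":
    # The key would live in a secrets store, never beside the data.
    key = secrets.token_bytes(32)
    print(minimise_for_purpose(SAMPLE_RECORD, "sales_analytics", key))
    print(minimise_for_purpose(SAMPLE_RECORD, "age_verification", key))
```

Because the pseudonym depends on the purpose, the sales record and the age-verification record for the same customer cannot be joined by anyone who holds both data sets but not the key; re-identification is possible only for whoever controls the key, which is exactly the separation the pseudonymisation measure is meant to provide.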
MANDATORY NOTIFICATION OF SECURITY BREACHES
In the event of a security breach affecting personal data, companies that collect personal data must inform the supervisory authority (the AEPD in Spain) within 72 hours of becoming aware of it. Third-party companies that process personal data on behalf of other companies must notify those companies without undue delay.
If the breach poses a high risk to the data subjects, companies must also notify them without undue delay.
DATA PROTECTION DELEGATE (DPD)
Under the RGPD, companies, and third parties that process personal data on their behalf, must appoint a data protection delegate (DPD) when:
(i) they are a public body; or
(ii) the main activities of the company or third party consist of large-scale monitoring of data subjects; or
(iii) their main activities consist of large-scale processing of special categories of personal data, such as data relating to ideology, beliefs or criminal offences.
The DPD must have specialist knowledge of data protection law. The DPD need not be a direct employee; the function can be performed under a service contract. The DPD's contact details must be communicated to the supervisory authority, such as the AEPD in Spain.
The penalties for non-compliance with the RGPD are very high and can reach 4% of the company's total worldwide annual turnover or 20 million euros, whichever is higher. A penalty may be imposed even if the data have not actually been misused. It should be noted that there are no exclusions or exceptions for small businesses. In addition, individuals may bring a collective action requesting a formal investigation if a company fails to comply with the RGPD.
For more information: