On April 27, 2016, Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) was adopted. It entered into force at European level on May 25, 2016 (twenty days after its approval). However, it will not be applicable in the Member States until two years after its entry into force, that is, until May 25, 2018.
The modification of the current Organic Law on Data Protection, to adapt it to the provisions of the aforementioned Regulation, has already begun, but it is still in its infancy. However, regardless of whether or not the Spanish legislature adapts the legislation to the provisions of the Regulation, the Regulation will begin to apply in May 2018. In other words, in a year’s time, all companies must have modified their data protection policy to adapt it to the provisions of the Regulation. Otherwise, they risk becoming subject to the new penalty regime provided for in the Regulation. Thus, for example, if a company fails to obtain consent in the terms required by the Regulation, it may face a penalty of 20 million euros or an amount equivalent to a maximum of 4% of the total annual global turnover of the previous financial year.
The Regulation does not simply include amendments to the current legislation, but constitutes a new data protection system inspired by different principles, taking into account the importance of the technological changes facing European companies.
In this document, the most relevant modifications introduced in the General Data Protection Regulation will be succinctly explained.
1. Territorial scope of application (article 3).
Article 3 of the General Data Protection Regulation guarantees the existence of a single body of legislation throughout the European Union. Until now, personal data protection in Europe has been regulated differently in each country, depending on how each one transposed the 1995 European Union Directive.
The General Data Protection Regulation applies to the processing of personal data carried out in the context of the activities of a legal or natural person established in the Union, regardless of whether the processing itself takes place inside or outside the Union.
It also applies to the processing of personal data of Union residents carried out by a “controller or processor not established in the Union”, when the processing activities are linked to:
– The offer of goods or services to such interested parties in the Union, regardless of whether they are required to pay for them.
– The monitoring of their behaviour, insofar as it takes place in the Union.
In short, the territorial scope of the General Data Protection Regulation is so broad that it covers a wide range of situations related to the European Union.
2. New concept of consent.
Until now, the Organic Law on Data Protection required the consent of data subjects for data processing, but no other requirements were included.
The General Data Protection Regulation establishes a more exhaustive regulation on consent. The Regulation requires consent, in general, to be free, informed, specific and unambiguous, whereas the Organic Law on Data Protection only required consent to be unambiguous. Firstly, in article 13, it details the information that must be given to those affected (as well as to the workers, or to any interested party whose information is to be collected). Specifically, the following information must be provided:
– The purposes of the processing for which the personal data is intended and the legal basis for the processing.
– The identity of the recipients or categories of recipients of the personal data.
– The identity of the controller and, if applicable, of the data protection officer.
– The period of time during which the personal data will be kept.
– The existence of the right to request from the data controller access to the personal data provided, its rectification or erasure, or the restriction of its processing.
– The possibility of exercising the right to file a complaint with a supervisory authority.
– The existence of automated decisions, including profiling, meaningful information about the logic applied, as well as the significance and expected consequences of such processing.
– The intention to transfer the personal data to a third country or international organization.
That is to say, contrary to what happens under the current regulation, a mere generic explanation will no longer be sufficient. Once the General Data Protection Regulation applies, it will be necessary to inform data subjects in a clear, simple, but complete way of each and every one of the points set out above.
Consent must be clear and express and, in addition, in the case of processing not directly related to the service provided, it must be specific.
In order for consent to be considered unambiguous, the Regulation requires that there be a declaration by the data subjects or a positive action indicating the data subject’s agreement. Consent cannot be inferred from the silence or inaction of citizens.
It is also stipulated that consent must be explicit, so that it can no longer be understood as given implicitly by means of some kind of positive action. Thus, it will be necessary for the statement or action to refer explicitly to the consent and the treatment in question.
It should be borne in mind that consent must be verifiable and that those collecting personal data must be able to demonstrate that the data subject has given his or her consent. It is therefore important to review the systems for recording consent so that it can be verified in the event of an audit.
3. Privacy by design and privacy by default.
Privacy by design is stated in Article 25 of the Regulation as an obligation. Considering the provisions of Recital 78, we can adopt it as the key to be followed by the controller to demonstrate legislative compliance, since, as stated in that recital “the controller must adopt internal policies and implement measures that comply in particular with the principles of data protection by design and by default”.
The aforementioned article 25 establishes some criteria to be considered in the application of the principle of privacy by design, which are related to the following:
– The state of the art;
– The cost of implementation;
– The nature, scope, context and purposes of the processing; as well as
– The risks of varying likelihood and severity posed by the processing to the rights and freedoms of natural persons.
In other words, it can be stated that the principle of data protection by design must be one of the axes on which to develop a data protection compliance program, so that the risk management involved in any processing of personal data is considered at the very moment of the conception of an idea that gives rise to the design or development of applications, services and products.
In short, data protection by design is a strategic issue that both the data controller and the data processor (although especially the former) must consider in order to ensure the fundamental right to data protection by adopting and implementing technical and organizational measures that take into account the individual, the data subject, from the beginning or even from the very moment an idea is generated that could lead to an application, service or product.
4. Privacy impact assessment.
Closely related to the above, the General Data Protection Regulation establishes the obligation to draw up and maintain a register of processing operations, including all the processing of personal data carried out by the data processor. The register must also include an assessment of the risk involved in each processing operation.
Where a type of processing, in particular if it uses new technologies, is likely to involve a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the processing operations on the protection of personal data. A single assessment may address a number of similar processing operations involving similar high data protection risks.
The purpose of a privacy impact assessment is to analyze and identify the risks that a particular information system, product or service may pose to data protection.
The data protection impact assessment will be required in particular in case of:
(a) systematic and comprehensive evaluation of personal aspects of natural persons which is based on automated processing, such as profiling, and on the basis of which decisions are taken which produce legal effects for natural persons or which significantly affect them in a similar way;
(b) large-scale processing of the special categories of data referred to in Article 9(1) or of personal data relating to convictions and criminal offences referred to in Article 10; or
(c) large-scale systematic observation of a publicly accessible area.
The evaluation shall include at a minimum:
(a) a systematic description of the intended processing operations and the purposes of the processing, including, where appropriate, the legitimate interest pursued by the controller;
(b) an assessment of the necessity and proportionality of the processing operations in relation to their purpose;
(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.
How should it be done?
– It must be carried out prior to the implementation of the new product, service or system.
– It must be systematic and oriented towards an effective review of the processes.
– It should allow for clear identification of those responsible for the different tasks.
– It must identify and classify the information to determine the personal data being processed and its characteristics.
– It must identify who will have access to the personal data and how they will process it.
– All those affected by the project in question must participate.
– It must describe the controls that will be put in place to ensure (1) that only necessary personal data is processed and (2) that it is processed only for the intended and defined legitimate purposes.
The main phases set out in the General Data Protection Regulation Guide for data controllers, which must be carried out in order to perform a correct assessment, are the following:
1) Preliminary phase: analysis of the need for the evaluation (the Guide includes an indicative list of the situations in which it would be advisable to carry it out).
2) Determination of the work team and terms of reference: it is advisable that the work team be made up of at least a representative of the business area and of the product involved, a representative of the ICT department and a data protection officer. The functions of each of the members must also be determined and the project defined.
3) Description of the project and information flows: main characteristics of the project and objectives, participants, data categories, information access profiles…
4) Identification and assessment of risks: analysis of documentation, monitoring of the life cycle of personal data, uses and purposes of data processing, technology used and identification of users, and identification of risks (the Guide includes an indicative list of usual or possible risks), considering two main categories: those affecting individuals and those faced by the organization.
5) Consultation with affected parties (internal and external): for example, if the planned services process employee data, it will be mandatory to include employee representatives in internal consultations.
6) Management of identified risks: once the risks have been identified, they must be managed in accordance with the terms of the Guide prepared by the Spanish Agency. Likewise, if any regulation is not complied with, the data processing that gives rise to the risk must be eliminated.
7) Regulatory compliance analysis: verify compliance with the LOPD and the RLOPD.
8) Final Report: The team responsible for the evaluation shall issue a final report that summarizes, as simply and concisely as possible, the main aspects of the project and the evaluation carried out.
9) Implementation of recommendations.
10) Review of results and feedback.
A novelty is also included with respect to communications with the authorities and with the holders of personal data. Under the new Regulation, security breaches must be notified to the authorities within 72 hours. They must also be communicated to the affected parties, who must be informed of the nature of the security breach and of the recommendations to mitigate its potential adverse effects.
If the notification to the supervisory authority does not take place within 72 hours, it must be accompanied by an indication of the reasons for the delay.
A penalty of up to EUR 10 million or an amount equal to a maximum of 2% of the total annual aggregate turnover of the previous financial year may be imposed in the event of non-compliance with the reporting obligation.
5. Data Protection Officer.
A new figure is created, regulated in Article 37, which the Regulation calls the Data Protection Officer and which must be appointed in companies that fall within any of the situations listed in the first paragraph of that article. The person appointed as Data Protection Officer must have specialized knowledge of law and, specifically, of data protection. These officers may or may not be employees but, in any case, they must perform their duties with complete independence.
The functions of the Data Protection Officer, which are regulated in Article 39 of the Regulation, are as follows:
– To inform and advise the data controller of the obligations that must be carried out to comply with the General Data Protection Regulation.
– Supervise the implementation of the rules by the data processor in terms of personal data protection (assignment of responsibilities, staff training, audits, etc.).
– Monitor the implementation of the General Data Protection Regulation and, in particular, the requirements related to data protection.
– Ensure the preservation of documentation.
– Oversee the documentation, notification and communication of personal data breaches.
– Supervise the response to requests from the supervisory authority and cooperate with it, at its request or on its own initiative.
– To act as a point of contact with the supervisory authority on issues related to processing.
In short, the Data Protection Officer will ensure that data protection regulations are complied with in companies. In other words, it is another instrument that contributes to the prevention of non-compliance with data protection regulations.
Likewise, the Regulation establishes that the data protection officer shall not be dismissed or sanctioned by the controller or the processor for performing his or her duties.
6. Penalties.
One of the most notable modifications is the introduction of an aggravated sanctioning regime with respect to the Organic Law on Data Protection, which will begin to be applicable to all those who have not adapted their activity to the provisions of the Data Protection Regulation before May 2018.
The penalties provided for in the General Data Protection Regulation range up to EUR 20 million, or 4% of the total annual turnover of the previous year (whichever is higher).
7. Citizens’ rights.
Citizens’ rights are extended. Until now there were the so-called ARCO rights (Access, Rectification, Cancellation and Opposition). The new Regulation provides for the following:
– Transparency: which is specified in the obligation to adopt all necessary measures to provide the interested party with all information indicated in articles 13 and 14 (right to information).
– Information: obligation to provide the data subject with the information required in article 13 of the Regulation when personal data are obtained. Likewise, certain information must be provided in those cases in which the data have not been obtained directly from the data subject, as set forth in article 14.
– Access: the right to obtain confirmation as to whether or not personal data concerning him/her are being processed, together with a set of related information.
– Rectification: rectification of inaccurate personal data concerning the data subject.
– Deletion or right to be forgotten: deletion of personal data concerning the data subject when one of the circumstances of article 17 of the Regulation applies.
– Limitation of processing: in certain circumstances, the data subject has the right to obtain from the data controller the limitation of data processing.
– Data portability: The data subject shall have the right to receive personal data concerning him/her, which he/she has provided to a controller, in a structured, commonly used and machine-readable format, and to transmit it to another controller without being prevented from doing so by the controller to whom he/she has provided it.
– Opposition: the right to object to the processing of data.
Conclusions.
The changes introduced in the General Data Protection Regulation entail a different conception of data protection at the European level. The European Parliament Regulation introduces new concepts, which imply new obligations for companies. Above all, it should be remembered that the Regulation aims at a prior and effective control of data protection, and therefore, the aim is no longer just to resolve the dangers created, but to ensure that such dangers do not arise, and that companies, by means of an effective compliance system, can avoid possible security threats. In other words, the new regulation requires companies to make a real effort to ensure compliance. In this sense, it is no longer sufficient to merely comply with the provisions of the Organic Law on Data Protection, but operators who process personal data must have an effective prevention system in place.
To conclude, it only remains for us to inform you that on June 23, 2017, the Council of Ministers approved the preliminary draft of the new Organic Law on the Protection of Personal Data. However, since the new Regulation will be fully enforceable against all companies operating in the Member States from May 2018 as a directly applicable regulation, companies must establish as soon as possible an adaptation agenda that runs in parallel with the approval procedure of the new law.