Sanctions for non-adaptation to the new Data Protection Regulation. On May 25, 2016, the General Data Protection Regulations (RGPD) came into force, which will replace the current regulations in force and which will begin to be applied on May 25, 2018.
Identification, analysis and recommendations on the novelties introduced.
Regulations currently in force
EU: Directive 95/46 / EC, of the European Parliament and of the Council, of 24 October 1995, concerning the protection of natural persons with regard to the processing of their personal data and the free circulation of these data.
Spain: Organic Law 15/1999, of December 13, Protection of Personal Data (LOPD)
Spain: Royal Decree 1720/2007, of October 21, by which the Regulation of development of the Organic Law 15/1999, of December 13, of Protection of Personal Data is approved.
New general regulation of data protection
EU: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data by which repeals Directive 95/46 / EC
Came into force last May 2016 and will be applicable from May 25, 2018. Until that date, the provisions of Directive 95/46 and national development regulations will continue in force.
Purpose: What is intended through the margin of two years granted by the regulation is to allow companies and agencies gradually adjust to what was introduced by its provisions. It is convenient to start the implementation with character prior to its applicability.
Main changes and novelties
- The territorial scope
LO 15/1999: The LOPD required the concurrence of at least one link or national link for the application of the protection.
The territorial spectrum of protection for companies outside the EU that treat data of EU citizens is expanded when:
1) The data are derived from an offer of goods or services intended for citizens of the European Union
2) Obtaining it is the result of a monitoring and monitoring of their behaviour
- Consent (articles 6 and ss. rgpd)
LO 15/1999: The LOPD allowed the tacit consent.
RGPD 2016/679: In order to validly obtain the consent, there must be a statement from the interested party or a positive action that expresses its agreement (the tacit consent is no longer allowed).
- The duty of information (ARTS 13 and SS.RGPD)
Duty of information about:
- Identity and data of those responsible
- DPO contact details
- Purpose of data collection and legal basis of treatment
- Recipients or categories of recipients
- Rights available to interested parties
- Transfers to third countries
- Conservation deadlines
- Existence of automated decisions
- If providing the data responds to a legal or contractual requirement, or is a requirement to sign a contract; if it is obliged to provide them and the consequences of not doing so.
- Requirements to provide the information:
- Concise, transparent and intelligible form
- Easy access
- Clear and simple language
The deadline for information to interested parties about obtaining their data from third parties is reduced: maximum one month (or at the time of the first communication with the interested party or communication to a third party, whichever occurs first).
- The rights of the interested party (ARTS 15 and SS RGPD)
To the ARCO rights scheme (rights of access, rectification, cancellation and opposition) the following powers are added:
- Right to transparency of information (Article 15) Clear and simple language
- Right of suppression (Article 17) Obtain without undue delay the elimination of personal data of the interested party
- Right to limitation (Article 18) Suspension of data processing
- Right to portability (Article 20) Right to the interested party to receive the data that concerns him / her.
- Data protection from design and default (Article 25 rgpd)
- Implementation of previous measures that translate into guarantees
- Organizational and technical nature
- Codes of conduct: determine the application of the obligations contained in the RGPD
- Certification mechanisms: means to demonstrate compliance with the RGPD. Maximum term of 3 years.
- Registration of data processing activities (Article 30 rgpd)
LO 15/1999: Registration of the files in the General Data Protection Registry of the AEPD.
- In the new system it will be enough to make a record of data processing, whose responsibility falls on the person responsible for them.
- It must contain information regarding the purposes of the treatment, the personal data processed, the recipients of the same, the deadlines for the deletion and the technical and organizational measures adopted.
- Security measures (Article 32 rgpd)
LO 15/1999: Basic, medium or high levels of protection
RGPD 2016/679: Levels of protection appropriate to risk. Appropriate technical and organizational measures. Determination factors:
- Cost of the technique
- Cost of the application
- Nature, scope, context and purposes
- Risks to rights and freedoms
- Notification of judgments (articles 33 and following Rgpd)
Content of the notification: nature of the violation, category of data and interested parties affected, measures adopted and applied so far.
Communication to the AEPD: Deadline of 72 hours from its detection, unless it is unlikely that it constitutes a risk for the rights and freedoms of the interested parties.
Communication to stakeholders: Only if it is likely to entail a high risk to your rights and freedoms.
- The evaluation of the impact on data protection (ARTS., 35 and SS.RGPD)
Prior evaluation in high risk treatments in the following cases:
- Automated treatment
- Special category data
- Public access areas
If a high risk is determined, appropriate measures must be taken in this regard.
Duty to consult the authority if the organization or organization cannot cope with the contingencies that derive from the treatment.
- The new figure of the data protection officer or the delegate of data protection (articles 37 and following Rgpd)
Regarding the DPO, it is designated by the person in charge and the person in charge of the data processing in question.
It is only necessary for those cases in which the data processing is carried out by a public entity or body, or in which the activity of the responsible party and the manager consists of treatment operations that require regular observation or refer to categories special data
To inform and advise, both the person responsible and the employees, of the obligations incumbent upon them under the Regulation itself and to supervise its compliance
The party has no hierarchical superior, so they cannot perceive any instruction regarding the performance of their duties. In any case, the duty remains to maintain secrecy or confidentiality about the activity
- International transfers (articles 44 and following Rgpd)
They are prohibited as a general rule.
- Based on decision of adequacy
- Adequate guarantees
- Explicit consent of the interested party
- Countries excluded from the EEA: obligation to recognize the level of protection by the Commission
- Exception to the prohibition of data transfer to third countries without standard.
- Satisfying legitimate interest
- Non-repetitive transfer
- Affects a limited number of stakeholders
- The sanctioning regime (articles 83)
- Fines up to 10,000,000 or 2% of the global turnover of the previous year:
- For violation of the obligations of the responsible person and the manager
- Violation of certification obligations
- Violation of control obligations
- Fines up to 20,000,000 or 4% of the global turnover of the previous year
- Violation of the basic principles of treatment
- Violation of the rights of the interested parties
- Transfer to third countries
- Failure to comply with a resolution
* In case of concurrence, the highest fine will be imposed