I. Introduction
Regulation (EU) 2016/679 of the European Parliament and Council of 27th April 2016 entered into force on 25th May 2016. The Regulation deals with the protection of individuals with regard to the processing of personal data and the free movement of such data (hereinafter referred to as the “European Regulation on Data Protection”), and compliance with it shall be obligatory as from 25th May 2018.
II. Scope of application
The European Regulation on Data Protection repeals Council Directive 95/46/EC, which was transposed into Spanish law by Organic Law 15/1999 of 13th December on Personal Data Protection, and is directly applicable in Spain.
In this regard, we should note that European Regulations are binding in their entirety, are directly applicable in all of the EU countries, and may be invoked by individuals before national courts. Directives, by contrast, oblige EU countries to achieve a certain result but leave them free to choose the means of achieving it, and they must be transposed into national law before becoming applicable.
III. Objectives of the Regulation
As set forth in the Recitals of the European Regulation on Data Protection, a Regulation was chosen in order to standardise the protection of individuals and to offer legal security and transparency to economic operators.
As an example, the Regulation affirms that consent should be given via a clear affirmative act which reflects the free, specific, informed and unequivocal will of the interested party to accept the processing of the personal data which concerns them, such as a written declaration, including by electronic means, or a verbal statement. This may also include ticking a box on an Internet website, selecting technical settings for the use of information society services, or any other statement or conduct which clearly indicates in this context that the interested party accepts the proposed processing of their personal data. Therefore, silence, pre-ticked boxes or inaction should not constitute consent.
On the other hand, the Regulation introduces new tools which strengthen citizens' capacity to decide on and control the personal data which they entrust to third parties, such as the right to be forgotten and the right to the portability of their data.
IV. New guidelines and recommendations from the Spanish Data Protection Agency
The Spanish Data Protection Agency (Agencia Española de Protección de Datos – “AEPD”) has introduced new material to help small and medium-sized companies (SMEs) comply with the European Regulation on Data Protection, which includes a “Guide on the Regulation for Controllers”, “Guidance for drafting contracts between controllers and processors”, and a “Guide for the fulfilment of the duty to inform”.
V. Conclusion
Although the Regulation shall not be applicable until 28th May 2018, it is advisable to start to implement the measures set forth therein.
Carla Villavicencio Goula
Vilá Abogados
24th March 2017