The technological changes taking place during the last few years have made it necessary for the European Parliament and Council to update European legislation for the protection of data given the existence of ever greater risks. This legislative update has given rise to the General Data Protection Regulation (hereinafter referred to the “Regulation”).
The Regulation shall be automatically applied as from 25th May 2018 in all of the member states, that is to say without the need for transposition. Accordingly, companies have had to adopt the necessary measures in order to comply with the provisions of the Regulation.
The major new developments are projected in two elements:
1) The principle of proactive responsibility:
The person responsible for data processing should apply appropriate technical and organisational measures in order to guarantee and be able to demonstrate that the processing is in line with the Regulation. This principle requires organisations to analyse what data they process, for what purposes and what type of processing operations they carry out.
2) Focus on risk:
The measures directed at guaranteeing compliance with the Regulation must take into account the nature, the field, the context and the purposes of the processing, and likewise the risk to the rights and freedoms of persons.
In accordance with this focus there are measures set forth in the Regulation, which must be applied when a high risk to rights and freedoms exists and other measures which must adapt to the level and type of risk.
DEVELOPMENT OF PREVIOUS PRINCIPLES:
In general, the Regulation does not introduce new principles, however, it does develop, in a more efficient, manner the already existing principles:
1) Prohibition, unless authorised: any personal data processing is prohibited unless it has been expressly permitted. With the Regulation, this principle of prohibition is indiscriminately applied to any kind of personal data.
2) Purpose limitation: companies may only collect and edit data with specific objectives. In order to do so, when starting to collect data, they must formulate their objective and document their future use.
3) Minimisation of data: it is not possible to collect more data than necessary to achieve the anticipated goal. This avoids the excessive collection of data.
4) Transparency: the information for the interested parties must be concise, transparent, intelligible and of easy access, with a clear and simple language. Previously it was only necessary to be precise and transparent.
5) Confidentiality: companies are obliged to protect the personal data of their clients from theft, in a technical and organisational manner, which is a new development. In the case of information theft, it is important that the technical and organisational protection measures are appropriate for the associated risk and the type of data stored.
COMPANY DELEGATES:
Directive 95/46 focused on the activity of the delegates for data protection. However, the Regulation contains obligations for them, such as maintaining a register of activities of data processing and determining the applicable security measures to be applied to the data processing which they carry out.
As far as companies are concerned, even when the principle activity is not related to data processing, the Reglulation establishes the obligation to appoint a data protection delegate for companies when at least 10 people attend to the automated processing of data. This affects many medium-sized companies.
Furthermore, the Regulation establishes the obligation for the person responsible for the data to sign a contract with the delegates. The Regulation also goes further in this area and establishes the minimum content that such contracts should have.
The people responsible must also carry out an evaluation of the risk of the data that they process, in order to set forth the measures to be applied and how to do so. The type of analysis shall vary depending on the data being processed, but large organisations must carry out said analysis using one of the existing risk analysis methodologies.
NOTIFICATION OF SECURITY BREACHS:
The Regulation extensisvely defines the security breaches, including any incident causing “the destruction, loss or accidental or illicit alteration of transmitted, conserved personal data or personal data processed in any other way, or the communication, or the non-authorised communication or access to said data”. In practice, the loss of a personal computer which contains client’s data, the non-authorised access to the data base of an organisation (including for personal use) or the accidental deleting of some registers are deemed to be security breaches in accordance with the Regulation.
When a security breach occurs, companies must notify the competent data protection authorities within 72 hours following the discovery of the security breach.
Hugo Ester
Vilá Abogados
For more information, please contact:
23rd of March 2018
