Personal data protection

RGPD – “The General Data Protection Regulation (REGULATION (EU) 2016/679″

Based on the new General Data Protection Regulation (REGULATION (EU) 2016/679 – “GDPR”), any person responsible for or in charge of the processing of personal data (SMEs, public organizations, NGOs, etc.) must comply with the GDPR.

The GDPR is important because, among others:

• It replaces the previous legislation, bringing all EU states under a single legal framework;
• increases the level of personal data (PD) protection and implies a greater commitment to PD by companies or organisations:
  • In this sense, the “active liability” is introduced: it is not enough to react only when an infringement has occurred, but companies must take all necessary measures to reasonably ensure that they are able to comply with the principles, rights and guarantees of the GDPR.
• It applies not only to data controllers and processors established in the EU, but also to those outside the EU if the processing in question is related to:
  • Offers of goods and services intended for EU citizens, or
  • monitoring and follow-up of their behaviour.
• It broadens the very definition of “personal data”: it now covers any “information about an identified or identifiable natural person” (economic, cultural, health, etc.).
  • It can even affect the processing of data carried out using pseudonyms, when it is easy to identify who they belong to.
• It introduces new rights to improve the decision-making capacity and control of EU citizens over their personal data, for example:
  • The right to be forgotten: the data subject can request that links that lead to false, incomplete, irrelevant, obsolete information, etc., be blocked in a list of search engine results.
  • The right to portability: personal data already provided may be transferred to another person or company through a request for direct transmission or through its retrieval in a format that allows its transfer.
• It strengthens the general principle of the need for the consent of the data subject for any processing of personal data:
  • must be “free, specific, informed and unambiguous”:
    • “Tacit consent” is no longer accepted: a positive action or a statement expressing the approval of the person concerned is required.
    • And the consent must be explicit in the case of sensitive data.
  • It establishes that the data controller is also responsible for complying with the provisions of the GDPR.
  • It provides for severe fines for breaches of the obligations of the controller and the data processor, among others:
    • EUR 10 million or 2% of the overall total annual turnover for failure to report possible breaches to the data protection authority.
    • EUR 20 million or 4% of total annual global turnover for any breach of the basic data-processing principles.

    In both cases: “whichever is higher” (art. 83)

Are you sure you already meet the GDPR?

• Non-compliance can be expensive.
• It is not just a question of information technology, but also of law.
• The GDPR also affects companies established outside the EU.

If you wish, we can help you with our specialised legal advice for compliance with the Personal Data Protection regulations.