Concern for privacy is not going away. Citizens, who are also consumers, are increasingly aware of it and demand guarantees from both public authorities and businesses about how their data is used and processed. In Europe, the previously existing law has been reviewed, producing a new European data protection regulation.
This regulation obtained final approval on April 14, 2016 from the European Parliament. The reform aims to give citizens back control of their personal data and to guarantee high protection standards throughout the EU, adapted to the digital environment.
The main changes it introduces are listed below:
Extension of the scope of application
- It is extended to data controllers and processors not established in the EU whenever they process data in connection with offering goods or services to EU citizens, or as a result of monitoring and tracking their behavior.
- Additional guarantees for European citizens, adapted to the reality of the Internet.
New rights for citizens
- Recognition of the right to be forgotten: citizens can request, and obtain from controllers, the deletion of their personal data when, among other cases, the data are no longer necessary for the purpose for which they were collected, consent has been withdrawn, or the data were collected unlawfully. Likewise, in line with the ruling of the Court of Justice of the European Union of May 13, 2014, which recognized the right to be forgotten for the first time and is now incorporated in the European Regulation, the data subject can request that search engines remove from their result lists links leading to information about them that is obsolete, incomplete, false or irrelevant and not of public interest, among other grounds.
- Recognition of the right to portability: a data subject who has provided their data to a controller processing them by automated means may request to recover those data in a format that allows them to be transferred to another controller. Where technically feasible, the controller must transfer the data directly to the new controller designated by the data subject.
- Right to be informed if their data have been hacked.
The regulation establishes facilities for users
- Information provided in clear and concise language. For example, it will be necessary to explain the legal basis for processing the data, the retention periods, and that data subjects can address their complaints to the Data Protection Authorities if they believe there is a problem with the way their data are being handled.
- Need for clear and affirmative consent of the data subject to the processing of their personal data. For consent to be considered "unequivocal", there must be a statement by the data subject or a positive action indicating their agreement. Consent cannot be inferred from silence or inaction. Companies should review how they obtain and record consent: practices falling under so-called tacit consent that are accepted under the current rules will no longer be valid once the Regulation applies.
Paradigm shift: from a sanctioning approach to a preventive approach
- Active responsibility (accountability). Companies must adopt measures that reasonably ensure they are in a position to comply with the principles, rights and guarantees the Regulation establishes. The Regulation considers that acting only once an infringement has already occurred is an insufficient strategy, since the infringement may cause harm to data subjects that is very difficult to compensate or repair.
- Risk assessment through data protection impact assessments (DPIA – Data Privacy Impact Assessments) to determine the necessity and proportionality of the processing.
- Privacy by design and by default ("Privacy by Design" and "Privacy by Default") instead of mere adequacy.
- Creation of the Data Protection Officer (DPO) role, and provision for the creation of certification mechanisms (at least in the public sphere).
- Promotion of codes of conduct and certification schemes.
Control, supervision and sanctioning regime
- Notification mechanisms for security breaches at companies in critical sectors that provide essential services.
- Joint liability of controllers and processors for breaches of data protection.
- Prior authorization by the supervisory authority for certain types of processing, in particular when the data protection impact assessment (DPIA) identifies a high risk.
- Application of the "One-stop-shop" (single window) concept, so that citizens can carry out procedures even when they involve the authorities of other member states.
- Increase in the amount of sanctions: fines of up to €20 million or 4% of turnover.
Entry into force and date of application of the new European data protection regulation
As was anticipated when the draft was released, the new text will not apply until May 25, 2018. EU countries have a period of two years to transpose the changes of the directive into national legislation.
At Edor Team, we are very aware of the repercussions of these changes for companies. For this reason, our advisory service keeps track of these modifications and advises on the necessary actions so that our clients do not have to worry about them.