Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation, or GDPR) entered into force in May 2016. It is a European Union regulation that is directly applicable in every Member State from 25 May 2018, without national transposition. Although it is already in force, companies are only required to apply it from that date, so they must use the time until 25 May 2018 to prepare and bring their processing into line with the new Regulation.
At Belzuz Abogados we offer a comprehensive solution for adapting to the GDPR (General Data Protection Regulation (EU) 2016/679): services tailored to each client's needs, staff training, follow-up and auditing, and therefore the greatest possible assurance that the company is genuinely compliant with the Regulation.
The adaptation service covers the following areas:
a) Initial diagnosis and impact assessment by a specialised professional
b) Drawing up the Data Protection Management System
c) Training and raising awareness among staff
d) Follow-up and audit
e) Legal advice and defence
MAIN CHANGES WITH REGARD TO CURRENT LAW
1) Inform the data subjects and obtain their consent
Consent can no longer be obtained by default: silence, inactivity or pre-ticked boxes are not valid, and consent must be given by a clear affirmative act.
The legal basis for collecting and processing the data must be identified and recorded.
The information given to data subjects must, as before, be express, precise and unambiguous, and must now also be intelligible, concise and transparent, using plain language.
2) The exercise by data subjects of their rights
The right to obtain a copy of the personal data is generally recognised under the right of access.
The so-called right to be forgotten (right to erasure) is introduced, including erasure of personal data that has been made public online.
The data subject may request a restriction of the data processing.
A right to data portability is introduced where the processing is carried out by automated means and is based on consent or on a contract.
3) Relationship between the data controller and the data processor
New specific duties are set out for both controllers and processors.
The controller must be in a position to guarantee, and to demonstrate, that the processing carried out by the processor complies with the Regulation.
The minimum content of the controller-processor agreement changes. Agreements signed before the GDPR becomes applicable must be amended to meet the new requirements.
4) Controllers are required to have a proactive stance on GDPR compliance
Risk assessments, and where required data protection impact assessments, must be carried out on the processing in order to determine the measures to implement.
It will be necessary to keep a record of processing activities.
The concepts of data protection by design and by default are introduced: data protection must be considered and built in before the processing starts, and by default only the data necessary for each purpose may be processed.
The security measures to be adopted depend on the risk assessment carried out beforehand; the measures implemented under the current law may not be sufficient under the new one.
Personal data breaches must be notified to the supervisory authority within 72 hours of the controller becoming aware of them (unless the breach is unlikely to result in a risk to individuals), and the affected data subjects must also be informed when the breach is likely to result in a high risk to them.
The new figure of the Data Protection Officer (DPO) is introduced and it shall be compulsorily adopted in some cases.
BELZUZ ABOGADOS S.L.P. IT Law Department has qualified professionals to provide legal advice necessary to comprehensively implement and comply with every obligation and procedure set out by the GDPR.
SANCTIONS FOR INFRINGEMENTS
Depending on the GDPR article infringed, and without prejudice to the compensation that data subjects may claim in court, the sanctions for GDPR infringements differ considerably from those of the LOPD (Spanish Data Protection Law). Fines of up to €10,000,000 (or up to 2 % of total worldwide annual turnover, whichever is higher) may be imposed for, among other infringements: failure to meet the conditions for children's consent; not implementing data protection by design and by default; not keeping the record of processing activities; not notifying data breaches; not carrying out impact assessments; and not appointing a DPO where required. Fines of up to €20,000,000 (or up to 4 % of total worldwide annual turnover, whichever is higher) may be imposed for, among others: breaching the GDPR principles; breaching data subjects' rights; breaching the requirements for international data transfers; and failing to comply with orders of the supervisory authority.
| Applicable law | Minor sanctions | Serious sanctions | Very serious sanctions |
| GDPR | No minimum amount range is established | Administrative fine up to €10,000,000 or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher | Administrative fine up to €20,000,000 or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher |
The legal advice provided to companies operating in Spain and Portugal is backed by a multidisciplinary team at Belzuz Abogados with extensive experience in company management and structuring, taxation, labour law, industrial and intellectual property, and data protection and privacy.
Belzuz Abogados SLP
This publication contains general information and does not constitute professional opinion or legal advice. © Belzuz Abogados, S.L.P., all rights reserved. The exploitation, reproduction, distribution, public communication and transformation, in whole or in part, of this work without the written authorisation of Belzuz Abogados, S.L.P. is prohibited.