The new European General Data Protection Regulation (GDPR), which governs the protection of natural persons with regard to the processing and free circulation of their personal data, became enforceable on May 25th, 2018.
The GDPR is the type of E.U. regulation that applies directly in all member states, which means it is enforceable in Spain as if it were a national law. The current legislation includes new obligations with which companies, freelancers and public and private organizations that process personal data must comply.
In adapting to the legislation, the first step is to identify and analyze areas of risk and document the processing of personal data. If the company fails to comply, the potential sanctions can range from 4% of the company’s annual turnover to 20 million euros, plus the penal, administrative and corporate consequences, as well as the damages and losses that may arise on a national level.
Particular requirements of the GDPR
- Appointment of a Data Protection Delegate (DPD/DPO) in the company/entity
- Impact evaluation in data protection
- Obligation to communicate security breaches of personal data to the Spanish Agency for Data Protection within 72 hours, and in severe cases, to those affected
- Elimination of tacit consent
- Extended content of the contracts giving data access to third parties: any third party that gains access to personal data in order to provide a service has to sign a contract regulating the processing of this data
- Eliminating distinctions between personal and professional data.
Main changes of the General Data Protection Regulation
- Information transparency
- Those in charge of the data processing
- The citizen’s rights
- The registry
- The consent in web pages
- Sending commercial communications.
This article should not be considered legal advice.