Agencia Española de Protección de Datos (AEPD)

The General Data Protection Regulation in 12 questions

The General Data Protection Regulation entered into force on 25 May 2016. The AEPD has drafted this document in a simplified question-and-answer format in order to make the new regulatory framework easier for citizens to understand, and to help organisations adapt to the changes it introduces and fulfil their obligations.

1. Does the entry into force of the Regulation mean that the Spanish Organic Law on Data Protection no longer applies?

No. The Regulation entered into force on 25 May 2016, but it will not apply until two years later, on 25 May 2018. Until then, both Directive 95/46 and the national rules that transposed it, including the Spanish Organic Law on Data Protection (LOPD), remain fully valid and applicable.

2. What, then, does it mean that the Regulation has entered into force?

The two-year period before the Regulation applies is intended to allow the Member States of the European Union, the European institutions and also the organisations that process data to prepare and adapt for the moment when the Regulation becomes applicable.

During those two years, for example, Member States may adopt, or begin drafting, certain rules needed to ensure or facilitate the application of the Regulation. Those rules may not contradict the provisions of the current Directive, nor go beyond the regulatory powers that the Regulation itself grants explicitly or implicitly.

3. Which companies or organisations does it apply to?

The Regulation applies, as before, to controllers and processors established in the European Union, and it extends to controllers and processors not established in the EU whenever they carry out processing connected with an offer of goods or services to citizens of the Union or with the monitoring of their behaviour.

For this extension of scope to be effective, these organisations must appoint a representative in the European Union, who will act as a contact point for the supervisory authorities and for citizens and who, where necessary, may be the addressee of the supervisory actions those authorities carry out. The contact details of that representative in the Union must be provided to data subjects as part of the information about the processing of their personal data.

4. What does the extension of the Regulation's territorial scope mean for citizens?

This development provides additional guarantees to European citizens. Today, a physical presence in a territory is not needed in order to process data, so the Regulation aims to adapt the criteria for determining which companies must comply with it to the world of the internet.

This allows the Regulation to apply to companies which, until now, could process data on persons in the Union while being governed by the rules of other regions or countries that do not always offer the same level of protection as European legislation.

5. What new tools do citizens have to control their data?

The Regulation introduces new elements, such as the right to be forgotten and the right to data portability, which improve citizens' capacity to decide on and control the personal data they entrust to third parties.

The right to be forgotten is presented as the consequence of the right of citizens to request and obtain from controllers the erasure of their personal data when, among other things, the data are no longer necessary for the purpose for which they were collected, when consent has been withdrawn or when the data have been collected unlawfully. Furthermore, according to the judgment of the Court of Justice of the European Union of 13 May 2014, which first recognised the right to be forgotten now adopted in the European Regulation, the data subject can request that search engines block, in their lists of results, the links leading to information about them that is obsolete, incomplete, false or irrelevant and not in the public interest, among other reasons.

For its part, the right to portability means that a data subject who has provided their data to a controller that processes them by automated means may ask to recover those data in a format that allows their transfer to another controller. Where technically feasible, the controller shall transmit the data directly to the new controller designated by the data subject.

6. From what age may minors give their consent to the processing of their personal data?

The Regulation provides that the age at which minors may give their own consent to the processing of their personal data in the context of information society services (for example, social networks) is 16 years. However, it allows each Member State to set its own age, with a lower limit of 13 years. In the case of Spain, this threshold remains at 14 years. Below that age, the consent of parents or guardians is required.

Companies that collect personal data should remember that consent must be verifiable and that the privacy notice must be written in language that children can understand.

7. What does the Regulation mean by active responsibility?

One of the essential aspects of the Regulation is that it is based on prevention by the organisations that process data. This is what is known as active responsibility. Companies must take reasonable measures to ensure that they are in a position to comply with the principles, rights and guarantees that the Regulation establishes. The Regulation takes the view that acting only once an infringement has already occurred is inadequate as a strategy, since such a breach can cause harm to data subjects that may be very difficult to compensate or repair. To this end, the Regulation provides a whole battery of measures:

- Data protection by design

- Data protection by default

- Security measures

- Keeping a record of processing activities

- Carrying out data protection impact assessments

- Appointment of a data protection officer

- Notification of personal data breaches

- Promotion of codes of conduct and certification schemes.

8. So does this mean a greater burden of obligations for companies?

The Regulation represents a greater commitment by organisations, public or private, to data protection. But this does not necessarily, or in all cases, mean a greater burden. In many cases it will simply be a different way of managing data protection from the one in use until now.

Firstly, some measures introduced by the Regulation continue or replace existing ones, as is the case of the security measures or the documentation obligation and, to some extent, the impact assessment and the consultation of supervisory authorities.

Others formalise in legislation practices that are already widespread in companies or that, in any event, would form part of properly setting up a data processing operation, such as privacy by design and by default, the data protection impact assessment in certain cases or the existence of a data protection officer.

In all cases, the Regulation provides that the obligation to adopt these measures, or the way in which they are implemented, will depend on factors such as the type of processing, the cost of implementing the measures or the risk that the processing poses to the rights and freedoms of data subjects.

It is therefore necessary that all organisations that process data carry out a risk analysis of their processing operations in order to determine which measures apply and how. These analyses may be very simple in entities that carry out only a few simple processing operations not involving, for example, sensitive data, or more complex in those that carry out many processing operations affecting a large number of data subjects or that by their nature require careful assessment of their risks.

The European data protection authorities collectively, and the Spanish Agency individually, are already working on developing tools to facilitate the identification and assessment of risks and on recommendations for implementing measures, particularly in relation to SMEs that carry out the data processing operations most common in business management.

9. Does the way in which consent must be obtained change?

One of the fundamental bases for processing personal data is consent. The Regulation requires that consent be, in general, free, informed, specific and unambiguous. For consent to be considered "unambiguous", the Regulation requires a statement by the data subject or a clear affirmative action indicating their agreement. Consent cannot be inferred from the silence or inaction of citizens.

Companies should review the way in which they obtain and record consent. Practices that fall under so-called tacit consent and are accepted under the current rules will no longer be acceptable once the Regulation applies.

In addition, the Regulation provides that consent must be "explicit" in some cases, such as to authorise the processing of sensitive data. This is a stricter requirement, because consent cannot be understood as implicitly granted through some kind of affirmative action. Rather, the statement or action must refer specifically to the consent and to the processing in question.

It must be borne in mind that consent must be verifiable and that those who collect personal data must be able to show that the data subject gave them their consent. It is therefore important to review the systems for recording consent so that it can be verified in the event of an audit.

10. Should companies review their privacy notices?

In general, yes. The Regulation provides that the information given to data subjects must include a number of matters that, under the Directive and many national transposing laws, were not necessarily mandatory. For example, it will be necessary to explain the legal basis for the processing, the retention periods and the fact that data subjects can take their complaints to the data protection authorities if they believe there is a problem with the way their data are being handled. It is important to remember that the Regulation requires that the information provided be easy to understand and presented in clear and concise language.

11. What is the "one-stop shop" system?

This system is designed to ensure that controllers established in several Member States, or established in a single Member State but carrying out processing that significantly affects citizens in several EU Member States, have a single data protection authority as their interlocutor. It also means that each data protection authority, on receiving a complaint or a request to authorise processing that is purely national, will, from the time the Regulation applies, assess whether the matter has a cross-border character, in which case a cooperation procedure will have to be opened among all the authorities concerned in search of a solution acceptable to all of them. In the event of irreconcilable differences, the case may be escalated to the European Data Protection Board, a Union body made up of the heads of all the data protection authorities of the Union. That Board will resolve the dispute through decisions binding on the authorities concerned.

This new system does not mean that citizens have to deal with several authorities, or with authorities other than those of the State where they live. They can always submit their claims or complaints to their own national authority (in the case of Spain, the Spanish Data Protection Agency). The case will be handled by that authority, which will also be responsible for informing the data subject of the final outcome of their claim or complaint.

In any case, the one-stop shop does not affect companies that are established in only one Member State and carry out processing that affects only data subjects in that State.

12. Should businesses start implementing the measures provided for in the Regulation now?

No. The Regulation is in force, but it will not apply until 2018.

However, it may be useful for organisations that process data to begin now to assess the implementation of some of the measures envisaged, provided that those measures do not contradict the provisions of the LOPD, which remains the standard that data processing operations in Spain must comply with.

For example, organisations should bear in mind that from May 2018 they will have to carry out risk analyses of their processing operations, and it could be useful for them to identify the types of processing they perform, the degree of complexity of the analysis to be carried out, etc. In this task they could use the tools and resources that the data protection authorities will develop progressively.

Similarly, nothing prevents organisations from beginning to plan or set up the record of processing activities, or from introducing impact assessments or any other required measures.

Likewise, organisations could start to develop and implement procedures for adequately notifying the data protection authorities concerned of security breaches.

In general, organisations that process personal data should begin to prepare for the implementation of these measures, as well as for the other changes in practice that the Regulation calls for. For example, the Regulation requires controllers to facilitate the exercise of their rights by data subjects. What "facilitate" means may vary from case to case, but in every case it includes some form of positive action by controllers to make the means of exercising those rights more accessible and simpler.

The advantage of early implementation is that it would help detect difficulties, shortcomings or errors at a stage when these measures are not yet mandatory and, consequently, their correctness or effectiveness would not be subject to supervision. This would allow errors to be corrected before the Regulation applies.