New Regulation – General Data Protection Regulation (GDPR)

Date of publication 09/05/2018


The GDPR applies to you if:

  • Your company is established in the European Union and processes personal data as part of its activity, regardless of where the processing itself takes place; or

  • Your company is established outside the European Union and offers goods or services (whether paid or free) to individuals in the European Union, or monitors the behavior of individuals within the European Union.

In any case, the answers to the following questions may help determine whether your company processes personal data, as well as the scope of such processing:

  • What data are processed?

  • Whose data are being processed?

  • For what purpose are they processed?

  • By what means are they processed?

  • Who carries out this processing?

  • Where is the processing carried out?

The concept of “personal data” refers to any information relating to an identified or identifiable natural person, either directly or indirectly. Unlike the current Spanish Data Protection Act (LOPD), the GDPR includes within the very definition of personal data examples of what would be considered such data: a name, an identification number, location data, an online identifier, or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

The GDPR defines “processing” as any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

What’s new in the GDPR?
Among the most important changes are the following:

  • Proactive responsibility of the controller.
    The data controller must not only ensure compliance with the GDPR but must also be able to demonstrate such compliance.

  • Form of obtaining the data subject’s consent.
    While tacit consent has been accepted until now, the GDPR requires consent to be given through a clear affirmative act, and the controller must be able to prove that such consent was obtained.

  • RAT – Record of Processing Activities.
    The obligation to register files with the supervisory authority disappears and is replaced by the obligation to keep a written Record of Processing Activities (RAT).
    The RAT specifies, among other things, which processing operations are carried out, so it must be completed accurately and kept up to date: any processing not identified in the RAT is, for compliance purposes, undocumented processing. Files previously registered in the General Data Protection Register can serve as a starting point for building the RAT.
    Although the GDPR exempts some organizations from keeping a RAT (in principle those with fewer than 250 employees), the exemption does not apply where the processing is likely to result in a risk to data subjects, is not occasional, or involves special categories of data, so in practice very few organizations will be exempt.

  • Rights of the data subject.
    New rights include the right to erasure (“right to be forgotten”), the right to restriction of processing, the right to data portability, and the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects, including the right to obtain human intervention.
    Procedures for receiving requests, verifying the identity of the requester, and responding within the one-month deadline must be reviewed and adapted to the new legal framework.

  • Risk analysis for security measures.
    Under the previous system, files were classified as low, medium, or high level and the applicable security measures followed from that classification. The GDPR replaces this with a risk analysis: the controller and processor must assess the risks of each processing operation and adopt technical and organizational measures appropriate to that risk, and be able to demonstrate why those measures were chosen.

  • Data Protection Impact Assessments (DPIA).
    “In order to enhance compliance with this Regulation in cases where processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for carrying out a data protection impact assessment, which should evaluate, in particular, the origin, nature, particularity, and severity of that risk (…).” (Recital 84 GDPR).
    The DPIA is required where processing involves high risks to individuals’ rights and freedoms and must be carried out before such processing begins.
    The GDPR specifies the following as high-risk processing requiring a DPIA:

    • Systematic and extensive evaluation of personal aspects of natural persons based on automated processing, including profiling, and on which decisions producing legal effects concerning individuals are made or which significantly affect them.

    • Large-scale processing of special categories of personal data or personal data relating to criminal convictions and offenses.

    • Systematic large-scale monitoring of a publicly accessible area.
      In addition to the above, each national supervisory authority (in Spain, the Spanish Data Protection Agency) may establish other types of processing that require a DPIA.

  • Notification of security breaches.
    In the event of a personal data breach, the controller must notify the Spanish Data Protection Agency without undue delay and, where feasible, no later than 72 hours after becoming aware of it; if notification is made later than 72 hours, it must be accompanied by the reasons for the delay. Where the breach is likely to result in a high risk to the rights and freedoms of the affected data subjects, they must also be informed without undue delay.
    Notification to the supervisory authority is not required if the controller can demonstrate that the breach is unlikely to result in a risk to data subjects’ rights and freedoms. In any case, the controller must document every personal data breach (the facts, its effects, and the remedial action taken), whether or not it was notified. Establishing an internal procedure for detecting, assessing, documenting, and reporting security breaches is therefore essential to meet the GDPR’s deadlines.

  • Appointment of a Data Protection Officer (DPO).
    The GDPR introduces the role of the DPO, who must have expert knowledge of data protection law and practice, and whose functions include informing and advising the controller, processor, and staff of their obligations under the GDPR and other applicable national provisions (such as the new Spanish LOPD), as well as monitoring compliance and acting as the point of contact for the supervisory authority.
    The controller and processor must appoint a DPO in the following cases:

    • Where processing is carried out by a public authority or body, except for courts acting in their judicial capacity.

    • Where the core activities of the controller or processor consist of processing operations which, by their nature, scope, or purposes, require regular and systematic monitoring of data subjects on a large scale.

    • Where the core activities of the controller or processor consist of large-scale processing of special categories of data or personal data relating to criminal convictions and offenses.

    • In other cases established by Member State law or required under EU law.

    • By voluntary designation by the controller and/or processor.
      It will therefore be necessary to assess whether appointing a DPO is mandatory, exempt, or advisable even when not required.
      The DPO does not necessarily need to be an employee of the controller but may be an external service provider, including a legal entity offering DPO services.

Unlike the LOPD, the GDPR does not categorize sanctions as minor, serious, or very serious, nor does it set minimum fines, but instead establishes maximums. The new Spanish LOPD will adapt GDPR provisions on infringements and sanctions to the Spanish legal framework.

For clarity, here is a comparison of sanction amounts under the LOPD and the GDPR:

LOPD (Article 45):

  • Minor infringement: €900 – €40,000

  • Serious infringement: €40,001 – €300,000

  • Very serious infringement: €300,001 – €600,000

GDPR (Article 83). While administrative fines are imposed according to the circumstances of each case, the GDPR establishes two maximum tiers, applicable according to the type of infringement:

  • Fine of up to €10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

  • Fine of up to €20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Grupo Gestiona-t