GDPR: keys to the European data protection regulation 2018


 

What is GDPR or RGPD?

It is the new European-level regulation governing how companies and public authorities or bodies process citizens' personal data, as well as the free movement of that data. It is a regulation and replaces the old Directive of 1995, a year in which "social networks" and "big data" were still very distant concepts. It is directly applicable in the national legislation of the Member States: national laws (in Spain, the LOPD and its implementing regulation) will have to adapt, incorporating certain things and developing others that the regulation only outlines in a general way.

 

What are the key points?
– Consent. In order to hold and process a person's data, their express (not tacit) consent must be obtained. It must be free and unambiguous, but also informed and individual, and it must be possible to prove that it was obtained. This means that at the moment of collecting the data, it is necessary to explain to the citizen in a clear and simple way what the data will be used for, for how long and who will be responsible for the processing, among other things. In addition, the person must say "yes" in an active and express way; otherwise the consent will not be valid. If the data will be used for several purposes, separate consents must be requested. There are exceptions: no consent is required if there is a legal obligation, a vital or public interest, a contract, or if the company or public authority claims a "legitimate interest", which it will have to justify.

– Right to be forgotten. Another novelty. This is the right of suppression, which until now was only reflected in court rulings (many related to removing news from Google), but not in a law. A person may ask a company or a public authority to remove the personal data it holds about them if the data are no longer necessary; if the person has decided to withdraw their consent or objects to further use of the data; if the data have been used illegally, etc. This, of course, can clash with the right to information, the public interest or the law, and the two will have to be weighed against each other.

– Portability and Limitation. Two other important rights for citizens, in addition to those of access, rectification, cancellation and opposition (ARCO), which were already contemplated in the legislation. Portability allows a person to request, receive and directly transfer their automated data from one entity to another. Limitation is a kind of temporary suspension of the processing of the data in order to make checks, demonstrate a legitimate interest, resolve a claim, etc.

– DPO. The regulation introduces the figure of the Delegate for Data Protection. It is mandatory for public bodies, but not for all companies: only for those that process data on a large scale or process very sensitive data. If, in addition, the company has fewer than 250 workers, it will not have to keep a record. In any case, if they are going to process personal data, all entities have to think about the GDPR even before starting the work: they are required to be proactive.

– Minors. In the case of "information society services" (on the Internet, for example), children under 16 years of age cannot consent to the processing of their personal data: their parents or guardians must do so. In any case, countries can lower the age, if they want, to as low as 13 years. In Spain it is 14.
