What is GDPR or RGPD?
It is the new European-level rule that regulates how companies and public authorities or bodies process citizens' personal data, as well as the free movement of that data. It is a regulation and replaces the old Directive of 1995, a year in which “social networks” and “big data” were still very distant concepts. It is directly applicable in the national legislation of the Member States: national laws (in Spain, the LOPD and its implementing regulation) will have to adapt, incorporating certain provisions and developing others that the regulation outlines only in general terms.
What are the key points?
– Right to be forgotten. Another novelty. This is the right to erasure, which until now was reflected only in court rulings (many related to removing news from Google), but not in a law. A person may ask a company or a public authority to delete the personal data it holds about them if the data are no longer necessary; if the person has decided to withdraw consent or objects to further use; if the data have been used unlawfully, etc. This can, of course, clash with the right to information, the public interest or the law, and will have to be weighed.
– Portability and Limitation. Two other important rights for citizens, in addition to those of access, rectification, cancellation and opposition (ARCO), which were already contemplated in the legislation. Portability allows a person to request, receive and directly transfer their automated data from one entity to another. Limitation is a kind of temporary suspension of the processing of the data in order to carry out checks, demonstrate a legitimate interest, resolve a claim, etc.
– DPO. The regulation introduces the figure of the Data Protection Officer. It is mandatory for public bodies, but not for all companies, only for those that deal with large-scale data or very sensitive data. If, in addition, the company has fewer than 250 workers, it will not have to keep a record. In any case, all entities that are going to process personal data have to take the GDPR into account even before starting the work: they are required to be proactive.
– Minors. Children under 16 years of age, in the case of “information society services” (on the Internet, for example), cannot consent to the processing of their personal data: their parents or guardians must do so. In any case, countries can lower the age, if they want, down to 13 years. In Spain it is 14.