General Data Protection Regulation
The GDPR provides protection to natural persons, regardless of their nationality or place of residence, in relation to the processing of their personal data. Are you really complying with it?
What is the GDPR?
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, better known as the GDPR, is the regulatory framework for data protection in the European Union. It has been directly applicable in all EU Member States since May 25, 2018, and it requires organizations in both the public and private sectors to adopt organizational and technical measures to achieve compliance.
Unlike the previous Directive 95/46/EC, the GDPR does not need to be transposed into national (in this case, Spanish) law. However, it does allow Member States to incorporate certain of its provisions into national law, insofar as this is necessary for reasons of consistency and comprehensibility for its addressees.
For this reason, Spain passed Organic Law 3/2018, of December 5, on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD), which replaced almost all of Organic Law 15/1999, of December 13, on Personal Data Protection (a few provisions of which remain in force).
What does the GDPR regulate?
The GDPR is a revision of the legal bases of the European data protection model, going well beyond a mere update of the previous rules. It provides protection to natural persons, regardless of their nationality or place of residence, in relation to the processing of their personal data.
The GDPR does not regulate the processing of personal data relating to legal entities and in particular to companies incorporated as legal entities.
The GDPR reinforces legal certainty and transparency while ensuring a uniform and high level of protection for individuals. This means that, throughout the EU, the rules protecting the fundamental rights and freedoms of natural persons in relation to the processing of their personal data must be applied consistently and homogeneously.
Effective protection of personal data requires that the rights of natural persons, and the obligations of those who process personal data or determine how it is processed, be strengthened and specified. It also requires that supervisory authorities in every Member State be given equivalent powers to monitor and enforce compliance with the data protection rules, and that infringements be subject to equivalent penalties.
Who must comply with these regulations?
The obligations imposed by the GDPR must be complied with by controllers (the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data) and/or processors (the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller) in any of the following circumstances:
- Processing of personal data in the context of the activities of a controller or processor established in the EU, regardless of whether the processing itself takes place in the EU or not.
- Processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to offering goods or services to those data subjects in the EU (whether or not payment is required), or to monitoring their behaviour, insofar as that behaviour takes place within the EU.
- Processing of personal data by a controller that is not established in the EU, but in a place where the law of a Member State applies by virtue of public international law.
What are the consequences of not complying with the Regulation?
Any controller involved in processing personal data is liable for the damage caused where that processing infringes the GDPR.
A processor is liable for damage caused by the processing only where it has not complied with the obligations of the GDPR specifically addressed to processors, or where it has acted outside of, or contrary to, the lawful instructions of the controller.
The GDPR also gives every data subject the right to lodge a complaint with a supervisory authority (in the case of Spain, the Spanish Data Protection Agency, AEPD), in particular in the Member State of their habitual residence, place of work or place of the alleged infringement, if they consider that the processing of personal data concerning them infringes the GDPR.
The consequence of failing to comply with the GDPR is the opening of sanctioning proceedings by the supervisory authority, which may result in the imposition of administrative fines (private sector) or of warnings and corrective measures (public sector).
In addition, any person who has suffered material or non-material damage as a result of an infringement of the GDPR is entitled to receive compensation from the controller or processor for the damage suffered.
Make sure your organization complies with the General Data Protection Regulation (GDPR).
Contact our specialist
How to comply with the GDPR?
Our proposed solution for regulatory compliance with both the GDPR and the LOPDGDD allows your organization to adapt to, and implement, the requirements of these regulations.
This solution is based on planning a roadmap that sets out the services and actions to be carried out in order to ensure compliance.
Data protection by design and by default is taken into account at all times, in order to meet the requirements defined in the GDPR, to respect the rights of data subjects from the earliest stages of processing, and to establish the technical and organizational measures needed to guarantee the rights of the persons concerned.
In addition to ensuring lawfulness, purpose limitation, data minimization, accuracy and storage limitation, special consideration is given to any processing of personal data which, because of its nature, deserves particular protection in relation to fundamental rights and freedoms (special categories of data), and which, because of the context of the processing, may entail a high risk to the rights and freedoms of individuals.
The analysis of the level of security of the personal data being processed is based on the risks arising from the processing, such as the accidental or unlawful destruction, loss or alteration of personal data that is transmitted, stored or otherwise processed, or the unauthorized disclosure of, or access to, such data, which may in particular result in physical, material or non-material damage.
Accordingly, control mechanisms are established to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, to restore availability of and access to personal data in a timely manner in the event of a physical or technical incident, and to enable the pseudonymization and encryption of personal data.
Benefits of complying with the Regulation
The benefits of complying with the GDPR stem from the principle of accountability (proactive responsibility), which allows the controller or processor to demonstrate that it effectively complies with the obligations established in the GDPR, and from the concept of data protection by design and by default, which ensures that appropriate technical and organizational measures are applied so that only the personal data necessary for each specific purpose of the processing is processed.
In addition, such compliance allows the controller or processor to obtain systematic, methodical and documented control of the level of risk assumed in each processing operation, to improve the overall management of its processes, and to build knowledge and a culture of data protection within the organization.
These benefits therefore provide:
- Establishment of a model of compliance with the GDPR and the LOPDGDD.
- Reduced exposure to penalties and compensation claims.
- Guarantee of compliance with the right to personal data protection.
Latest GDPR updates
The new requirements for obtaining consent imposed by the GDPR have affected certain matters such as the regulation of cookies, especially with regard to the validity of the "keep on browsing" option as a way for users to give consent, and the possibility of using so-called "cookie walls".
In the first case, notices such as "if you continue browsing the site, you accept the installation of cookies" do not under any circumstances constitute a valid form of consent, since continuing to browse can be difficult to distinguish from other user activities or interactions, and the consent therefore cannot be understood to be unambiguous.
For informed consent to be considered validly given, the user must perform an action that can be qualified as a clear affirmative action. Simply remaining on the page or scrolling is under no circumstances considered a clear affirmative action.
Penalties for non-compliance with the GDPR
In Spain, the complaints most frequently raised by citizens concern Internet services, improper inclusion in debtor (credit default) files, video surveillance, receipt of advertising (excluding spam) and debt collection.
The most frequent areas of sanctioning proceedings are video surveillance, Internet services, public administrations and telecommunications.
The sectors that received the most fines were financial institutions/creditors and telecommunications.
In 2020, we can highlight, among the fines imposed by the AEPD, the one imposed on the Professional Football League (250,000 euros), or Vodafone (120,000 euros).
However, at the beginning of 2021 the amount of the fines imposed increased significantly. Between the end of December 2020 and the beginning of January 2021, two historic sanctions were imposed on two large Spanish banks: 5 million euros to BBVA first, and 6 million euros to CaixaBank shortly afterwards.
A new record came in March 2021: 8 million euros to Vodafone for infringing the GDPR.
The highest fine imposed to date for an infringement of the GDPR was the 50,000,000 euros imposed on Google in 2019 by the Commission Nationale de l'Informatique et des Libertés (CNIL), the French equivalent of the AEPD, which fined the well-known search engine for lack of transparency, breach of the duty to inform, and lack of valid consent for personalized advertising.
Learn how you can comply with the GDPR
Contact our specialists and they will advise you on what is best for your company.