What are the main developments of the General Data Protection Regulation (GDPR)?
- 1. Scope
- 2. Principles
- 3. New special categories of data
- 4. Consent
- 5. Child’s consent
- 6. Right to information
- 7. Rights of the data subjects
- 8. Registration and notification of files
- 9. Documentation of the processing operations: records of processing activities
- 10. Data processing contract
- 11. Data protection impact assessments
- 12. Prior consultation
- 13. Data protection by design and by default
- 14. Codes of conduct
- 15. Certification mechanisms
- 16. Data protection officer
- 17. International transfers
- 18. Security measures
- 19. Notification of personal data breaches
- 20. One-stop-shop
The Regulation extends the territorial scope to controllers and processors not established in the European Union when the processing activities are related to offering goods or services or monitoring the behaviour of data subjects who are in the European Union.
The GDPR contains many concepts, principles and mechanisms similar to those established by Directive 95/46 and the national laws that apply it. Consequently, the organisations that now adequately meet the requirements of the Spanish Law on the Protection of Personal Data (LOPD) have a good basis from which to evolve towards proper application of the new Regulation.
Nonetheless, the GDPR modifies certain aspects of the current system and includes new obligations that organisations will need to analyse and apply in accordance with their own circumstances.
The most significant innovation of the GDPR for data controllers is made up of two general elements:
- The “accountability principle”
The GDPR describes this principle as the need for the controller to apply the appropriate technical and organisational measures necessary to ensure, and be able to demonstrate, that processing activities comply with the Regulation.
In practical terms, this principle requires organisations to analyse which data they process, the purposes for which they do so and which types of processing operations they carry out. On the basis of this knowledge they should explicitly decide how they will apply the measures established in the GDPR. They should also ensure that these measures are adequate to comply with the Regulation and should be able to demonstrate such compliance to the data subject and the supervisory authorities.
In short, this principle requires organisations to adopt a conscious, diligent and proactive attitude towards all the processing of personal data that they undertake.
- The “impact assessment”
The GDPR points out that the measures aimed at ensuring compliance must take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.
In line with this approach, some of the measures the GDPR establishes need only be applied when there is a high risk to these rights and freedoms, while others should be adopted according to the level and type of risk the processing presents.
Consequently, each organisation must adapt its application of the measures envisaged by the GDPR to its specific characteristics. What is suitable for one enterprise which handles the data of millions of data subjects in complex processing operations that involve sensitive personal information or significant volumes of data pertaining to each data subject may be not be necessary for a small undertaking that carries out a limited amount of processing of non-sensitive data.
These two elements apply to all the obligations that must be met by organisations.
3. New special categories of data
Besides the data with special protection currently provided for in the LOPD, which are now known as “special categories of personal data”, the Regulation includes two new special categories:
- Genetic data: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
- Biometric data: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person (facial images or dactyloscopic data, etc.).
The GDPR requires the data subject to give consent by means of an unambiguous statement or a clear affirmative action. For the purposes of the new Regulation, pre-ticked boxes, tacit consent (silence) or inactivity do not constitute valid consent.
- What will happen to processing carried out on the basis of tacit consent?
Such forms of consent are not compatible with the GDPR, as they are based upon inaction of the data subject. The GDPR also stipulates that processing operations supported by this type of consent and initiated prior to application of the Regulation will continue to be legitimate provided the consent has been given in the way established in the GDPR, in other words, by means of an affirmative act or action.
Consequently, controllers carrying out processing operations based on tacit consent will have to avoid obtaining this type of consent and revise such processing to ensure that, as from May 2018, they have adapted to the provisions of the GDPR. This adaptation may be achieved by obtaining consent in accordance with that established in the GDPR or by evaluating whether the affected processing operations can be based on other legal grounds, such as and among others, where the legitimate interest of the controller or of the transferee of the data overrides the rights of the data subject. In any case, if the latter option is deemed possible, the data subject must be informed so that he or she can exercise the rights specifically applicable to the new legal basis chosen, such as the right to object.
- In what situations must consent be explicit?
The GDPR establishes some situations in which consent must be explicit. This additional safeguard affects the following cases:
- Processing of special categories of personal data
- Automated decision-making
- International transfers
5. Child’s consent
In the area of information society services, consent given by children is only valid if the child is over 16. However, EU Member States may reduce this age limit to 13 years.
Furthermore, the language used to inform children must be clear and plain.
- What other references to children does the GDPR contain?
The GDPR refers to the processing of the personal data of a child in various sections. For example, in the following cases:
- In regulating the legitimate interests of the controller as the legal basis for processing; the Regulation points out however that this does not apply where such interests are overridden by the interests or fundamental rights and freedoms of the data subjects that require protection of personal data, in particular where the data subject is a child.
- Where it indicates that when the data subjects are children, information provided in relation to the processing or to the exercise of rights must be especially concise, transparent, intelligible and easily accessible, using clear and plain language.
- In the context of the right to erasure of personal data.
- In establishing that educational and awareness-raising activities addressed to children should be among the priorities of data protection authorities.
- In the context of the explanations offered by the recitals of the GDPR, in reference to the creation of profiles.
6. Right to information
The new Regulation establishes the right of data subjects to obtain information and extends the issues about which they should be informed, with the following aspects: the contact details of the data protection officer; the legal basis for the processing; where applicable, the legitimate interests pursued by the controller and on which the processing is based; where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the basis for doing so; the period for which the personal data will be stored; the right to request data portability; the right to withdraw consent at any time; whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract; the right to lodge a complaint with a supervisory authority; the existence of automated decision-making, including the logic involved, and the envisaged consequences of such processing for the data subject.
- How should the information be provided to data subjects?
The GDPR stipulates that information provided to data subjects, both with respect to the conditions governing the processing operations that affect them and responses to the exercise of rights, should be concise, transparent, intelligible and easily accessible, using clear and plain language. In this aspect it goes further than the provisions in the LOPD, which only require information to be given explicitly, precisely and unequivocally.
These requirements mean that especially convoluted descriptions and those which include references to legal texts should be avoided. Information clauses should explain the content to which they refer immediately in a manner which is clear and accessible by the data subjects, irrespective of the knowledge they may have of the subject.
The importance the GDPR attaches to the clarity and accessibility of information is reflected in the fact that it provides for information to be offered in combination with standardised icons in order to give a meaningful overview of the intended processing. The design of these icons must be carried out by the European Commission, which is now working on the presentation of a proposal.
The GDPR stipulates that information should be provided in writing, or by other means, including, where appropriate, electronically.
The Catalan Data Protection Authority, the Spanish Data Protection Agency and the Basque Data Protection Agency are preparing a standard information clause to be used by the public administrations. Guidelines for private organisations will also be presented during the transition period.
7. Rights of the data subjects
The GDPR incorporates the right to be forgotten as a right linked to the right to erasure, to restriction of processing and to data portability:
Data subjects have the right to obtain the erasure of personal data (right to be forgotten), when:
- the personal data are no longer necessary in relation to the purposes for which they were collected;
- the data subject withdraws the consent on which the processing was based;
- the data subject objects to the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation;
- the personal data have been collected in relation to the offer of information society services addressed to children.
Where the controller has made the personal data public and is obliged to erase them, that controller must take reasonable steps to inform those processing the personal data that the data subject has requested the erasure.
Exceptions to the exercise of this right are provided to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- for the establishment, exercise or defence of legal claims;
- for exercising the right to restriction of processing.
Restriction of processing is present in the GDPR as a right of data subjects. It should not be confused with the blocking of data that currently exists in Spanish legislation, and its inclusion as a new right does not in itself mean that the concept of data blocking disappears.
Restriction of processing means that, at the request of the data subject, the processing operations that would in each case correspond will not be applied. Restriction may be requested when:
- The data subject has exercised the rights of rectification or objection and while the controller determines whether the request should be granted.
- The processing is unlawful, which would mean the personal data would be erased, but the data subject opposes such erasure.
- The personal data are no longer necessary for the purposes of the processing, which would result in their erasure, but restriction is requested by the data subject because they are required for the establishment, exercise or defence of legal claims.
The same terms and procedures are applied to this right as are applied to all other rights provided in the GDPR.
Where the processing has been restricted, the controller may only process the affected data, with the exception of storage, in the following cases:
- with the data subject's consent;
- for the establishment, exercise or defence of legal claims;
- for the protection of the rights of another natural or legal person;
- or for reasons of important public interest of the Union or of the corresponding Member State.
One consequence of this regulation is that it prevents a practice which is occasionally followed and which consists in erasing the personal data when other rights are exercised, such as that of access, since such erasure would impede exercise of the right to restriction of processing.
- Right to data portability:
The right to data portability is an advanced form of the right of access, by which the data subject has the right to receive the personal data he or she has provided to a controller concerning him or her in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller, if the following requirements are met:
- the processing is based on consent or on a contract;
- the processing is carried out by automated means;
- the data subject makes the request with respect to data he or she has provided to the controller, including data deriving from the data subject’s own activity. It is thus not applicable to the data of third parties that a data subject has provided to a controller. Nor will it apply if the data subject requests the portability of data that concern him or her, but have been provided to the controller by third parties.
Where technically feasible, the data subject should have the right to have the personal data transmitted directly from one controller to another.
The European Group of Data Protection Authorities (Article 29 Data Protection Working Party) has adopted an Opinion in which this right is analysed in detail, and which may be consulted here.
What is the procedure for exercising the rights contained in the new Regulation?
In general, the GDPR requires controllers to facilitate data subjects’ exercise of their rights. This mandate means that the procedures and mechanisms of such exercise must be visible, accessible and easy to understand. The GDPR does not establish a specific way of exercising rights, but requires controllers to enable requests to be presented by electronic means, especially when the processing is being carried out by these means.
This obligation requires procedures to be put in place that easily allow data subjects to demonstrate that they have exercised their rights by electronic means, something which on many occasions is currently unfeasible.
The GDPR also provides that the exercise of rights should be free of charge for the data subject. This criterion may not apply in cases in which requests are made that are manifestly unfounded or excessive, in particular because of their repetitive character; in these cases, the controller may charge a reasonable fee based on the administrative costs, or refuse to act on the request. It falls upon the controller to demonstrate the unfounded or excessive character of the request. In any case, the fee may not represent additional income for the controller, but should correspond to the true cost of processing the request.
The controller must provide the data subject with information on action taken on a request within one month of its receipt. That period may be extended by two further months where necessary, taking into account the complexity and number of requests. The controller should inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the controller decides not to take action on the data subject’s request, that controller should inform the data subject of the reasons for not doing so within one month of receipt of the request.
The GDPR establishes that the controller should use all reasonable measures to verify the identity of a data subject who requests access and, in general, of all data subjects that exercise other ARCO rights.
Where a controller processes a large quantity of information concerning the data subject, that controller may request the data subject to specify the information or processing activities to which the request relates.
The controller may be able to count on cooperation from the processors to manage the exercise of data subjects’ rights. This cooperation may be included in the contract commissioning the data processing.
8. Registration and notification of files
The GDPR abolishes, as from 25 May 2018, the need to formally create files and enter them in the General Data Protection Register of the supervisory authorities.
9. Documentation of the processing operations: records of processing activities
The GDPR establishes new obligations with respect to the controllers and processors maintaining records of processing activities. The obligations referred to in paragraphs 1 and 2 of Article 30 shall not apply to the controllers and processors of an enterprise or an organisation employing fewer than 250 persons unless the processing being undertaken is likely to result in a high risk to the rights and freedoms of the data subjects, is not occasional, or includes special categories of personal data or personal data relating to criminal convictions and offences.
These controllers and processors should maintain records of the processing activities they carry out, and for each activity the records should contain the information established in Article 30 of the GDPR.
This information includes such matters as:
- the name and contact details of the controller and, where applicable, the joint controller, and the data protection officer, where applicable;
- the purpose of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- international transfers of personal data;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures.
How should records of processing operations be organised?
One possible way of organising these records of processing activities is based on the files that are currently the subject of compulsory notification by controllers to the Catalan Data Protection Register, and which could be used to detail all the processing operations being carried on every structured set of personal data.
The records could however also be organised around specific processing operations linked to a basic purpose common to all of them (for example, “customer management”, “accounts management” or “human resources management and payroll”), or in accordance with other criteria.
10. Data processing contract
The Regulation extends the minimum content of the processing contract. Among other aspects, the contract must include the following points in addition to those established in the LOPD: the purpose and duration of the proposed processing operation or operations; the nature of the processing; the type of personal data; the categories of data subjects; the obligations and rights of the data controller, and the provision that the persons authorised to process the personal data have committed themselves to confidentiality. The contract should also stipulate whether the processor will assist the controller in the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights; will delete or return all the personal data at the end of the processing; will make available to the controller all information necessary to demonstrate compliance with the obligations of the processor and to allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
- Specific obligations of the processors
Directive 95/46 and, in general, national transposition laws, focus on the activity of data controllers. However, the GDPR contains obligations specifically addressed to the processors. Ultimate responsibility for the processing continues to rest with the controller, which is the figure that determines the existence and purpose of the processing. But in certain matters established by the GDPR the processors have their own obligations which are not circumscribed by the scope of the contract linking them to the controller and which data protection authorities must supervise separately. For example, processors should maintain records of processing activities, determine the security measures applicable to the processing they undertake and designate a data protection officer in those cases where this is provided by the GDPR.
The GDPR also establishes that the processor may adhere to an approved code of conduct or an approved certification mechanism as provided in the Regulation.
The GDPR explicitly establishes that controllers should use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Regulation. This provision also applies to processors when they subcontract processing operations to other processors or sub-processors.
Though in the Spanish case the Regulation for the development of the Data Protection Law (LOPD) already establishes the need for due diligence in the selection of processors, the innovation with respect to this provision in the GDPR derives from its relationship with the accountability principle. According to this principle, the controller must adopt appropriate measures, including in the choice of processors, that will guarantee and make it possible to demonstrate that the processing is undertaken in accordance with the GDPR.
The fact that processors or sub-processors have adhered to a code of conduct or are certified with a scheme provided for in the GDPR may be used to demonstrate that they offer the sufficient guarantees required by the Regulation.
The Catalan Data Protection Authority, the Spanish Data Protection Agency and the Basque Data Protection Agency have prepared materials to help in drafting processing commissions, which may be consulted here. These materials are designed to help controllers and processors during the transition period until the GDPR’s entry into force. Subsequently and according to that envisaged in the Regulation, data protection authorities will be able to prepare standard contractual clauses which must be approved by the future European Data Protection Committee. The European Commission may also draw up such clauses.
- What about processing contracts entered into prior to application of the GDPR?
Processing contracts entered into prior to application of the GDPR in May 2018 should be adapted to respect the content of the Regulation. Though many of the obligations deriving from the system established in the GDPR are already contained in Spanish law, existing contracts will have to be modified to ensure their clauses reflect all the Regulation content, bearing in mind that generic referrals to the Article of the GDPR that regulates them will not be valid.
According to the second transitional provision of Royal Decree-Law 5/2018, of 27 July, on urgent measures for the adaptation of Spanish law to European regulations on data protection, the contracts and agreements for processing entered into prior to 25 May 2018 maintain their validity until their expiration date.
Indefinite contracts maintain their validity for four years, counting from 25 May 2018.
In any case, during the validity of the contract or agreement, any of the parties may ask for its modification to adapt it to that established in Article 28 of the GDPR.
11. Data protection impact assessments
Where a processing operation is likely to result in a high risk to the rights and freedoms of natural persons, due to the nature, context, scope and purposes of the processing and in particular if the use of new technologies is involved, the controller will be responsible for conducting a personal data protection impact assessment to evaluate the impact of the processing prior to its initiation.
- How is the need to conduct a data protection impact assessment determined and what must the assessment contain?
The GDPR contains a detailed list of the three situations in which processing operations are considered to be of high risk:
- profiling on which decisions are based that produce legal effects concerning the natural person or similarly significantly affects him or her;
- processing on a large scale of special categories of data;
- a systematic monitoring of a publicly accessible area on a large scale.
These criteria include the notion of “large scale”. The GDPR does not define what constitutes “large-scale”. In its guidelines on the designation of data protection officers (which will be referred to in subsequent sections), the Article 29 Working Party considers that the following must be taken into consideration to determine whether processing is carried out on a large scale:
- the number of data subjects concerned – either as a specific number or as a proportion of the relevant population;
- the volume of data and/or the range of different data items being processed;
- the duration, or permanence, of the data processing activity;
- the geographical extent of the processing activity.
Together with the aforementioned three situations, the GDPR obliges data protection authorities to establish additional lists of the kind of processing operations which are subject to the requirement for a data protection impact assessment.
The GDPR also provides that authorities may establish lists of the kind of processing operations for which no data protection impact assessment is required.
The existence of these lists does not exclude controllers from having to carry out the corresponding risk analysis and, if they conclude that there exists a high risk to the rights and freedoms of natural persons, conducting an impact assessment even if the processing operation in question is not included in either of the aforementioned lists. The basis of the GDPR is the accountability principle, which states that the controller is always ultimately responsible for deciding which measures must be applied and how to apply them. The interventions of supervisory authorities or provisions of the GDPR itself may help clarify or specify the dispositions, but do not substitute the responsibility and liability of the controller.
In addition to the lists expressly provided by the GDPR, during the transition period the Catalan Data Protection Authority, the Spanish Data Protection Agency and the Basque Data Protection Agency will publish resources to help controllers determine the need to conduct an impact assessment.
The GDPR establishes a minimum content of data protection impact assessments, though it fails to provide any methodology for carrying them out.
It should be borne in mind that a single assessment may be conducted to address a set of similar processing operations that present similar high risks.
Definition of the notion of “high risk” for the purposes of determining the obligation to carry out a Data Protection Impact Assessment (DPIA) and a description of the criteria that should be used to do so may be found in the Guidelines on Data Protection Impact Assessment (DPIA), adopted by the Article 29 Working Party on 4 April 2017, which may be found here.
- What will happen with processing operations initiated prior to 25 May 2018 for which according to the new Regulation a data protection impact assessment (DPIA) isrequired?
If these processing operations continue beyond 25 May 2018 and the risk analysis the organisation conducts on the processing initiated prior to the date of application of the GDPR indicates that they are likely to present a high risk to the rights and freedoms of natural persons, the Guidelines on Data Protection Impact Assessment (DPIA), adopted by the Article 29 Working Party also recommends a DPIA be carried out “for data processing [operations] which have taken place before May 2018 and were therefore not subject to a DPIA, to make sure that 3 years after this date or sooner, depending on the context, the risks for the rights and freedoms are still mitigated.”
12. Prior consultation
Where the data protection impact assessment (DPIA) indicates that the intended processing may infringe the GDPR, in particular where the controller has insufficiently identified or mitigated the risk, the controller must consult the competent data protection supervisory authority.
In cases where the DPIA identifies a high risk which, in the opinion of the controller, cannot be mitigated by appropriate measures in terms of available technology and costs of implementation, a consultation of the competent data protection authority should take place prior to the processing. This consultation must include the documentation stipulated by the GDPR, including the impact assessment.
The supervisory authority must provide written advice to the controller and, where applicable, to the processor, and may use any of its powers laid down in the Regulation, among them that of prohibiting the processing operation.
13. Data protection by design and by default
The Regulation introduces the principles of data protection by design and by default.
This means that the controller must, both when determining the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures designed to effectively implement data-protection principles (such as pseudonymisation) and to integrate the necessary safeguards into the processing in order to meet the requirements of the Regulation.
The controller must therefore implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
14. Codes of conduct
The GDPR also regulates codes of conduct that may be drawn up by associations or other bodies representing categories of data controllers or processors to facilitate the effective application of the Regulation.
The code of conduct must be submitted to the competent supervisory authority for approval, registration and publication. The supervisory authority will also accredit the certification body stipulated in the code.
The adherence and compliance of the processor to an approved code of conduct may be taken into account as an element to demonstrate compliance with the obligations of the controller, in particular when drawing up the data protection impact assessment.
15. Certification mechanisms
The Regulation also encourages the establishment of certification mechanisms and data protection seals and marks as a mechanism for demonstrating compliance with the GDPR.
16. Data protection officer
The Regulation introduces the concept of the data protection officer, who may be a member of staff of the controller or processor, or may fulfil the tasks on the basis of a service contract. A data protection officer must be designated in the following cases:
- where the processing is carried out by a public authority or body (except for courts acting in their judicial capacity). In this case, a single data protection officer may be designated for several such authorities or bodies;
- where the processing operations require regular and systematic monitoring of data subjects on a large scale;
- where the operations consist of processing special categories of data or personal data relating to criminal convictions and offences.
The data protection officer has at least the following tasks:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations under the Regulation and other data protection provisions;
- to monitor compliance with the different regulations;
- to provide advice as regards the data protection impact assessment;
- to cooperate with the supervisory authority;
- to act as the contact point for the supervisory authority on issues relating to processing.
The controller or the processor must publish the designation and contact details of the data protection officer and communicate them to the supervisory authority.
The position of Data Protection Officers in the organisation must fulfil the requirements expressly established in the GDPR. These requirements include their complete autonomy in the performance of their duties, the need for DPOs to report to the highest management level of the controller or the processor and the obligation for the controller and the processor to provide them with the resources necessary to carry out their tasks.
The Article 29 Working Party has published an Opinion on designation of the DPO, which may be consulted here and which includes FAQs on diverse aspects of this official.
- What requirements or qualifications must the data protection officer meet or hold?
The DPO should be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. This does not mean the DPO should hold any specific qualification. Bearing in mind that advising the controller or processor on all matters relating to data protection rules and regulations are included among the functions of the DPO, possession of legal knowledge in the subject is undoubtedly necessary; but the DPO should also have knowledge outside the strictly judicial field, such as in the area of technology applied to data processing or in relation to the activity of the organisation in which he or she works.
17. International transfers
The model of international or cross-border transfers designed by the GDPR follows the same criteria established in Directive 95/46 and national transposition laws. According to this model, personal data may only be disclosed outside the European Union in the following cases:
- To third countries, territories and specified sectors within a third country (the GDPR also includes international organisations) for which the Commission has decided that an adequate level of protection is ensured.
- When adequate safeguards have been offered about the protection the data will receive at their destination.
- When one of the exceptions is applied that allow data to be transferred without adequate safeguards for protection, for reasons of necessity linked to the interest of the data subject or the general interest.
From the point of view of controllers and processors that currently make international transfers or will make them in the framework of the GDPR, there are certain developments that should be taken into account:
- Adequacy decisions adopted by the Commission prior to application of the GDPR remain valid; consequently, until such time as the Commission replaces or repeals them, transfers may continue to be made based on these decisions.
- Decisions of the Commission that establish standard data protection clauses for contracts in which safeguards are offered for international transfers remain valid until such time as the Commission replaces or repeals them.
- Transfer authorisations by Member States or supervisory authorities based on contractual guarantees remain valid until such time as the authorities revoke them.
- Guarantees of the protection that the personal data will receive at their destination must be given by the data exporter, which may be either a data controller or a processor.
- The list of instruments that may be used to offer safeguards has been extended. It now includes, among others, corporate rules that are binding upon controllers and processors, codes of conduct and certification mechanisms, and standard data protection contractual clauses approved by a supervisory authority.
- In the cases of binding corporate rules, standard data protection contractual clauses, codes of conduct and certification mechanisms, the transfer does not require authorisation by the supervisory authorities.
- An exception has been added to the list established by Directive 95/46. It refers to the possibility that the controller may transfer data to a country without the adequate level of protection when such transfer is not repetitive, concerns only a limited number of data subjects and is necessary for the purposes of compelling legitimate interests pursued by the controller. In any case, the transfer is only possible if the aforementioned interests are not overridden by the interests or rights and freedoms of the data subjects, and the controller must inform the supervisory authority of the transfer.
18. Security measures
In contrast to the current law, the Regulation does not provide a list of the security measures to be applied according to the types of data which are being processed, but states that the controller and processor should apply adequate technical and organisational measures to ensure a level of security appropriate to the risk involved in the processing. This means an analysis must be made of the risk inherent in each processing operation, in order to determine the security measures to be implemented.
- How is risk analysis conducted?
From the point of view of information security, a risk analysis requires identification of the threats (unauthorised access to the personal data, for instance), assessment of the likelihood they will occur and of the impact this would have on the people affected.
The type of analysis varies according to:
- the type of processing;
- the nature of the data being processed;
- the number of data subjects affected;
- the quantity and variety of processing operations being conducted by one same organisation;
- the technologies being used.
As a general rule, in large organisations this analysis and determination of measures/controls to be implemented can be conducted using one of the existing risk analysis methodologies or standards: MAGERIT, ISO, etc. For controllers of processing operations of smaller dimensions and reduced complexity, the analysis can be the result of documented reflection on the implications of the processing for the rights and freedoms of the data subjects. This reflection should analyse the context in which the processing is taking place (means, premises, users, etc.) and answer the following questions.
- Are special categories of data being processed?
- Are the data of vulnerable groups being processed (children, for instance)?
- Are the data of a large number of people being processed??
- Does the processed data enable the creation of profiles?
- Could the disclosure, alteration or loss of the data entail serious consequences for the data subjects?
- Are the data being processed by equipment or in premises other than those of the controller?
- Do third parties who provide services on behalf of the controller have access to the data?
- Are highly privacy-invasive technologies being employed, such as those connected with geolocation, large-scale video surveillance or certain applications of the Internet of Things (IoT)?
There are many issues that can have a negative impact on people’s rights and freedoms if their data are no processed appropriately. Therefore, if a method is employed which is not standard, easily auditable and objectively verifiable it is extremely important to document in detail all matters taken into account when determining the risk level and the security measures to be applied. This will assist in compliance with the accountability principle.
Obviously the greater the number of affirmative answers to the above questions, the higher the risk that may arise from the processing.
Does this change of focus brought about by the GDPR mean that the measures an organisation applied in line with the RLOPD are no longer correct? No. They may be suitable, but a risk analysis should be performed to establish that the measures implemented are adequate, or whether there is some kind of shortcoming.
In any case, the specific measures to be applied should ensure:
- the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- the existence of a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
19. Notification of personal data breaches
If a personal data breach occurs the controller must notify the competent supervisory authority within 72 hours of having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller should communicate the breach in clear and plain language to the data subjects without undue delay, except when:
- the controller has implemented adequate protection measures, such as rendering the personal data unintelligible to any person who is not authorised to access it;
- the controller has taken subsequent measures which ensure that the high risk is no longer likely to materialise;
- it would involve disproportionate effort.
- What is the term for notification of a data breach to the supervisory authority?
In the case of a personal data breach, the controller must notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. This criterion may be open to various interpretations. In general, the controller is deemed to be aware of a data breach when that controller is certain it has occurred and knows enough about its nature and scope. The mere suspicion that something has failed or realisation that some kind of incident has taken place, without knowing the exact circumstances, should not give rise to notification since, in most cases, it is impossible in these conditions to ascertain to what extent there may be risk to the rights and freedoms of the data subjects.
Notwithstanding the above, in cases which may have significant impact due to their characteristics it may be recommendable to contact the supervisory authority as soon as evidence appears that an anomalous situation has occurred with respect to data security. These first contacts should however be completed with a formal, more comprehensive, notification within the term established in the Regulation.
Situations may exist in which notification within the first 72 hours is not possible because, for example, of the complexity in fully determining the scope of the breach. In such cases notification may be made at a later time, accompanied by an explanation of the reasons for the delay.
- What information should notification of a personal data breach to the supervisory authority contain?
The notification should contain the information established by the GDPR, which includes such elements as the nature of the personal data breach, the categories of data and data subjects concerned, the measures adopted by the controller to resolve the breach and, where applicable, the measures applied to mitigate the possible effects on the data subjects. When full information cannot be given at the time of the notification it may be provided in various stages.
The Article 29 Working Party will prepare a standardised notification form for use in the EU, both to help controllers present complete notifications in accordance with the GDPR criteria and to ensure such notifications are made in a uniform manner.
Irrespective of the notification to the supervisory authorities, controllers must document all personal data breaches. This is an obligation established by the GDPR and is very similar to the Incident Register provided by the Regulation implementing the LOPD.
- When is it probable that a security breach represents a high risk to the rights of the data subjects?
The criteria for high risk contained in the GDPR should be understood in the sense that the data breach is likely to cause serious damage to natural persons. This could occur, for example, if confidential information is disclosed such as passwords or participation in certain activities, if sensitive data are disclosed on a large scale or if financial damage may be caused to those concerned.
- What are the legal rules covering notification of a personal data breach to those concerned?
The aim of this notification is to enable data subjects to take measures to protect themselves from the consequences of the personal data breach. Thus the GDPR stipulates that they should be notified without undue delay and without reference either to when the controller became aware of the breach or to the possibility of making the notification within 72 hours. The intention is always that the data subject should be able to react as soon as possible.
For the same reasons, the GDPR adds that the content of the notification should include recommendations on the measures that data subjects can take to mitigate the consequences of the personal data breach.
This system enables people, including controllers established in different Member States or that carry out processing which affects different Member States, to have a sole data protection authority as their interlocutor.