Last April, approval was given to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the European Union [OJEU] 4.5.2016).
This new legislation which, for the first time, is being implemented through a European Regulation, entails significant changes in the protection of personal data, both as regards the rights of natural persons as well as in the obligations of the people and organisations that process such data.
This section provides information on the most relevant aspects of the content and entry into force of the new Regulation. It also contains a link to the Regulation text in English and Spanish, as well as an unofficial Catalan translation.
Scope
The Regulation extends the territorial scope to controllers and processors not established in the European Union when the processing activities are related to offering goods or services or monitoring people’s behaviour, in so far as their behaviour takes place within the European Union.
New special categories of personal data
Besides the data with special protection provided for in the LOPD, which are now known as “special categories of personal data”, the Regulation includes two new special categories of personal data:
▪ genetic data: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
▪ biometric data: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person (facial images or dactyloscopic data, etc.).
Consent
The GDPR requires the data subject to give consent by means of an unambiguous statement or a clear affirmative action. For the purposes of the new Regulation, pre-ticked boxes, tacit consent (silence) or inactivity do not constitute valid consent.
Child’s consent
In the area of information society services, consent given by children is only valid if the child is over 16. However, Member States may provide by law for a lower age for those purposes, as long as such lower age is not below 13 years. Furthermore, the language used to inform children must be clear and plain.
Right to information
The new Regulation establishes the right of data subjects to obtain information and extends the matters about which they must be informed, adding the following:
▪ the contact details of the data protection officer;
▪ the legal basis for the processing;
▪ where applicable, the legitimate interests pursued by the controller or by a third party;
▪ where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation, and the basis for doing so;
▪ the period for which the personal data will be stored;
▪ the right to data portability;
▪ the right to withdraw consent at any time;
▪ whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract;
▪ the right to lodge a complaint with a supervisory authority;
▪ the existence of automated decision-making, including the logic involved and the envisaged consequences of such processing for the data subject.
Rights of the data subjects
The GDPR incorporates the ‘right to be forgotten’ as a right linked to the right to erasure, and the right to data portability:
▪ data subjects have the right to obtain the erasure of personal data (‘right to be forgotten’), when:
- the personal data are no longer necessary in relation to the purposes for which they were collected;
- the data subject withdraws consent on which the processing was based;
- the data subject objects to the processing and there are no overriding legitimate grounds for it;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation;
- the personal data have been collected in relation to the offer of information society services addressed to children.
Where the controller has made the personal data public and is obliged to erase them, the controller must take reasonable steps to inform controllers which are processing the personal data that the data subject has requested the erasure.
Exceptions to the exercise of this right are provided, among other cases, to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- for the establishment, exercise or defence of legal claims.
▪ Right to data portability:
The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller where:
- the processing is based on consent or on a contract;
- the processing is carried out by automated means.
The data subject also has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
Registration and notification of files
The GDPR abolishes, as from 25 May 2018, the need to formally create files and enter them in the General Data Protection Register of the supervisory authorities.
Need to maintain a record of all categories of processing activities
The GDPR establishes a new obligation for controllers and processors to maintain records of processing activities when any of the following conditions apply:
▪ the enterprise or organisation employs 250 persons or more;
▪ the enterprise or organisation employs fewer than 250 persons but carries out processing which meets any of the following conditions:
- is likely to result in a risk to the rights and freedoms of data subjects, and the processing is not occasional;
- includes special categories of data;
- includes personal data relating to criminal convictions and offences.
These data controllers and processors must maintain a record of all the processing activities they carry out, which must contain, with respect to each activity, the information established in Article 30 of the GDPR.
Processing contract
The Regulation extends the minimum content of the processing contract. Among other aspects, in addition to the points already established in the LOPD, the contract must include:
▪ the subject matter and duration of the processing operation or operations;
▪ the nature and purpose of the processing;
▪ the type of personal data;
▪ the categories of data subjects;
▪ the obligations and rights of the controller;
▪ the provision that the persons authorised to process the personal data have committed themselves to confidentiality.
The contract must also stipulate that the processor:
▪ will assist the controller in fulfilling the controller's obligation to respond to requests for the exercise of the data subject's rights;
▪ will delete or return all the personal data to the controller at the end of the processing;
▪ will make available to the controller all information necessary to demonstrate compliance with the obligations of the processor, and will allow for and contribute to audits, including inspections, conducted by the controller or by another auditor mandated by the controller.
Data protection impact assessments
Where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing, the controller is responsible for carrying out a data protection impact assessment to evaluate the impact of the processing before it begins.
Prior consultation
Where the data protection impact assessment indicates that the intended processing may infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the controller must consult the competent data protection supervisory authority.
The supervisory authority must provide written advice to the controller and, where applicable, to the processor, and may use any of its powers laid down in this Regulation.
Data protection by design and by default
The Regulation introduces the principles of data protection by design and by default.
This means that the controller must, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures (such as pseudonymisation), which are designed to implement data-protection principles and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation.
The controller must therefore implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
Codes of conduct
The GDPR also regulates codes of conduct that may be drawn up by associations or other bodies representing categories of data controllers or processors to facilitate the effective application of this Regulation.
The code of conduct must be submitted to the competent supervisory authority for approval, registration and publication. The supervisory authority will also accredit the certification body stipulated in the code.
The adherence of a controller or processor to an approved code of conduct may be used as an element to demonstrate compliance with their obligations, and must in particular be taken into account when drawing up the data protection impact assessment.
Certification mechanisms
The Regulation also encourages the establishment of certification mechanisms and data protection seals and marks as a mechanism for demonstrating compliance with the GDPR.
Data protection officer
The Regulation introduces the concept of the data protection officer, who may be a member of staff of the controller or processor, or may fulfil the tasks on the basis of a service contract. A data protection officer must be designated in the following cases:
▪ where the processing is carried out by a public authority, or body (except for courts acting in their judicial capacity). In this case, a single data protection officer may be designated for several such authorities or bodies;
▪ where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale;
▪ where the core activities of the controller or processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
The data protection officer has at least the following tasks:
▪ to inform and advise the controller or the processor and the employees who carry out processing of their obligations under the Regulation and other data protection provisions;
▪ to monitor compliance with the different regulations;
▪ to provide advice as regards the data protection impact assessment;
▪ to cooperate with the supervisory authority;
▪ to act as the contact point for the supervisory authority on issues relating to processing.
International transfers
The Regulation has also introduced changes in this area, such as the express recognition of binding corporate rules as a basis for the transfer of personal data within a group of undertakings or a group of enterprises engaged in a joint economic activity. In addition, certain new derogations are provided, such as the case in which the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject and, once all the circumstances surrounding the data transfer have been assessed, the controller has provided suitable safeguards with regard to the protection of the personal data.
Security measures
In contrast to the law currently in force, the Regulation does not provide a list of the security measures to be applied according to the type of data being processed. Instead, it establishes that the controller and the processor must apply appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in the processing. This means a risk assessment must be carried out for each processing operation in order to determine the security measures to be implemented.
Notification of personal data breaches
If a personal data breach occurs, the controller must notify it to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the breach in clear and plain language to the data subjects without undue delay, except when:
▪ the controller has implemented protection measures rendering the personal data unintelligible to any person who is not authorised to access it;
▪ the controller has taken subsequent measures which ensure that the high risk is no longer likely to materialise;
▪ it would involve disproportionate effort, in which case there must instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
One-stop-shop mechanism
This mechanism enables controllers and processors established in several Member States, or whose processing affects data subjects in several Member States, to have a single supervisory authority (the lead supervisory authority) as their interlocutor.
Although it entered into force on 24 May 2016, the General Data Protection Regulation (GDPR) will apply only from 25 May 2018. Until that date, a transition period is open for adaptation to the new Regulation.
Until 25 May 2018, Organic Law 15/1999, of 13 December, on the protection of personal data (LOPD) and the Regulation implementing it (RLOPD), approved by Royal Decree 1720/2007, of 21 December, will continue to be fully applicable.
As from 25 May 2018, some aspects of the LOPD and the RLOPD will be replaced by the GDPR. Other elements however will continue to be applicable, either because they fall outside the scope of the GDPR or because the Regulation allows such regulation at Member State level.
The GDPR expressly provides for the possibility of several data protection authorities existing within a Member State. In any case, the GDPR does not affect the scope of action of the Catalan Data Protection Authority (APDCAT) established by the Statute of Autonomy of Catalonia (EAC) and Law 32/2010, though it may be necessary to adapt that Law to the new regulation of the functions of supervisory authorities.
In the period from the entry into force of the Regulation until 25 May 2018, data controllers and processors must take at least the following actions:
Records of processing activities
Controllers and processors of processing operations which, in accordance with the Regulation, are expected to continue beyond 25 May 2018 must create, before that date, a record of the processing activities they carry out, in which they must also record any processing activities they initiate from that date onwards.
Review of consent collection mechanisms
In those cases where consent is the legal basis for the processing which they carry out, the controllers and, where applicable, the processors, must examine the manner in which consent is obtained. Cases in which consent is given through pre-ticked boxes or silence, among other aspects, must be reviewed. As from 25 May 2018, processing operations carried out previously and those initiated from that date must meet the requirements of the new Regulation.
Revise information clauses
The new requirements for the transparency of processing mean the content of clauses used until now to provide information to the persons concerned must be revised.
In the case of data collected before the GDPR becomes applicable, it is recommended that any available means be used to complete the information provided with the additional content established by the Regulation. For example, the appropriate information clauses could be published on the organisation's website, or the information could be completed in communications maintained with the persons concerned.
Revise processing clauses
Organisations that have processing contracts established which will foreseeably be in effect beyond 25 May 2018 must adapt those contracts to the requirements of the new Regulation.
Conduct a data protection impact assessment
When processing which is being carried out and is expected to continue beyond 25 May 2018 is likely to result in a high risk to the rights and freedoms of natural persons, the controller must conduct a data protection impact assessment of the processing operations prior to that date and adopt such corrective measures as the assessment shows to be necessary. This assessment may be common for all similar processing operations.
Any impact assessment of processing operations initiated before the Regulation becomes applicable and continuing beyond 25 May 2018 must be completed by that date.
Consult the Data Protection Authority
Where a data protection impact assessment indicates that the processing could result in a high risk that has not been mitigated, the Catalan Data Protection Authority should be consulted prior to the start of processing activities.
Examine the mechanisms employed to transfer personal data to third countries
Prior to 25 May 2018, the mechanisms employed to transfer personal data to third countries should be examined to ensure they comply with the new Regulation.
Assess and introduce security measures
The personal data security aspect of the new Regulation requires a risk assessment for those processing activities that are expected to continue beyond 25 May 2018, in order to determine the security measures that must be implemented prior to that date, in accordance with the new law.
Establish a protocol to notify personal data breaches
A protocol should be put in place to notify any personal data breach without undue delay to the supervisory authority and, where applicable, to communicate it to the data subjects concerned. This will be a requirement as from 25 May 2018.
Designate a data protection officer
Prior to 25 May 2018, public bodies and other organisations required to do so must designate a data protection officer, who will either form part of their staff or fulfil the tasks on the basis of a service contract. In the case of public authorities or bodies, a single data protection officer may be designated for several such authorities or bodies.
Train staff
In order to effectively comply with the obligations deriving from the new Regulation, a training programme should be established for staff involved in the personal data processing and, in particular, staff with responsibilities in this area attributed to them within the organisation.
The GDPR introduces new rights for the persons concerned: the right to be forgotten, which is linked to the right to erasure, the right to data portability and the right to restriction of processing.
But the new Regulation also creates other guarantees for the people concerned.
It establishes the applicability of European Union rules not only in cases in which the establishment of the data controller or processor is in an EU Member State, but also in any other case in which the processing has been carried out in the context of an offer of goods or services aimed at data subjects or the monitoring of their behaviour specifically in the EU. This especially reinforces the applicability of European rules covering services offered online.
Moreover, the Regulation also ensures people’s right to be informed, without undue delay, of any security breach that may involve a high risk to their rights and freedoms, so that they can take appropriate measures.
Finally, in processing activities in which there are international dimensions, the one-stop-shop mechanism provided in the GDPR enables people to avoid having to deal with a supervisory authority other than that of the Member State in which they live, when they wish to make a claim or complaint.
Is the GDPR applicable to processing undertaken in the area of law enforcement and criminal justice?
No. It should be borne in mind that this field is covered by Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.