the art of being legal

What is the General Data Protection Regulation (GDPR) and how does it affect me?

The General Data Protection Regulation (GDPR) is a law of the European Union which regulates the way that companies process and use the personal data that they collect from consumers. It is direct EU law, not a directive, so it didn’t need to be implemented separately by each of the EU member states. It came into effect on 25 May 2018. In Spain, the Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales adapts the Spanish legal system to the GDPR.

Written by Abigail Sked

Paralegal

Does the GDPR apply to me?

The GDPR clearly applies to you if you are established in the European Economic Area (EEA) and process personal data. It also applies to those who are not established in the EEA but who:

  • Offer goods or services to individuals in the EEA.
  • Monitor behaviour of individuals in the EEA.
  • Are established in a place where EU law applies by virtue of public international law.


What counts as 'personal data'?

Personal data is any information related to an identified or identifiable living person (the data subject). This includes both data that may cause someone to be identified directly (by means of that data alone) and data that may identify them indirectly (by means of that data in combination with other data).

Children are particularly protected by the GDPR, so you need to bear this in mind if you might be processing the data of children.

What are the principles of the GDPR?

There are 7 principles of the GDPR, set out in Article 5 and summarised below.

Personal data shall be:

  1. “processed lawfully, fairly and in a transparent manner in relation to the data subject”
    • This is where the legal bases come in (explained below). You must make sure that you choose the correct legal basis/bases before starting to process and that you treat your data subjects fairly and transparently.
  2. “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”
    • You must limit the purposes that you use the data for, so make sure you are clear with your data subjects about the possible uses of their data from the start.
  3. “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”
    • You must minimise the amount of data you process, collecting and processing only that which is necessary.
  4. “accurate and, where necessary, kept up to date”
    • You must take steps to identify and correct incorrect data. This links to some of the data subjects' rights (explained below).
  5. “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes”
    • You must limit the amount of time that you store personal data.
  6. “processed in a manner that ensures appropriate security of the personal data”
    • You must use appropriate technical and organisational measures for security.

And finally, “the controller shall be responsible for, and be able to demonstrate compliance” with the aforementioned principles.

  • Make sure that those other 6 principles are included in policy and practice from the start and that you can demonstrate that this is the case.


Am I a controller, a processor or a data protection officer?

  • The controller is the person or body that has decided to process personal data (or caused another entity to process it) and who decides on the purpose and means of the operation. He/she exercises judgement on the processing of personal data.
  • The processor follows instructions from another party (the controller) with regard to the processing of personal data. He/She does not decide what data to process, why to process it, who to collect it from, etc.
  • The data protection officer (DPO) is a position necessary only in cases when the processing is carried out by a public authority or body, or when the core activities of the controller or processor consist either of processing which requires regular and systematic monitoring of data subjects on a large scale, or of processing on a large scale of special categories of data pursuant to Article 9 or of personal data relating to criminal convictions and offences referred to in Article 10. The DPO informs and advises the controller or processor, monitors compliance with the GDPR, provides advice regarding impact assessments, and communicates and cooperates with the supervisory authorities.

What are my obligations as someone who processes personal data?

In short, you are obliged to follow the principles of the GDPR whenever you process personal data, but let’s look at some specific obligations in detail.


Demonstrate compliance

The first thing that needs to be borne in mind before you start processing data is that you must comply with GDPR by design (meaning that you ensure that you consider and apply data protection principles from the outset of every project) and by default (meaning that implementing those principles is your default position). The GDPR must be in the foundations of everything you do regarding processing.

However, not only will you have to comply with the GDPR, you will also have to be able to demonstrate that compliance to a regulator. This includes:

  • Keeping records of all of the processing carried out (e.g. the purpose of the processing, the categories of data subjects, who the data is shared with, security measures that are in place etc.). The requirements of these records are set out in Article 30 of the GDPR.
  • Adopting internal policies and measures which support the principle of data protection by design and by default.
  • Carrying out data protection impact assessments in cases when processing operations are likely to result in a high risk to the rights and freedoms of natural persons, and taking action to minimise those risks.
  • Appointing a data protection officer if necessary.


Establish your legal bases for processing data

There are 6 main legal bases that you can use to legitimise your collection and processing of personal data (outlined in Article 6).

However, bear in mind that if you are processing any of the special categories of data such as health or religion, you need to refer to the 10 bases in Article 9, and if you are processing data relating to criminal convictions and offences, you need to refer to Article 10.


The 6 main legal bases for processing are:

  • Consent
    • “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”
  • Necessary for contract
    • “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
  • Necessary for legal obligation
    • “processing is necessary for compliance with a legal obligation to which the controller is subject”
  • Necessary for vital interests
    • “processing is necessary in order to protect the vital interests of the data subject or of another natural person”
  • Necessary for a task in public interest or official authority
    • “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
  • Necessary for legitimate interests
    • “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”


Protect the data subjects' rights

The GDPR strengthened the rights of data subjects to view, control, correct, and erase the data that you hold on them, so you need to make sure that it is clear to them how they can exercise these rights, and support them to exercise these rights if and when they choose to do so. Some of these rights are absolute, others are not, and you can find more information about them in Chapter III of the GDPR.


Bear in mind that data subjects have the right to be informed about the details of the processing of their personal data that is being/will be carried out. That's why it's so important to draft and make available an easily accessible and understandable privacy policy. Check out the following article to find out about what you should include in your privacy policy:

WHAT DO I NEED TO INCLUDE IN MY WEBSITE'S PRIVACY POLICY?

Prepare for personal data breaches

You must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”, protecting the data you process as much as possible. This might look like encryption, prevention against loss or destruction of data, regular testing of security measures, etc.

However, breaches do happen, so you need to know exactly what you will do if one happens to you. Once the data controller becomes aware of a personal data breach, it must document the breach and report it to the competent supervisory authority within 72 hours, unless the breach “is unlikely to result in a risk to the rights and freedoms of natural persons”.

If the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also communicate it to the data subjects in a timely manner.

Am I fulfilling my obligations as a Data Controller?

The Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD) has published in its Guide to the Data Protection Regulation for Data Controllers a series of questions which, taken together, constitute a useful tool to start assessing your current level of compliance.

Lawfulness of Processing 

  • Have you clearly identified the lawful basis for the processing operations you carry out and have you documented in some way the way in which you have determined this basis?
  • If any of the processing operations you carry out are based on the consent of data subjects, have you verified that this consent meets the requirements of the GDPR? If it does not, have you made arrangements to obtain consent in a GDPR-compliant manner, or have you found another appropriate legal basis for such processing operations?

Information and rights 

  • Is the information provided to data subjects presented in a clear, concise, transparent and easily accessible form?
  • Does the information contain all the elements required by the GDPR?
  • Do you provide mechanisms for the exercise of rights that are visible, accessible and simple, and can data subjects' rights be exercised electronically?
  • Do you have procedures or mechanisms in place that allow you to verify the identity of those requesting access or exercising their other rights (right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object, right not to be subject to a decision based solely on automated processing)?
  • Do you have procedures in place to enable you to respond to the exercise of rights within the time limits provided for by the GDPR? Have you assessed whether the cooperation of processors would be necessary to respond to data subjects' requests and, if so, do you plan to include such cooperation in the processing contracts?
  • In particular, do you intend to have mechanisms in place to deal with the possible exercise of the right to restriction of processing, so that the data concerned can be retained without being subject to the processing operations that would correspond to it?
  • Have you assessed whether the data processing operations you carry out may be subject to the right to portability? If so, have you planned for procedures or mechanisms that would enable you to comply with this right and to provide the data to the data subject (or to another controller) in a structured, commonly used and machine-readable format?

Relationship between the Data Controller and the Data Processor 

  • Have you considered how to assess whether the processors you have contracted or will contract to carry out processing operations offer guarantees of compliance with the GDPR?
  • Do your current processing contracts contain all the elements required by the GDPR? 

Accountability measures 

  • Have you made an assessment of the risks to citizens' rights and freedoms posed by the processing operations you carry out? Have you determined which accountability measures are appropriate for your risk situation and how they should be implemented?
  • Have you made provisions for the establishment of the record of processing activities in your organisation?
  • Have you assessed whether any of the exceptions to this obligation apply to you? Have you identified who will be responsible for keeping the record up to date? 
  • Have you reviewed the security measures you apply to your processing operations in the light of the results of the risk assessment of your processing operations? Have you sufficiently assessed the possibility of introducing additional measures depending on the type of processing or the context in which it is carried out?
  • In view of the type of processing operations you carry out, have you put in place mechanisms to promptly detect personal data breaches?
  • Do you have measures in place to respond to different types of personal data breaches, including procedures for assessing the risk to the rights and freedoms of data subjects? Have you established procedures for notifying data protection authorities and, where necessary, data subjects of personal data breaches? 
  • Do you have a register or similar tool where you can document potential breaches of security that occur, even if they are not notified to the data protection authorities?
  • Have you assessed whether the processing operations you carry out require a Data Protection Impact Assessment because they pose a high risk to the rights and freedoms of data subjects?
  • Have you adopted a specific methodology for carrying out the Impact Assessment?
  • Depending on the type of processing you carry out and the results of the prior risk assessment, are you required to appoint a Data Protection Officer (DPO)? 
  • Have you established the criteria for selecting the Data Protection Officer and, in particular, for assessing his or her professional qualifications and knowledge?
  • Does the position of DPO as it is currently defined in your organisation meet the GDPR requirements of independence in the exercise of duties, position in the organisational structure, absence of conflict of interest and availability of the necessary resources?
  • Have you made the appointment of the DPO and his or her contact details public and communicated them to the data protection authority?
  • Have you put procedures in place for data subjects to contact the DPO? 

Penalties

With these increased rights and protections for data subjects have come increased penalties as well. Maximum fines for failing to meet the obligations under the GDPR are €20 million or 4% of the undertaking’s annual turnover, whichever is higher, and then there is the possible cost to reputation.

It’s incredibly important to take data protection seriously and to bear it in mind even before you start processing personal data. Should you feel the need for support to create and carry out your company’s privacy framework, Conesa Legal can help you. We offer advice about how to implement it legally in Spain.

Abigail Sked

Date published: 17 July 2023

Last updated: 25 June 2024