New Law on Data Protection and Guarantee of Digital Rights

The new Organic Law on Data Protection and Guarantee of Digital Rights (LOPD-GDD) entered into force on May 25, 2018. This Law adapts the European Data Protection Regulation and incorporates new strategies, most notably a new title dedicated exclusively to digital rights, such as the Internet, digital education or the right to security of communications, in addition to other aspects.

What is the General Data Protection Regulation (RGPD) about?

The General Data Protection Regulation (RGPD) is the current legislation covering data protection at the European level, and it must be applied from May 25, 2018. As of this date, it repeals Directive 95/46/EC of the European Parliament and of the Council, of October 24, 1995.

In Spain, this Directive was adapted by Organic Law 15/1999, of December 13, on the Protection of Personal Data (LOPD) and later by Royal Decree 1720/2007, of December 21, which developed additional mandates to make some of its principles concrete.

Personal data is considered to be all information, presented as text, image or audio, that allows a person to be identified. Within this context, some data is considered low-risk, such as name or email, while other data is more vulnerable to being extracted and is considered higher risk, such as data related to religion or personal health.

Data that does not allow a person to be identified is not treated as personal data, for example machinery manuals, weather forecasts, or data related to an individual that has been anonymized. In these cases, the Regulation of Free Circulation corresponding to non-personal data applies.

What are the main objectives of the General Data Protection Regulation?

The main function of the new Law on Data Protection and Guarantee of Digital Rights is to make companies and organizations commit to better treatment of the data and personal files they handle. The objective of this Law is therefore to improve the level of data protection for all natural persons. In pursuit of this primary objective, the Law makes special reference to the following aspects:

  • Give information about what happens to personal data once it is shared.
  • Facilitate the understanding of privacy policies by using standardized icons that are easy to understand, together with clear and precise language.
  • Reformulate the different rights to improve access to them, especially when it comes to minors.
  • Increase the rights established over personal data, including portability between service providers.
  • Safeguard and support processing carried out for archival purposes, for further investigation or for statistical interest.

What changes with the new regulations of the General Data Protection Regulation?

The General Data Protection Regulation introduces new specifications that establish new obligations to reduce the risk of disclosure of personal data. The new regulation is somewhat stricter and provides for fines for those who violate its provisions. Interested persons can file a claim with the corresponding control authorities when these data protection regulations are not met. Administrative fines for infringement under the LOPDGDD and the RGPD can reach between 10 and 20 million euros, which is equivalent to 2 and 4% of the global annual business volume. Depending on the offense committed, infringements are classified as very serious, serious and minor.

The penalties that those responsible must face, according to the classification in the previous paragraph, are shown below:

1) Very serious: infringements that are time-barred after three years and occur when:

  • The data is used for a different purpose than the one agreed.
  • The duty to inform the affected party is omitted.
  • A cancellation is required to access the data that are your own.
  • There is an international transfer of the information without any guarantee.

2) Serious: infringements that are time-barred after two years and occur when:

  • Data of a minor is used without consent.
  • Technical and organizational measures to adequately protect data are not adopted.
  • The duty to assign a person in charge or manager to protect the data is breached.

3) Minor: infringements that are time-barred after one year and occur when:

  • There is no transparency of the information.
  • There is a failure to notify the affected party when they have requested it.
  • There is a breach on the part of the person in charge of carrying out their obligations to protect the data.

Data protection entities and organizations may also file an appeal in certain circumstances.

What are the new rights included in the General Data Protection Regulation (RGPD)?

This new Data Protection Law directly extends the basic factors and rights set forth in Directive 95/96 / EC, which specifies aspects such as access, rectification, cancellation and opposition. The following points must be taken into account:

  • The right to erasure or to be forgotten: this applies when data has been collected that is used for an unauthorized purpose, that is treated illegally, or that was obtained without full consent. Links to, copies of and replicas of such data must also be deleted.
  • The right to limit treatment: this right can be requested when data is treated illicitly or is no longer necessary; the data must then be clearly indicated in the system as subject to limited treatment.
  • The right to data portability: the interested party can request a file in a certain format in order to transmit it to another company or country.
  • The right to be informed about possible violations affecting their personal data, within a maximum period of 72 hours after the security problem has been verified.
  • Consent: the new regulation establishes that consent must be unequivocal, informed and explicit, and given by the interested party for each of the treatment activities. If the data is to be used for more than one purpose, consent must be requested for each of them.

The Data Protection Law is also clear in establishing that tacit statements are not valid; that is, the interested party must take a truly affirmative action to give their full consent. The interested party or applicant can also withdraw their consent at any time, in the same way it was given.

What are the internal roles of the General Data Protection Regulation?

The General Data Protection Regulation defines internal roles for protecting the data, among which we can mention:

  • The person in charge of the treatment is the person who puts into practice all the security measures needed to limit access to the data, so that it is used only for the purposes that have been required, thus ensuring confidentiality.
  • Public authorities and certain companies must have a delegate in charge of data protection, in order to guarantee compliance with the established regulations.
  • In the aforementioned cases, a code of conduct will be granted or, failing that, a certification mechanism through which they can demonstrate that the obligations are met and that they are willing to cooperate with the control authorities, providing them with records in a timely manner if these are requested.
  • All public bodies, universities, professional associations, insurance companies, and other similar entities are obliged to designate a delegate who fulfills the data protection functions. This delegate is responsible for informing, advising and supervising the person responsible for the treatment and the person in charge of it, so that they comply with the regulations.