Data Protection

Lawyers Specialized in Data Protection

What is the GDPR?

The new General Data Protection Regulation is a law directly applicable throughout the European Union on the processing of personal data that aims to establish coherent, homogeneous legislation within the Union, something that has not existed until now.

Which companies must comply with the General Data Protection Regulation?

The new data protection regulation applies to all companies, organizations and freelancers that process personal data in the exercise of their professional or commercial activity, with the sole exception of the processing of personal data for household activity.  The new regulation will apply, as it has until now, to data processors and controllers located in the European Union, but its territorial scope is extended to companies located outside the Union that process the personal data of European citizens in relation to the provision of goods or services or the monitoring of their behavior.

When does the new Data Protection Regulation enter into force?

The European General Data Protection Regulation was published on 24 May 2016 and came into force on 25 May 2018.

What changes does the new General Data Protection Regulation (GDPR) introduce in comparison to the LOPD?

The new Regulation introduces several changes to which we will have to adapt in order to comply with the new data protection law.

One of the main changes introduced by the new Regulation relates to consent: to collect and process personal data, it will be necessary to obtain the express consent of the data subjects, which will require either a statement or a clear affirmative act. Therefore, to process data, the tacit consent or silence of EU data subjects will no longer be valid – in contrast, it was valid under the LOPD.

Another important aspect of the new Regulation is that it requires the consent of the data subjects for each processing purpose; that is, if a client has hired our company to provide him/her with a certain service and we also want to send him/her sales information or advertisements, we must also obtain the consent of the interested party to process his/her data for commercial purposes. Without it, sending such advertisements would be unlawful.

Another major change introduced by the GDPR concerns citizens’ rights in relation to their personal data. While the LOPD granted ARCO rights (access, rectification, cancellation and opposition), the new Regulation adds new data protection rights, which are the right to be forgotten, the right to data portability, and the right to limit data processing.

In addition, when personal data is collected, the information that we will have to provide to the data subjects is more extensive and rigorous than what was required until now under the LOPD. Therefore, we will have to modify all the contract documents with which we usually work.

In addition, the new Regulation requires a risk assessment of the personal data that is processed for the purpose of establishing security and control measures to guarantee individual rights and freedoms, which must be duly documented. Based on the results of the risk assessment, we will conclude whether it is necessary to carry out an impact assessment, bearing in mind that if the impact assessment is deemed unnecessary, we will also have to document why and how that conclusion was reached.

The new GDPR also establishes the obligation to maintain a record of processing activities if certain circumstances provided for in the Regulation occur, and the obligation to record files with the Spanish Data Protection Agency is eliminated.

Likewise, the new Regulation requires all companies to take the appropriate security and control measures to guarantee the integrity and confidentiality of the data that we process, making it mandatory to monitor these measures.

What is a Data Protection Officer and what is his/her purpose under this regulation?

The Data Protection Officer is a role created by the new Regulation, and there are three cases in which it will be mandatory to appoint one:

  1. When data processing is performed by a public authority or body, with the exception of the courts in the exercise of their functions.
  2. When the main activities of the data processor or controller consist of operations that, due to their nature, scope and purposes, require a large-scale, regular and systematic monitoring of individuals.
  3. When the main activities of the data processor or controller consist of the large-scale processing of special categories of data and data related to criminal convictions and offenses.

Notwithstanding the foregoing, any company or organization may appoint a Data Protection Officer if it so desires, even if it is not obligated to do so by the new Regulation.

In any case, the Data Protection Officer is required to have expertise in the field, since his/her functions include informing and advising on data protection issues, overseeing the adherence to the regulation, and providing advice on impact assessments; in addition, he/she is the point of contact with the supervisory authority.

Also, we must bear in mind that if the personal data that we process is interfered with illegitimately, the security breach must be reported to the Spanish Data Protection Agency (Spanish acronym: AEPD) and to the party whose data was compromised in a maximum of 72 hours after its detection.

In cases of infringement, what fines will I face?

We also find changes in the penalties for non-compliance, because from 25 May 2018, fines can reach up to 20 million euros or 4% of the worldwide annual revenue of the prior financial year, with the Regulation opting for whichever penalty is higher.

The European General Data Protection Regulation was published on 24 May 2016 and came into force on 25 May 2018.

Our Data Protection Law Team

At Caruncho y Tomé, our lawyers specialized in data protection are responsible for implementing all the necessary procedures to enable companies and organizations to comply with the new General Data Protection Regulation, preparing records of processing activities, modifying contractual clauses and sections of websites concerning data protection, performing risk assessments, and advising on the appropriate control measures to guarantee data security.

At our firm, we assist companies not only in adapting to the new Regulation, but also in maintaining data protection compliance by providing regular legal guidance to all our clients to ensure their compliance with the GDPR.

Contact our legal team