The importance of privacy has been elevated to a priority level for both businesses and users in the digital age. Recognising the fundamental value of personal data and the need to safeguard your privacy, the European Union decided to create the General Data Protection Regulation (GDPR), designed to establish a common framework for data protection.
Below, we highlight the ten key points of the GDPR that every organisation should take into account in order to adapt to this regulatory framework:
1. Purpose
One of the basic principles established by the GDPR is the obligation to process personal data only for one or more specified, explicit and legitimate purposes, together with the prohibition on further processing the same data in a way that is incompatible with those purposes.
2. Consent
With the implementation of the GDPR, the concept of consent underwent several significant modifications. Now, for consent to be valid, it must be freely given, specific, informed and unambiguous. Consents known as ‘tacit’, based on the data subject’s inaction, are not valid.
3. Legitimation
The GDPR maintains the principle that all data processing must be based on a legitimate ground, which may be the consent of the data subject, a contractual relationship, the vital interests of the data subject and others, the performance of legal obligations by the data controller, the public interest or the exercise of public authority, as well as the overriding legitimate interests of the data controller or third parties to whom the data are disclosed.
4. Duty to inform
The obligation to inform data subjects about the circumstances relating to the processing of their data rests with the Controller.
In order to comply with the requirements of the GDPR to provide detailed information in a clear and concise manner, a layered information model is recommended. In any case, information to data subjects should be provided in clear and plain language, in a concise, transparent, intelligible and easily accessible manner.
5. Data Processors
The processor is the natural or legal person, public authority, service or body that provides a service to the Controller involving the processing of personal data on behalf of the latter. The regulation of the relationship between the Controller and the Processor must be established by means of a contract or similar legal act binding them.
6. Register of Processing Activities
Depending on the size of the entity, or the level of risk to the rights and freedoms of data subjects posed by the processing operations carried out, the Controller shall draw up a Register of Processing Activities. This register shall contain information on the type of personal data collected, the purpose of the processing, the time periods foreseen for erasure, the technical and organisational measures adopted by the entity, among other aspects.
7. Rights of data subjects
Data protection regulations allow data subjects to exercise their rights of access, rectification, objection, erasure, restriction of processing, portability and the right not to be subject to individualised decisions before the Data Controller.
The Data Controller is obliged to respond to the data subject’s requests without undue delay and at the latest within one month, and to explain its reasons in the event that it does not comply with the request.
8. Security breaches
According to the GDPR, a security breach is ‘any breach of security leading to the accidental or unlawful destruction, loss or alteration of, or unauthorised disclosure of or access to, personal data transmitted, stored or otherwise processed’.
Notification of a personal data breach is not required where the Controller can ensure that the personal data breach is unlikely to present a risk to the rights and freedoms of data subjects. Otherwise, the notification must be made without delay and at the latest within 72 hours after the incident has come to the Controller’s attention.
9. Data Protection Officer
One of the new figures introduced by the GDPR was the Data Protection Officer (DPO). It will be necessary to appoint a DPO depending on the type of entity, its main activity and the processing carried out. The DPO will be responsible for supervising and advising the Data Controller, as well as acting as a liaison with the Data Protection Control Authority.
10. International transfers
The GDPR contemplates the possibility of making an international transfer of data to a third country or international organisation when the European Commission has determined that such country or international organisation provides an adequate level of protection. In the absence of such a decision, the transfer of data may be carried out provided that adequate safeguards have been implemented and the affected data subjects have enforceable rights and effective legal remedies.
Remember that Metricson can help you to adapt your business to data protection regulations, as well as to clear up any doubts that may arise in the process.
Article written by
Lawyer – Privacy and Technology Contracts.
About Metricson
With offices in Barcelona, Madrid, Valencia and Seville and a significant international presence, Metricson is a pioneering firm in legal services for innovative and technology companies. Since its inception in 2009, it has advised more than 1,400 clients from 15 different countries, including startups, investors, large corporations, universities, institutions and governments.
If you would like to contact us, please do not hesitate to write to us at contacto@metricson.com. We look forward to talking to you!