European Data Protection Regulation
On May 4, 2016, the Official Journal of the European Communities published European Regulation 2016/679 of April 27, 2016, in relation to the protection of personal data. This Regulation, which came into force on May 25, will be directly applicable in all EU Member States as from May 2018. Consequently, the supervisory authorities, as well as the public authorities and the world of business have two years to come into line with the new Regulation. During this two-year period the current Personal Data Protection Organic Law will continue to be applicable in Spain.
One of the principal aims of the Regulation is to harmonize the legislation of the Member States on the subject, with a view to unifying criteria and improving legal and practical certainty, both for citizens (who will have greater control over their data and additional safeguards in the exercise of their rights), and also for businesses and the public authorities.
The main new features of the Regulation include the new rights acquired by citizens, such as the right to erasure or “right to be forgotten”, the portability of data between data controllers and the right to be informed of data breaches where they may affect an individual’s rights and freedoms.
In relation to data controllers, the aspects to be borne in mind in data processing contracts with service providers have been increased, as has the controllers' level of control and liability (they are responsible for and must be able to demonstrate compliance with the rules). The Regulation establishes the need for unambiguous consent to the processing of personal data (i.e., a clear affirmative action) and, in certain cases, the need to appoint a data protection officer. In the event of a breach of the Regulation or of decisions by the supervisory authority, controllers may face fines of up to twenty million euros or 4% of their annual worldwide turnover.
A Data Protection Board has also been set up, comprised of the heads of all the supervisory authorities of each Member State and the European Data Protection Supervisor. In addition, the “one-stop-shop mechanism” will enable data subjects and data processors to contact a single supervisory authority.
Departamento de Mercantil de Garrigues