Translation made by DeepL Traduttore
The RGPD (Reglamento General de Protección de Datos), or GDPR (General Data Protection Regulation), is a new European law that applies as of May 25, 2018.
It concerns all bodies and companies that process personal data of persons in Europe, regardless of the country from which they operate.
Let's talk a little bit about the law
Consent must be "unequivocal"
Consent to data processing is valid if it has been given by a statement of the data subject or by clear affirmative action, not by omission, as it is based on inaction.
In some situations, in addition to being unequivocal, it must be explicit:
• Processing of sensitive data.
• Automated decision making.
• International transfers.
The data will remain legitimate as long as the consent was obtained in the manner provided for in the GDPR, with other words, through a manifestation or affirmative action.
Particularly cumbersome formulations which incorporate references to legal texts should be avoided.
Information should be provided on why and for what purpose such data are obtained.
Procedure for the exercise
Users must be facilitated in the exercise of their rights, and the procedures and forms for this must be visible, accessible and simple.
Those responsible are required to make it possible to submit applications by electronic means, especially when processing is carried out by such means.
The exercise of the rights shall be free of charge.
The person responsible must inform the user of the action taken on his request within one month (two more months may be extended in the case of particularly complex requests and this extension must be notified within the first month).
If the person responsible decides not to comply with a request, he or she shall inform the Commission within one month of its submission, giving the reasons for his or her refusal.
Those responsible should take steps to verify the identity of those requesting access and those exercising rights.
Right of access
Those responsible will be able to comply with this right by providing remote access to a secure system that offers the data subject direct access to their personal data.
The right to obtain a copy of the personal data processed is recognized.
Right to be forgotten
A procedure must be provided for exercising the right to the deletion of personal data.
It is a manifestation of the rights of cancellation or opposition in the online environment.
Limitation of treatment
It consists of not applying your personal data to the processing operations used.
The same time limits and procedures apply to this right as to the other rights provided for in the GDPR.
The right to portability provides the data subject with a copy of his/her data, which must be provided in a structured, commonly used and machine-readable format.
This right can only be exercised:
• When processing is carried out by automated means.
• When processing is based on consent or a contract.
• When the data subject so requests with respect to the data provided to the data controller and concerning him/her, including data derived from the data subject's own activity.
All those responsible must carry out a risk assessment of the processing operations they carry out.
Large organizations: as a general rule, the analysis should be carried out using one of the existing risk analysis methodologies.
Smaller organizations and less complex treatments: the analysis will be the result of a minimally documented reflection on the implications of processing for users' rights and freedoms.
Data protection from the design and by default
Those responsible should take measures and techniques to integrate the principles of GDPR into their treatment.
Decision-makers should take measures to ensure that only the necessary data, the length of processing, the retention periods and the accessibility of the data are processed.
Those responsible and responsible shall establish the appropriate technical and organizational measures to ensure an adequate level of security in accordance with the risks identified in the preliminary analysis.
Notification of "Data breaches"
When a breach of data security occurs, the data controller should notify the competent data protection authority, unless the breach is unlikely to pose a risk to the rights and freedoms of data subjects.
Notification of the bankruptcy to the authorities must be given without undue delay and, if possible, within 72 hours after the person responsible has knowledge of it.
Those responsible must document all security breaches.
In cases where it involves a high risk to the rights or freedoms of users, notification to the supervisory authority shall be supplemented by notification to the latter.
The aim is to enable them to take measures to protect themselves from the consequences. The purpose is always to enable the affected user to react as quickly as possible.
The RGPD adds to the contents of the notification recommendations on the measures that can be taken by the parties concerned to deal with the consequences of breaches.
Impact assessment on data protection
Data controllers shall carry out a Data Protection Impact Assessment.
When the analysis is carried out on processing operations initiated prior to the date of application of the GDPR, these present a high risk to the rights or freedoms of data subjects.
Data Protection Officer
The figure of the Data Protection Officer (DPO) shall be mandatory in the following cases:
• Public authorities and organizations.
• Responsibles or managers whose main activities include processing operations requiring regular and systematic observation of large-scale interested parties.
• Data controllers or data processors who have among their main activities the large-scale processing of sensitive data.
The DPO should be appointed on the basis of its professional qualifications and, in particular, its knowledge of data protection law and practice.
The designation of the DPO and its contact details should be made public by the persons responsible and responsible and should be communicated to the competent supervisory authorities.
Treatment of children's data
Obtaining consent will only be valid from the age of 16 onwards, with the consent of parents or legal guardians under that age.
The GDPR allows member states to set a lower age, provided that it is not less than 13 years old.
In the case of Spain, the LOPD sets the age at 14 years of age as a general rule.
Up to €10,000,000 or 2% of the previous financial year*
• Failure to obtain consent from minors
• Do not apply technical and organizational measures by default
• No record of processing activities available
• Do not report security breaches
• Not conducting the Impact Assessment
• No DPO designation
Serious or Very Serious Infringements
Up to 20,000,000 € or 4% of the previous financial year*
• Failure to comply with RGPD principles
• Failure to comply with Interested Parties' rights
• Failure to comply with international data transfer requirements
• Failure to comply with the Control Authority's resolution
* Applies the highest amount
The AEPD has published a compliance list on the GDPR, to download it click here.