Implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council on data protection: main adaptations that companies should carry out.

By Dolores Sancha

Before we know it, 25th May 2018 will be here and so the applicable Regulation (EU) 2016/679 (hereinafter referred to as the Regulation). Will you company be ready for this change? The Regulation is directly applicable to all companies and non-compliance thereof will imply serious penalties that may reach 20 millions of Euros or 4% of turnover.

Some questions must be asked:

1) Is your company obliged to fulfil the provisions of the Regulation?

One of the most important developments are the subjects to whom the Regulation applies. To date, the obliged persons under the Regulation were data controllers and processors established in the European Union. With the new Regulation, such companies not within the European Union which may carry out data processing due to offers of goods or services for EU citizens or as a consequence of the monitoring and follow-up of their behaviour will be also affected.

With this new development, the Regulation requires such organizations not domiciled within the Community territory, but which may process data of European citizens to designate a representative in the European Union. The task of these representatives will be to approach the European citizens to the national authorities of the organizations beyond the EU.

Therefore, if the company is not domiciled within the European Union, but it processes data of European citizens, it shall verify the new obligations imposed by the Regulation.

Is your company obliged to fulfil the provisions of the Regulation?

2) Does the privacy policy of the company meet the reporting obligations required by the Regulation?

Another focal point in the new Regulation is the consent and form in which this consent must be obtained by data holders. To date, many companies only needed a tacit consent by the interested parties to start processing their personal data. Upon the effective date of these new European regulations, such conducts will be forbidden. Thereafter and for the consent to be unequivocal, a positive action or declaration by the holder, i.e., an express consent will be required.

Therefore, it is important to remark that consents obtained to this date will be invalid if they have been obtained inconsistently with the criterion established by the Regulation.

3) What must the company do before 25 May 2018?

• To verify the manner how data are being collected.

• To verify if such system complies with the provisions of the Regulation.

• To assess if the current databases of the company may be used after 2018.

4) What are the new regulations as regards minors data processing in the Regulation?

The General Data Protection Regulation imposes the age of 16 years for minors to give consent by themselves. Otherwise, the ones to necessarily give the consent will be the parents or legal guardians of minors.

Notwithstanding the foregoing, the Regulation is flexible on this point and allows Member States to reduce the minimum age down to 13 years. In Spain, the necessary age is currently 14 years. We will see if the new national regulation maintains the age of 14 years or increases it.

5) Does the data protection legend used by the Company conform to the Regulation?

The company will verify:

• The type of language used to inform the interested parties and if the same is intelligible.

• If the information provided fulfils the news requirements of the Regulation. As an example:

o Does the data protection caption reflect the legal base that justifies the data processing?

o Does it correctly inform on the addressees of data collected?

Therefore, the wording for data collection must be reviewed and not only of those obtained through the web, but also on hard copies and by telephone

Does the company comply with the active responsibility measures provided for by the Regulation?

6) Do you know the obligations that the Regulation imposes on data processors?

Companies acting as processors of third-party companies’ data have, as a consequence of the Regulation, additional obligations to those currently existing in the commission agreements.

Therefore, the following shall be verified:

• If there is a processing activity record.

• Depending on the processing carried out, Data Protection Delegates must be designated.

• If the commission agreements entered into by the company conform to the requirements of the Regulation.

7) Does the company comply with the active responsibility measures provided for by the Regulation?

The Regulation not only provides for rights as those mentioned above, but also another type of measures addressed to guarantee and assert such rights. A proactive responsibility is aimed by such companies working with personal data. All this is materialized in codes of conduct, notices of violation of data security or maintaining a record of processing or evaluations of impact on data protection.

For all the foregoing, we can confirm that the Regulation will imply changes in the personal data management which will require greater commitment by companies and public authorities.

Now it is a good time for companies to adapt themselves, implement and plan some of the measures expected, so that they may early detect any problems or deficiencies.