The General Data Protection Regulation, also known as GDPR, is the European regulation governing the right to protection of personal data that is processed wholly or partly by automated means. Although it was approved by the European Union in April 2016, the grace period granted for its application meant that the real upheaval came in May 2018, when companies were required to apply it definitively. The implementation of the GDPR forced many companies to hire expert data protection lawyers to work out what they were doing with the databases they already held, and many of them lost those databases as a result.
One of the main novelties of the European data protection regulation is that, in addition to regulating the storage of personal data, it prohibits their circulation and possible transfer to third parties. In this way, it puts an end to a strategy that was common a few years ago: selling customer databases to other companies so that they could target those customers with direct advertising. It also prevents the building of profiles that cross-reference a person's data, including their habits, their hobbies, etc.
One of the most important points of the GDPR is the ‘right to be forgotten’, which is nothing more than the power of users to request the complete erasure of all their data from Internet search engines. It is based on a pioneering judgment of the Court of Justice of the EU in May 2014, after long litigation promoted by the Spanish Agency for Data Protection (AEPD) at the request of a Spanish citizen. This user had suffered numerous inconveniences due to the inclusion of his name in several news items about debt seizures that had already been resolved. Following this ruling, Google, Bing and Yahoo added the corresponding forms for requesting the removal of personal information.
In Spain, many of these measures had already been applied with the entry into force of the Organic Law on the Protection of Personal Data (1999), which represented an important advance in the processing of private information.
The GDPR is mandatory for all bodies, including public companies. For this reason, most agencies dependent on the public administration have set up queue management systems that call patients and users by number and letter rather than by name.
What is the GDPR
The application of the GDPR is mandatory for entities with legal personality and for those that handle personal data. This last condition affects practically all of them, since they process and store, at a minimum, information about employees and customers.
The entry into force of the new data protection regulations in May 2018 forced many companies to modify their privacy policies. As a result, at that time, messages asking users to confirm their consent to keep receiving advertising communications piled up in everyone's e-mail inbox.
The GDPR affects a large part of a company's management areas, as well as others such as marketing and web analytics, by including rules on cookies, data retention, and data analysis and processing.
Among the main changes introduced by the regulation are the following:
- The obligation to appoint a Data Protection Officer.
- Express consent: the regulation prohibits pre-ticked boxes authorizing the transfer of data and requires the user to give consent through an unequivocal action.
- Right to be forgotten.
- Limitation of data processing.
- Right to portability of personal information.
- New special categories of data: genetic data and biometric data (obtained through technical processing, such as fingerprints).
- Users have the right to be informed about questions such as the specific purpose for which their data will be used, how long it will be stored, the contact details of the data protection officer, etc.
- Obligation to report ‘security breaches’ in the processing and storage of data.
Exceptions in the GDPR
The regulation is mandatory in EU member states, but it provides for some exceptions to its application, among others in the following cases:
- The data have been provided by the data subject for the relevant purpose.
- The data are necessary for actions related to labour law and social security and protection, as when the head of human resources of a company must process an employment contract.
- The processing is vital for a person who is physically or legally unable to give consent.
- The data have been made public by the data subject himself or herself.
- The processing is for the investigation or prevention of crimes or the execution of criminal sanctions by the competent authorities, in situations that threaten public security.
Penalties arising from data protection
Together with the rights of users and the obligations of the entities that store personal data, the Regulation sets out the possible sanctions for non-compliance. Improper management of information can lead to fines of up to 4% of the company's annual turnover or 20 million euros. To this we should add the corresponding criminal and administrative sanctions.
Recently, the AEPD fined LaLiga, the body that regulates football competition in Spain, 250,000 euros for using the microphone of users' mobile phones, through its application, to listen in and determine whether the bars those people visited were broadcasting football matches without paying the corresponding fee. The AEPD found that the organisation had breached the principle of transparency by not informing users about this functionality of the app.
But the highest sanction so far has been imposed on British Airways by the British Information Commissioner's Office over a serious security breach that affected 500,000 credit cards in September 2018. The airline will have to pay 204 million euros.
These have been other cases of companies sanctioned for breaching the GDPR in the European Union:
- A Portuguese hospital (Hospital do Barreiro), for security flaws that allowed unauthorized people to access patient records. The problem was that the hospital had not revoked the credentials of doctors who no longer worked at the centre. Fine: a total of 400,000 euros in three separate fines.
- An Austrian bookmaker, for installing a security camera that recorded much of the public sidewalk. Fine: 4,800 euros.
- The German social network Knuddels.de, which suffered a computer attack that exposed 808,000 email accounts and more than 1.8 million usernames and passwords that were subsequently published. Fine: 20,000 euros.