The Spanish Data Protection Agency (AGPD) has published a document on the new regulatory framework adopted by the European Union (EU), the General Data Protection Regulation, to guarantee the privacy and protect the personal data of European citizens.
These are some of the main points emphasized by the Spanish Data Protection Agency and published on its web site:
- Entry into force of the Regulation.
The Regulation entered into force on 24 May 2016 (twenty days after its publication in the Official Journal), but it does not apply until a further two years have passed, on 25 May 2018. Until then, both Directive 95/46/EC and the national laws transposing it, including the Spanish ones, remain fully valid and applicable. The two-year period before the Regulation becomes applicable is designed to give EU member states, European institutions and the organizations that process data time to prepare and adapt.
- Companies affected.
Not only those established in the European Union. The Regulation also applies to companies that, until now, could process the data of people in the Union while being governed by the laws of other countries or regions that do not always offer the same level of protection as European law (the United States, for example).
- Right to be forgotten.
The Regulation introduces new elements, such as the right to be forgotten and the right to data portability, which improve citizens' ability to control and decide what personal data they entrust to third parties.
The right to be forgotten is presented as a consequence of the right of citizens to request and obtain from the data controller the erasure of their personal data when, among other cases, the data is no longer necessary for the purposes for which it was collected, when consent has been withdrawn, or when the data was collected unlawfully.
The right to portability means that individuals who have provided their data to a controller that processes it by automated means may ask to receive that data back in a format suitable for transferring it to another controller.
- Consent.
The age at which minors may themselves consent to the processing of their personal data in the context of information society services (e.g. social networks) is 16 years. However, each member state may lower this age, with a lower limit of 13 years. In Spain's case, the limit remains 14 years. Below that age, the consent of parents or guardians is required.
One of the fundamental legal bases for processing personal data is consent. The Regulation requires consent, in general, to be freely given, informed, specific and unambiguous. For consent to be considered "unambiguous", the Regulation requires a statement or a clear affirmative action indicating the agreement of the person concerned. Consent cannot be inferred from the silence or inaction of citizens; pre-ticked boxes or a failure to opt out do not count.
- Active responsibility (accountability).
One of the key elements of the Regulation.
Companies must take reasonable steps to ensure that they are able to comply with the principles, rights and guarantees that the Regulation establishes. They must not only act when an infringement occurs, but must also act preventively, and be able to demonstrate that they have done so. To this end, companies must ensure the following:
- Data protection by design.
- Data protection by default.
- Appropriate security measures.
- Keeping a record of processing activities.
- Carrying out data protection impact assessments.
- Appointment of a data protection officer.
- Notification of personal data breaches.
- Promoting codes of conduct and certification schemes.