General Regulation of Data Protection – main concepts
The General Regulation on Data Protection (RGPD), which enters into force on 25 May, regulates the protection of natural persons with regard to the processing of personal data and the free movement of such data. This regulation introduces not only new rules but also high fines in case of non-compliance, which requires careful attention from organizations dealing with personal data.
The great challenge is to ensure control over the privacy of data in our information society, where the increasing adoption of the internet, social networks and digital business models creates a duality. On the one hand, people are attracted to and share data from their personal lives; on the other, organizations are increasingly capturing information about their customers, usually with the aim of providing more and better services, or as a way of monetizing information.
The RGPD represents a fundamental change in the way the EU regards the processing of, and access to, personal data, in a new approach that keeps the focus on organizations' own accountability. In the EU it is believed that companies exploit personal data excessively and mainly for their own benefit, with a lack of transparency about the manner and purpose of processing.
The new regulations are complex and represent a challenge for all companies and organizations, public and private, that will have to implement specific control tools and procedures for the management and protection of their customers’ data.
In this technical article we set out the main features introduced by the RGPD regulatory framework.
The RGPD regulates the processing of personal data, whether by wholly or partly automated means or by non-automated means. It does not apply to processing:
• in the course of activities not subject to EU law;
• by natural persons in the exercise of personal or domestic activities;
• by authorities for the purposes of prevention, investigation, detection and prosecution of offenses or the enforcement of sanctions.
It applies to establishments in the EU, and also to establishments outside the EU which: (a) offer goods or services in the European area, whether to EU citizens or to citizens of third countries; (b) monitor the behavior of citizens in the European area.
Key concepts:
• Personal data
“information concerning a holder of personal data”; “any information relating to an individual who is identified or identifiable through it”
• Sensitive data
“philosophical or political beliefs, party or trade union membership, religious faith, private life and racial or ethnic origin, health and sex life, genetic data”
• Data processing
“an operation or a set of operations carried out on personal data”, in particular “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure or destruction”
• Controller (the person responsible for the processing)
– natural or legal person
– individually or jointly with others
– determines the purposes and means of the processing of personal data
• Processor (subcontractor)
– natural or legal person
– processes personal data on behalf of the controller
• Data breach
– accidental or unlawful
– causes destruction, loss, alteration, disclosure of, or unauthorized access to, personal data
Rights of holders (New)
• Transparency and accessible language (more information, more communications, more exercise of rights)
• Right to information
• Right of access
• Right to rectification, erasure (right to be forgotten) and restriction of processing
• Right to object
• Right not to be the subject of automated decisions
• The right to portability
• Communication of violation of personal data to the holder
Obligations of the controller (the person responsible for the processing)
• Lawfulness of processing:
– Consent: must now be freely given, specific, informed and explicit (opt-in), unlike the current pre-ticked options or silence (opt-out)
• Technical and organizational measures to ensure, and be able to demonstrate, that processing complies with the RGPD
• Privacy by design:
– technical and organizational measures, such as pseudonymisation and anonymisation
– the guarantees needed to fulfil the RGPD (lawfulness of processing, policies, procedures, codes of conduct)
• Privacy by default: technical and organizational measures such as data minimization and access control
• Notification of a breach to the Control Authority within 72 hours
• Adequate guarantees from the processor (subcontractor)
• Companies with more than 250 employees: mandatory records of processing activities
• Privacy Impact Assessment: mandatory where there is profiling, sensitive data or large-scale processing; prior consultation of the CNPD is required
• International transfers
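The two technical measures named in the list above, pseudonymisation (privacy by design) and data minimization (privacy by default), shown in working form. This is an added Python example, not code from the original article; the record fields, the "analytics" purpose, the decade-banding of birth years and the keyed-hash (HMAC-SHA256) pseudonymisation scheme are all assumptions made for the illustration, and the sample records are constructed.

```python
"""Pseudonymise and minimise customer records before they leave the controller's core system.

Added example (not from the original article). Assumptions:
- identifiers are pseudonymised with HMAC-SHA256 under a secret key;
- the key and the pseudonym -> identifier lookup are stored separately from
  the dataset, under access control (this is what makes it pseudonymisation
  rather than anonymisation: re-identification stays possible for the controller);
- the stated purpose (analytics) only needs city and an age band.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List

# Constructed sample export: what an application database might hold.
SAMPLE_RECORDS: List[Dict] = [
    {"email": "ana@example.com", "name": "Ana Silva", "city": "Lisboa",
     "birth_year": 1984, "health_note": "asthma"},
    {"email": "rui@example.com", "name": "Rui Costa", "city": "Porto",
     "birth_year": 1991, "health_note": ""},
    {"email": "ana@example.com", "name": "Ana Silva", "city": "Lisboa",
     "birth_year": 1984, "health_note": "asthma"},
]

# Privacy by default: the only fields the analytics purpose needs. Everything
# else (name, email, the sensitive health note) is dropped at the boundary.
ANALYTICS_FIELDS = {"city", "birth_year"}


def new_pseudonymisation_key() -> bytes:
    """Fresh 256-bit key; in practice loaded from a secrets store, never shipped with the data."""
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed hash of an identifier.

    Same identifier + same key -> same pseudonym, so records about one person can
    still be linked. Without the key the pseudonym cannot be mapped back, and a
    plain (unkeyed) hash would be reversible by hashing a list of candidate emails.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def generalise_birth_year(year: int, band: int = 10) -> str:
    """Replace an exact birth year with a decade band, e.g. 1984 -> '1980-1989'."""
    start = year - (year % band)
    return f"{start}-{start + band - 1}"


def minimise(record: Dict, allowed: Iterable[str]) -> Dict:
    """Keep only the fields the purpose needs; unknown or sensitive fields are discarded."""
    allowed = set(allowed)
    return {k: v for k, v in record.items() if k in allowed}


def prepare_for_analytics(records: Iterable[Dict], key: bytes) -> List[Dict]:
    """Minimise every record, pseudonymise its identifier and generalise the birth year."""
    out = []
    for rec in records:
        slim = minimise(rec, ANALYTICS_FIELDS)
        slim["subject_id"] = pseudonymise(rec["email"], key)
        slim["birth_year"] = generalise_birth_year(rec["birth_year"])
        out.append(slim)
    return out


def build_lookup(records: Iterable[Dict], key: bytes) -> Dict[str, str]:
    """Pseudonym -> identifier table, kept by the controller separately from the
    analytics dataset so that access requests and erasure can still be honoured."""
    return {pseudonymise(rec["email"], key): rec["email"].strip().lower() for rec in records}


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    for row in prepare_for_analytics(SAMPLE_RECORDS, key):
        print(row)
```

The separation matters: if the key or the lookup table travels with the dataset, the data is effectively still directly identifying; if the key is destroyed and no lookup is kept, what remains is closer to anonymised data, but only if the generalised fields cannot single someone out on their own.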
DPO – Data Protection Officer
A DPO is mandatory in the following organizations:
• Authority or public body (except courts and OPCs)
• Large-scale data processing
• Large-scale processing of sensitive data and/or data relating to offenses or convictions
Functions of the DPO:
• Information / awareness
• RGPD compliance control
• Advice on, and control of, the implementation of the IPP – Privacy Impact Assessment
• Cooperation and point of contact with the Control Authority
Fines and Control Authority
• More independence of the Authority
– Responsibility for monitoring the application of the RGPD
– Preventive activity for the controller and / or subcontractor
– Requests for authorization in different MS with different decisions
– Delay in obtaining a response
– Harmonization of rules, in particular on international transfers
• More international cooperation between MS Authorities and the European Commission
• Investigative powers | Corrective powers | Advisory and authorization powers
– Conducting audits
– Warnings, reprimands and ordering that requests for the exercise of holders' rights be satisfied
– Issuing opinions; authorizing processing; approving codes of conduct
Application of sanctions
The maximum limit for fines was defined by the RGPD, with each Member State defining a minimum ceiling. In Portugal, the framework has not yet been defined, so at this moment the application of any fine is illegal and unconstitutional.
Limits on fines:
• Lowest severity: 10 million euros or 2% of annual turnover (whichever is higher)
• Highest severity: 20 million euros or 4% of annual turnover (whichever is higher)
In addition to sanctions applied by the competent authority, one of the issues most likely to raise problems for organizations is the holder's right to compensation for material and/or moral damages.
Follow the RGPD, step by step
1. Diagnostic Phase
Read the regulation. Identify the data that exists in the company and the treatment that is done. What types of data are there? For what purpose? And what is the shelf life? Understand what data flows exist. Are there vendors with access to them?
2. Review Phase
3. DPO Phase
Find out whether the company meets the requirements that oblige it to appoint a Data Protection Officer (DPO). Appoint a DPO if necessary and involve them in the preparation process.
4. Implementation Phase
Identify the measures to be taken. Evaluate whether IT systems need to be replaced. Acquire the necessary systems. Draw an implementation plan. Implement the new measures and assess whether everything is in compliance.
5. Phase of compliance
Training for employees. Ensure continued compliance with the RGPD. Business as usual from May 25.