The LOPDGDD changes the requirements for processing the personal data of users and companies. In this article we go through what is new in this law and give you the keys to adapting to it.
What is the Organic Law on Data Protection and Guarantee of Digital Rights?
Although many people still refer to the data protection law as the LOPD, the full name of the current legislation is the Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD, Organic Law 3/2018).
It was published in the BOE on December 6, 2018 and entered into force the following day, replacing the old Organic Law 15/1999 on the Protection of Personal Data. The objective of the LOPDGDD is to adapt Spanish legislation to the European General Data Protection Regulation (GDPR, RGPD in Spanish), applicable since May 25, 2018.
Therefore, when we talk about data protection in Spain, the reference legislation is the LOPDGDD, read together with the GDPR.
This law establishes the requirements and obligations regarding data protection in companies on how to proceed with personal information, as well as the rights that users and consumers have.
The purpose of the LOPDGDD is to protect the intimacy, privacy and integrity of the individual, as required by the Spanish Constitution. It also regulates the obligations of those who process and transfer data, so that every exchange of personal information is carried out securely.
Personal data is considered to be that information in text, image or audio that allows the identification of a person. There is data that is considered low risk, such as name or email, while others are considered higher risk, for example sensitive data related to religion or personal health.
Data that does not allow a person to be identified is not treated as personal data: for example, machinery manuals, weather forecasts, or data that has been anonymised, that is, data that can no longer be linked to any individual. Such data falls instead under the EU Regulation on the free flow of non-personal data (Regulation (EU) 2018/1807).
Likewise, another of its main purposes is to establish a legislative framework for the protection of personal data on the Internet . In this sense, it incorporates points to be taken into account, such as the right to be forgotten or to portability, as well as changes in obtaining consent to collect and use personal information.
Main modifications of the LOPDGDD
The LOPDGDD introduces many changes with respect to the previous Data Protection Law (1999). The requirements for obtaining, storing and sharing information are modified, and new rules are laid down for the processing of user data on the Internet. We look at them in detail below.
Data protection obligations
The objective of this law is to make companies and organizations have a greater commitment to the processing of data and personal files and to regulate data protection. For this, it establishes a series of obligations.
The information that must be given to users in relation to the processing of their data, as well as their rights in this matter, is expanded.
The concept of privacy by design is incorporated. This means that business procedures must be designed with the LOPDGDD in mind from the outset, not retrofitted afterwards.
Security Breach Notification
Security breaches affecting personal data must be notified to the competent supervisory authority (in Spain, the AEPD) without undue delay and, at the latest, within 72 hours of the controller becoming aware of them.
If, in addition, the breach involves sensitive data or is likely to result in a high risk for those affected, the affected individuals must also be informed.
Record of processing activities
The current legislation eliminates the obligation to register files with the supervisory authority.
However, it requires keeping an internal record of all the personal data processing carried out by the entity. Organisations with fewer than 250 employees are exempt only if the processing is occasional, is unlikely to result in a risk to the people affected, and does not involve special categories of data or data relating to criminal convictions and offences.
Consent
Consent, in general, must be freely given, informed, specific and unambiguous.
Companies should review the way they obtain and store consent.
Some practices that were accepted under the 1999 law fall under so-called tacit consent; they are no longer valid now that the GDPR applies.
For consent to be considered "unambiguous", the General Data Protection Regulation requires a statement by the data subject or a clear affirmative action that signals their agreement.
Acceptance cannot be inferred from the silence or inaction of citizens.
In certain cases consent is required to be "explicit", for example to authorise the processing of sensitive data.
Therefore, the consent must be verifiable and those who collect personal information must be able to prove that the affected party granted them their consent.
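The requirements above (a recorded affirmative action, nothing inferred from silence, explicit consent for sensitive data, and a record the controller can later produce as proof) translate directly into how a consent store should behave. The following is an added example, not code from the original article or from any regulator: a small hash-chained consent ledger. The action labels, purposes and subject identifiers are hypothetical and chosen for illustration.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone

# Hypothetical labels for what the person actually did. Only affirmative
# actions count as consent; the EXPLICIT subset is what we accept for
# special-category (sensitive) data.
UNAMBIGUOUS_ACTIONS = {"checkbox_ticked", "button_clicked", "signed_statement", "typed_statement"}
EXPLICIT_ACTIONS = {"signed_statement", "typed_statement"}
# Behaviours from which consent may never be inferred.
INFERRED_ACTIONS = {"pre_ticked_box", "silence", "inactivity", "continued_browsing"}


class InvalidConsent(ValueError):
    pass


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str
    notice_version: str   # the privacy notice the person was shown
    action: str           # the affirmative action (or "withdrawn")
    granted: bool         # False for a withdrawal
    timestamp: str        # ISO-8601, UTC
    prev_hash: str        # hash of the previous record (chain link)
    record_hash: str      # SHA-256 over all fields above


def _hash(body: dict) -> str:
    # Canonical JSON so the same record always hashes identically.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class ConsentLedger:
    """Append-only, hash-chained log: the evidence a controller shows to prove consent."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def _append(self, subject_id: str, purpose: str, notice_version: str,
                action: str, granted: bool, now: datetime | None) -> ConsentRecord:
        ts = (now or datetime.now(timezone.utc)).isoformat()
        prev = self._records[-1].record_hash if self._records else self.GENESIS
        body = dict(subject_id=subject_id, purpose=purpose, notice_version=notice_version,
                    action=action, granted=granted, timestamp=ts, prev_hash=prev)
        rec = ConsentRecord(**body, record_hash=_hash(body))
        self._records.append(rec)
        return rec

    def grant(self, subject_id: str, purpose: str, notice_version: str, action: str,
              *, special_category: bool = False, now: datetime | None = None) -> ConsentRecord:
        if action in INFERRED_ACTIONS:
            raise InvalidConsent(f"consent cannot be inferred from {action!r}")
        if action not in UNAMBIGUOUS_ACTIONS:
            raise InvalidConsent(f"unknown action {action!r}")
        if special_category and action not in EXPLICIT_ACTIONS:
            raise InvalidConsent("special-category data requires explicit consent")
        return self._append(subject_id, purpose, notice_version, action, True, now)

    def withdraw(self, subject_id: str, purpose: str, *, now: datetime | None = None) -> ConsentRecord:
        # Withdrawing must be as easy as consenting, so no action check here.
        return self._append(subject_id, purpose, "", "withdrawn", False, now)

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        # The most recent record for (subject, purpose) decides; no record means no consent.
        for rec in reversed(self._records):
            if rec.subject_id == subject_id and rec.purpose == purpose:
                return rec.granted
        return False

    def verify_chain(self) -> bool:
        # Recompute every hash and link; any edited or removed record breaks the chain.
        prev = self.GENESIS
        for rec in self._records:
            body = asdict(rec)
            body.pop("record_hash")
            if rec.prev_hash != prev or _hash(body) != rec.record_hash:
                return False
            prev = rec.record_hash
        return True


def demo() -> dict:
    """Walk through the cases the text describes; constructed data, returns outcomes."""
    ledger, out = ConsentLedger(), {}
    ledger.grant("subject-42", "newsletter", "notice-v3", "checkbox_ticked")
    out["newsletter"] = ledger.has_consent("subject-42", "newsletter")
    out["never_asked"] = ledger.has_consent("subject-42", "profiling")      # silence is not consent
    try:
        ledger.grant("subject-42", "profiling", "notice-v3", "pre_ticked_box")
        out["pre_ticked"] = "accepted"
    except InvalidConsent:
        out["pre_ticked"] = "rejected"
    try:
        ledger.grant("subject-42", "health-study", "notice-v3", "checkbox_ticked", special_category=True)
        out["health_checkbox"] = "accepted"
    except InvalidConsent:
        out["health_checkbox"] = "rejected"
    ledger.grant("subject-42", "health-study", "notice-v3", "signed_statement", special_category=True)
    out["health_signed"] = ledger.has_consent("subject-42", "health-study")
    ledger.withdraw("subject-42", "newsletter")
    out["after_withdrawal"] = ledger.has_consent("subject-42", "newsletter")
    out["chain_ok"] = ledger.verify_chain()
    ledger._records[0] = replace(ledger._records[0], purpose="profiling")   # simulate tampering
    out["chain_after_tamper"] = ledger.verify_chain()
    return out
```

Each record stores which version of the privacy notice the person saw, what they did and when, which is what a supervisory authority asks for when it demands proof. The hash chain does not stop a controller from rewriting its own database, but it makes any rewrite detectable by anyone who holds an earlier copy of the chain head.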
Proactive responsibility
Also called accountability, this obligation refers to the duty of prevention placed on companies that handle personal information.
To comply with the law, measures must be adopted that sufficiently guarantee that the organisation is in a position to comply with the rules, rights and guarantees established by the European regulation. Acting only once the infringement has already taken place is not considered an adequate strategy, since that infringement can cause harm to the people affected that may be very difficult to compensate or repair.
To do this, all organizations that process files must carry out a risk analysis of their processing in order to establish what measures to apply and how to do it.
These analyses can be simple procedures for organisations that carry out only a few elementary processing operations that do not involve, for example, special categories of data. They will be more complex for organisations that carry out many processing operations, that affect a large number of people, or whose processing by its nature requires a careful assessment of the risks.
When adopting specific measures, the following risks must be taken into account:
- Significant economic, moral or social harm to the people affected by the processing.
- Deprivation of rights or of control over their data.
- Large-scale processing, or processing that reveals an evaluation of personal aspects of those affected.
- Processing of data of vulnerable people, such as minors or people with disabilities.
- Any others identified by the controller or processor.
A special case : Data Protection Impact Assessment
Impact Assessments are the main measure of proactive responsibility.
It consists of an analysis, carried out beforehand, of the data protection risks that a given information system, product or service may entail.
News affecting individuals and companies
The essence of the LOPDGDD is to adapt the Spanish legal system to the European Data Protection Regulation. To do so, it has had to incorporate some important novelties. Among other matters, it adds new obligations on the processing of personal data in cross-border procedures, and it establishes guarantees for biomedical research that go beyond the protection of the individual.
Below we see the changes introduced by this regulation with respect to the old LOPD of 1999.
Data of deceased persons
The following may contact the controller or processor to request access to the personal data of a deceased person and, where appropriate, its rectification or erasure:
- People linked to the deceased by family ties or a de facto relationship.
- Institutions or persons that the deceased had expressly designated for this purpose.
- The legal representatives of minors and the Public Prosecutor's Office.
- The legal representatives of people with disabilities, the Public Prosecutor's Office and those appointed to support them.
Therefore, it expands the people who can have access to that data.
And that is where the controversy arises: unless the deceased expressly prohibited it, even people who were in conflict with them may gain access to that data.
Consent of minors
The age at which they can consent to the processing of their personal data is 14 years .
That is to say, from the age of 14 minors may consent themselves; it is a possibility, not an obligation. For minors under 14, their parents or legal guardians must give that consent.
Data processing due to legal obligation, public interest or exercise of public powers
The processing must be based on a legal rule that establishes that legal obligation, public interest or exercise of public power.
In this regard, the AEPD has analyzed the legal basis of data processing by Public Administrations in a Report. And it points out that the law “ does not consider consent as a valid legal basis for the processing of data by a Public Administration ”.
Special categories of data
Consent alone is not valid to process data of ideology, union affiliation, religion, sexual orientation, beliefs or racial or ethnic origin.
Other requirements are established to process this data:
- It is necessary for the fulfilment of obligations and the exercise of specific rights of the controller or the data subject in the field of employment and social security, where authorised by Union or Member State law or a collective agreement providing adequate safeguards for the fundamental rights and interests of the data subject.
- It is necessary to protect the vital interests of the data subject or of another natural person, where the data subject is physically or legally incapable of giving consent.
- It is carried out, in the course of its legitimate activities and with appropriate safeguards, by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, provided that it relates solely to current or former members of the body and that the personal data is not disclosed outside it without the consent of the data subjects.
- It refers to personal data that the interested party has made manifestly public.
- It is essential for the formulation, exercise or defense of claims or when the courts act in the exercise of their judicial function.
- There are reasons of essential public interest.
Contact details and individual entrepreneurs
The legal basis for processing the data of self-employed professionals is legitimate interest, provided the purpose is professional.
For example, you can process the contact details of the plumber who is going to carry out an installation at your company.
Separately, the processing of data by Public Administrations for archiving purposes based on public interest is lawful; this is set out in the sectoral legislation on archives and heritage.
Treatment of criminal and administrative offenses
These data may only be processed when:
- The controllers are the bodies competent to conduct the sanctioning procedure, to declare infringements or to impose sanctions, and the data is strictly necessary for the purpose pursued by those bodies.
- The processing is provided for by a legal rule.
- It is carried out by lawyers and court agents (procuradores) to record the information provided by their clients in the exercise of their functions.
Blocking of data
Blocking is the step prior to erasing the data.
It means that blocked data cannot be used for any purpose, except to make it available to judges and courts, the Public Prosecutor's Office or the competent Public Administrations, in particular the data protection authorities, for as long as liability could arise from the processing.
Data Protection Officer
Under the LOPDGDD there is an obligation to appoint a Data Protection Officer (DPO, or DPD in Spanish) in three cases:
- When the processing is carried out by a public authority or body.
- When the core activities of the controller or processor require regular and systematic monitoring of data subjects on a large scale.
- When the core activities of the controller or processor involve large-scale processing of special categories of data or of data relating to criminal convictions and offences.
The European Regulation caused a great deal of confusion: it was not clear when appointing a DPO was mandatory and when it was not.
The Spanish law has erred on the side of caution and lists, exhaustively, 16 specific types of entity that must appoint one.
DPOs must be notified to the AEPD or, where applicable, to the regional data protection authorities. These bodies are required to maintain an up-to-date list of DPOs.
DPOs must have professional qualities and expert knowledge of data protection law and practice. The LOPDGDD allows this to be demonstrated, among other means, through voluntary certification schemes; a specific degree is not a legal requirement.
Among the entities that need a DPO are professional associations, educational centres, credit institutions, insurers and investment services firms.
Modification of the electoral regulations
One of the most controversial points of the LOPDGDD has been the inclusion of the Third Final Provision, which modified the Organic Law on the General Electoral Regime (LOREG).
It established that political parties may collect personal data relating to political opinions within the framework of their electoral activities.
It also allowed them to use personal data obtained from web pages and other publicly accessible sources to carry out political activities during the electoral period, including:
- Sending electoral propaganda through messaging systems or by electronic means.
- Contracting electoral propaganda on social networks or equivalent media, which is not considered a commercial activity or communication.
These are practices that the same law treats as illegal for everyone else. The Constitutional Court subsequently declared the new article 58 bis.1 of the LOREG unconstitutional in its judgment 76/2019 of May 22, 2019.
The new digital rights approved by Congress
These are the digital rights approved by the Congress of Deputies to adapt to the demands of the digital age:
- Right to Internet neutrality : Introduces a concept of neutrality in which all network data must be treated in the same way even if its content is different.
- Right of universal access to the Internet : As the new law says, the State will guarantee “universal, affordable, quality and non-discriminatory access for the entire population”
- Right to digital security : Internet providers must inform their users of their rights and the communications received and transmitted must be secure.
- Right to digital education : From the implementation of the law, all educational plans must include training to use new digital technologies.
- Protection of minors on the Internet : The Congress indicates that guardians and families “will ensure that minors make a balanced and responsible use of digital devices” to “guarantee the proper development of their personality and preserve their dignity and fundamental rights ”.
- Right of rectification on the Internet : The regulation of the violation of honor or privacy will be applied when inaccurate or false data is disseminated on the network.
- Right to update information in digital media : It is recognized that it is possible to “ reasonably request from the digital media the inclusion of a sufficiently visible update notice together with the news that concerns you ”.
- Right to privacy and use of digital devices in the workplace : Companies must establish the criteria for the use of digital devices together with labor representatives.
- Right to digital disconnection in the workplace: Workers are not obliged to attend to work communications outside working hours or during rest periods.
- Right to privacy against the use of video surveillance and sound recording devices in the workplace : We have dedicated an entire article detailing everything that has to do with the installation of video surveillance systems at work.
- Right to privacy before the use of geolocation systems in the workplace : Workers may be geolocated as long as employees and representatives are duly informed “ about the existence and characteristics of these devices ”.
- Digital rights in collective bargaining : It is specified that collective agreements establish the guarantees and rights for the processing of personal data of workers at work.
- Data protection of minors on the Internet : The minor must have the consent of the legal representatives and from the age of 14 they can give it themselves.
- Right to be forgotten in Internet searches
- Right to be forgotten in social network services and equivalent services : It is an extension of the right to be forgotten to cover social networks. The withdrawal in said means must take place “without delay”.
- Right of portability in social network services and equivalent services : The right to send content and personal data from one social network to another automatically is recognized.
- Right to a digital will : If the deceased has not left a will, family-related persons will be able to access email, social networks and instant messaging services such as Telegram, being able to delete or modify the data they contain. They will also be able to delete the profiles.
We explain in more depth some of the most important digital rights.
Digital disconnection of workers
Workers have the right to digital disconnection in order to guarantee, outside the legally or conventionally established working time, respect for their rest and holiday time and for their personal and family privacy.
The aim is to avoid digital fatigue among workers as far as possible.
Companies must draw up an internal policy on the responsible use of devices. If you have employees who work from home with digital devices, this policy is how the right to disconnect is guaranteed.
Note that requiring workers to attend to mobile calls, WhatsApp messages or emails outside working hours is a breach of this right.
For more than 20 years the courts have issued rulings preventing employers from giving instructions to their employees outside working hours. This was reflected in two judgments of the High Court of Justice of the Valencian Community in 1996 and of the Balearic Islands in 1997.
However, the LOPDGDD turns this into a statutory rule of common application throughout the territory.
Against this background, companies such as Banco Santander, Banco Popular and its subsidiary Banco Pastor chose to get ahead of events. In June 2018 these entities already agreed new working conditions with the unions, including digital disconnection. By agreement, the workers of these companies are not obliged to answer calls, SMS or emails outside their working hours.
Company access to employee content
The company is allowed to access the contents of the digital devices provided to its workers only in order to control compliance with labor obligations , in addition to guaranteeing the integrity of said devices.
For this, some requirements must be met:
- The company will develop a protocol for the use of digital devices and will communicate it directly to the workers.
- The rules for the use of digital devices must precisely regulate the scope of the worker’s privacy.
- In order for the company to be able to access the content of its workers’ digital devices, it is necessary for the protocol for the use of these devices to precisely indicate the permitted uses and the measures envisaged to guarantee the privacy of the workers.
A real judgment:
A clear example of the importance of establishing internal protocols known to the workers is a ruling of the Supreme Court of March 17, 2017. The company Quorum Gestión Empresarial SL sought to review a reduction in working hours that the court had granted to a worker. The employee claimed that the reduction was needed for reasons of motherhood. However, in the employee's corporate email account the company found an email to her lawyer which showed that the real reason for requesting the reduction was not maternity, but to force the company to dismiss her and pay her severance.
To justify entering the employee's email, the company claimed that it needed access to finish her pending work while she was on maternity leave.
Despite the company's arguments, the Supreme Court sided with the worker, considering that the company had not established any prior rules on the use of digital media, nor had it informed the employee of the reasons for accessing her email.
Video surveillance and geolocation at work
The law allows the company to process the recordings obtained by photographic and video cameras, as well as data on the location of the worker, provided this is done to exercise the employee control functions provided for in the Workers' Statute and within the limits of the law.
Note that there can be no cameras in rest areas, bathrooms, changing rooms, toilets and similar places.
The purpose of video surveillance is to guarantee the safety of people and property, as well as of the facilities.
The recordings must be deleted within a maximum of one month, and the duty to inform can be fulfilled with a sign that indicates:
- That the area is under video surveillance
- The identity of the controller
- Where to exercise data protection rights
- Where to find more information
In general, cameras are prohibited in recreation and rest areas.
In addition, the company must inform its employees of the existence and location of these recording devices, and of the consequences of detecting certain behaviour through them.
Practical case :
One of the best-known recent examples of video surveillance of workers is the López Ribalta case. Let us look at the facts. In a supermarket chain, the managers noticed a mismatch between stock levels and till takings. To find where the difference was coming from, the supermarket installed two types of security cameras:
- Visible cameras pointed at customers.
- Hidden cameras recording employees at the checkouts.
The footage showed that five employees were involved in taking money from the tills, and they were dismissed.
The employees sued the supermarket, alleging that the dismissal violated article 8 of the Convention, which protects private life. However, the High Court of Justice of Catalonia ruled in favour of the employer, holding that it had well-founded suspicions justifying the cameras and that the control measures were proportionate.
In January 2018 a Chamber of the European Court of Human Rights sided with the workers, finding a violation of Article 8 of the Convention and noting that Spanish data protection law (article 5 of the then LOPD) required employees to be informed of the cameras. That judgment was referred to the Grand Chamber, which in October 2019 reversed it and found no violation, holding that covert surveillance was justified by reasonable suspicion of serious misconduct and limited in scope and duration.
Right to be forgotten
As a novelty, the right to be forgotten is also regulated . This right assists the citizen in defending their privacy, intimacy and the protection of their data on the Internet.
In this sense, the right to be forgotten allows the user to claim those data present on the internet or in search engines that contain obsolete or outdated information (even if it is true).
According to this right, users can demand the deletion of personal data in certain cases.
The request to remove information from the Internet can be made when:
- The data is no longer necessary for the purpose for which it was collected.
- The interested user withdraws his consent for the continued use of these data.
- The data has been obtained or processed illegally.
This right may not be exercised in a number of cases:
- When the right to freedom of expression and information should prevail
- For reasons of public interest
Minors and digital education
This new law sets the minimum age for minors to access social networks without parental consent at 14 years, compared to 13 years in the initial text.
The European law leaves it to the regulation of each Member State to set that age in a range of between 13 and 16 years .
On the other hand, the dissemination of images of minors on social networks that may entail an illegitimate interference with their fundamental rights may end in an intervention by the Public Prosecutor’s Office.
Regarding digital education , it establishes the need for the safe use of digital media to be guaranteed in the educational field. And the rights recognized in the Constitution are respected.
To cite some worrying figures quoted when the law was debated: 50% of minors upload content to the Internet without any supervision, nine out of ten parents do not know which pages their children visit, and one in three minors between 12 and 14 years old receives sexual images on their mobile phone.
To achieve this, teachers must be trained in the subject.
In addition, the safe use of digital media must be included in university curricula and in the syllabi of the entrance examinations for senior bodies of the Public Administration, where it relates to the exercise of their functions.
In this sense, initiatives such as those carried out by Internet Segura for Kids are important . This is a project that organizes school days in schools, where teachers and students can learn to use the Internet safely. There are different types of courses:
- Workshops for teachers outside of school hours (3 hours long).
- Workshops for students from 3rd ESO to 2nd Baccalaureate, within school hours (2 classes of 50 minutes).
Help to access the Internet
Internet and mobile operators keep increasing the number of services we can subscribe to. Despite this, there are still families who cannot access the network from their homes, especially in rural areas.
The problems are varied: lack of infrastructure in sparsely populated areas, prices that are too high, and so on. Hence the need to establish discounts on Internet access fees based on the family's situation or income.
A novelty is the possible introduction of a social tariff to facilitate Internet access for all sectors of the population.
It would be a social tariff similar to the one offered on electricity bills. The groups that would have access to the discounts would be large families, low-income households, the unemployed and pensioners. The planned investment is 50 million euros, and the aim is to guarantee a minimum speed of 30 Mbps.
Right to internet neutrality
Providers must offer their services transparently and without discrimination on technical or economic grounds.
They must also guarantee the security of the communications that users receive or transmit through the network.
In other words, it is the right for Internet service providers, and the governments that regulate them, to treat all data traffic passing through the network without discrimination, and without charging users a fee that depends on the content, web page, platform or application they access.
Nor may the type of equipment, device or communication method used for access be taken into account.
Likewise, Internet service providers may not hinder users' access to competing services. For example, Movistar cannot prevent or hinder a user's access to Netflix.
Net neutrality therefore prevents your provider from charging additional fees for visiting a website. If this right is violated, you not only lose the freedom to see what you want on the network, you also end up paying more.
Right to digital will
The relatives or heirs of the deceased can communicate to information society services their wishes about the fate or deletion of the deceased's data, unless the deceased person expressly prohibited it.
With this right, citizens can designate digital heirs in their wills so that they can claim the information published by the deceased person from the companies that hold it.
This digital will can include, for example, passwords for access to bank accounts, social networks or online shops.
Real case:
One of the most awaited rulings on the digital will, which has set a precedent for data protection law, is the decision of the German courts in the case of parents who wanted to access their deceased daughter's Facebook account.
Initially, the Berlin regional court sided with the parents. On appeal, however, the Berlin appellate court accepted Facebook's arguments (the company refused to allow access to the minor's data) and reversed that decision.
Finally, the Federal Court of Justice in Karlsruhe ruled in favour of the family, reasoning that the user contract for the account passes to the heirs like any other contract and is not tied to a specific person, so access by third parties to the account must be expected in certain circumstances.
Digital inheritance is an ethical issue that urgently needs regulation. Until now, companies have acted as they saw fit. For example, in 2016 Apple refused the FBI access to an iPhone owned by the alleged perpetrator of an attack, yet it had no problem unlocking the device of a child who had died of cancer so that her parents could access photos and videos as keepsakes.
Access to public and ecclesiastical files
The LOPDGDD will facilitate the access of the families of the group known as stolen babies to files with their data, including ecclesiastical ones.
In fact, the regulations include an additional provision with an express reference to requests for access to public and ecclesiastical archives that are the subject of police or judicial investigations.
On the other hand, the law will also guarantee that the right to privacy does not harm biomedical research.
Sanctions
Depending on the infringement, administrative fines under the LOPDGDD and the GDPR can reach up to 10 million euros or 2% of global annual turnover for one tier, and up to 20 million euros or 4% of global annual turnover for the most serious tier, whichever amount is higher. Infringements are classified as very serious, serious and minor.
Very serious: time-barred after three years.
- Using the data for a purpose other than the one announced
- Failing to inform the data subject
- Demanding a payment in exchange for access to the stored data
- International transfers of data without adequate safeguards, among others
Serious: time-barred after two years.
- Collecting data of a minor without the required consent
- Failing to adopt the technical and organisational measures needed for effective data protection
- Failing to comply with the obligation to appoint a Data Protection Officer
Minor: time-barred after one year.
- Lack of transparency in the information provided
- Failing to inform the data subject when requested
- Non-compliance by the processor with its obligations
To avoid any of these sanctions, a company that lacks the staff or knowledge to handle this itself would do well to engage a specialised data protection firm; not doing so can turn out to be far more expensive.
The future of data protection
In view of the changes that are taking place in this sector such as this new European regulation, we consider how the Data Protection Law will evolve in our country.
Differences between LOPDGDD and RGPD
The Law on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) is essentially the adaptation to Spanish territory of the General Data Protection Regulation (GDPR) that applies at European level.
In other words, the LOPDGDD goes into more specific aspects that apply only within the country's borders. In particular, it includes specific rules on certain processing operations:
- Contact information for entrepreneurs and liberal professionals
- credit information systems
- commercial operations
- video surveillance at work
- Advertising exclusion
- internal complaints
- Public statistics function
- Archive of public interest
- Administrative infractions and sanctions
In addition, the LOPDGDD, in its articles 34 to 37, indicates that certification of the Data Protection Officer is not mandatory, something the GDPR does not address.
The LOPDGDD, in its article 37, also defines the role of the Data Protection Officer when a complaint is made. Two situations can arise:
- The affected person addresses the DPO, who forwards the complaint to the Data Protection Agency.
- The AEPD addresses the Data Protection Officer, forwarding the affected party's complaint to them.
Basically, these are the differences between the LOPDGDD and the GDPR in terms of content. Beyond them, the law is devoted to adapting the basic precepts of European law to the Spanish sphere.
Summary of the European Data Protection Regulation (RGPD)
1. Awareness
We must ensure that decision makers and key people in our organisation are aware of the changes brought by the GDPR. They need to appreciate the impact it can have and identify the areas that could cause compliance problems under the GDPR.
It is very useful to start by reviewing our organization’s risk register , if we have one.
The implementation of the EU Regulation has significant resource implications, especially for larger and more complex organisations.
2. Information we process
We must document the personal data we hold , where it comes from and with whom we share it. We may need to organize an audit of information, across the organization or in particular business areas.
The RGPD updates the rights of a networked world.
For example, if we have inaccurate personal data and we have shared this with another organization, we need to tell the other organization about the inaccuracy so that it can correct its own records. We will not be able to do this unless we know what personal data we have, where it came from and with whom we share it. Hence the need to document it.
It will also help us comply with the GDPR accountability principle , which requires organizations to be able to show how they comply with data protection principles, for example through effective policies and procedures.
3. Communication of privacy information
We must review the privacy notices and make the necessary changes with the implementation of the Regulation.
With the GDPR there is additional information we need to provide. For example, you have to explain:
- Your legal basis for processing the data
- Data retention periods
- The right of people to lodge a complaint with the supervisory authority if they think there is a problem with the way their data is being handled.
In addition, the GDPR requires that information be provided in concise, easy-to-understand and clear language .
The EU establishes a code of practice on privacy notices that reflects the new requirements of the GDPR.
4. Rights of individuals
It is necessary to review the procedures to ensure that they cover all the rights that individuals have, including how to delete personal data or how to provide data electronically.
Rights with the GDPR
The main rights of individuals under the GDPR are:
- Correction of inaccuracies
- Possibility to delete information
- Avoid direct marketing
- Prevent automated decision making and profiling
- Data portability
In general, the rights that individuals enjoy under the GDPR are the same as those existing under the previous regulation (the LOPD, since replaced by the LOPDGDD), but with some significant improvements.
This is a good time to review the procedures and find out how you would react, if you haven’t already, if someone asks for your personal data to be erased, for example.
Will the systems help you locate and delete the data? Who will make the decisions about disposal?
Right to portability
The right to data portability is new .
This is an enhanced form of the right of access where the data has to be provided to the subject electronically and in a commonly used format. Many organizations will already supply data this way, but if you’re using paper printouts or an unusual electronic format, you should make the necessary changes.
5. Access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
The rules for dealing with subject access requests have changed with the GDPR.
In most cases you cannot charge for complying with a request, and you normally have one month to comply, instead of the 40 days under the old LOPD.
There are different reasons to deny compliance with the subject access request: manifestly unfounded or excessive requests may be charged or rejected. If you want to reject a request, you will need to have policies and procedures in place to demonstrate why the request meets these criteria.
Additional information must also be provided to persons making requests, such as data retention periods and the right to correct inaccurate data.
You must develop systems that allow people to easily access their information online. Organizations should consider conducting a cost/benefit analysis of providing online access.
6. Legal basis for the processing of personal data
It is necessary to analyze the various types of data processing that we carry out, identify their legal basis for carrying it out and document them.
Many organizations have not thought about their legal basis for processing personal data.
The rights of some individuals are modified depending on their legal basis for the processing of their personal data. The most obvious example is that individuals have a stronger right to have their data erased when they use consent as their legal basis for processing.
You also have to explain your legal basis for processing personal data in your privacy notice and when you respond to a subject access request.
The legal bases in the GDPR are generally the same so it should be possible to look at the various types of data processing that you carry out and identify your legal basis for doing so.
Again, you must document this in order to help you meet the “accountability” requirements.
We should review how consent is being sought, obtained and recorded, and whether we need to make any changes.
The GDPR has references to both “consent” and “explicit consent” .
The difference between the two is not clear, as both forms of consent have to be freely given, specific, informed and unequivocal. Consent also has to be a positive indication of agreement to the personal data being processed.
We must ensure that we comply with the standards required by the GDPR. If not, we have to modify the consent mechanisms.
Keep in mind that consent has to be verifiable .
We must have systems in place to verify the age of individuals and to obtain parental or guardian consent for data processing activity.
For the first time, the GDPR offers special protection for the personal data of children, especially in the context of commercial Internet services, such as social networks .
In short, if we collect information about children we will need the consent of a parent or guardian to lawfully process their personal data. This could have significant implications if the organization seeks services from children and collects their personal data.
Remember that consent must be verifiable and that when you collect data from children, your privacy notice must be written in a language that children understand.
9. Data breaches
We must have appropriate procedures in place to detect, report and investigate a personal data breach.
The GDPR introduces a personal data breach notification obligation for all organizations.
Not all breaches have to be reported, only those where the individual is likely to suffer some type of harm, such as identity theft or a breach of confidentiality.
Therefore, we must ensure that we have the appropriate procedures in place to detect, report and investigate a personal data breach. This could involve evaluating the types of data you hold and documenting what would be included in the notification requirement in the event of a breach.
In some cases, individuals whose data has been breached will need to be notified directly, for example where the breach could leave them open to financial loss.
Larger organizations need to develop policies and procedures to handle data breaches, whether at the central or local level. Please note that failure to report a breach when required could result in a fine.
10. Data Protection by Design and Impact Assessments
You need to know about Privacy Impact Assessments (PIAs) and find out how to implement them in your organization.
These can be linked to other organizational processes such as risk management and project management. We must begin to assess the situations in which a PIA will be necessary.
Who will do it? Who else needs to participate? Will the process be executed centrally or locally?
It has always been good practice to take a privacy-by-design approach and conduct a privacy impact assessment as part of this. A privacy by design and data minimization approach has always been an implicit requirement of data protection principles. However, the GDPR makes this an express legal requirement .
Note that a PIA does not always need to be performed; it is required in high-risk situations, for example when new technology is being implemented or where a profiling operation is likely to significantly affect people. Where a PIA indicates high-risk data processing, you will be required to consult the ICO for its opinion on whether the processing operation is GDPR compliant.
11. Data Protection Delegates
Designate a DPO, if necessary, or someone else to take responsibility for data protection compliance and assess where this role will fit within your organization’s structure and governance arrangements.
The GDPR requires some organizations to appoint a data protection officer, for example, public authorities or those whose activities involve the regular and systematic monitoring of data on a large scale.
The important thing is to ensure that someone within the organization, or an external data protection advisor, takes responsibility for data protection compliance and has the knowledge, support and authority to do so effectively.
Therefore, we need to determine if we will need a Data Protection Officer and, if so, assess whether our current approach to data protection compliance will meet GDPR requirements.
If our organization operates internationally, we need to determine which data protection supervisory authority it should report to.
The GDPR contains quite complex provisions to determine which data protection supervisory authority takes the lead when investigating a complaint with an international aspect, for example, when a data processing operation affects individuals from several Member States.
In a nutshell, the lead authority is determined by where the organization has its main establishment or where data processing decisions are made. For a traditional single-site organization this is easy to determine. It is more difficult for complex multi-site businesses where decisions about different processing activities are made in different locations.
The above content published at Collaborative Research Group is for informational purposes only and has been developed by referring to reliable sources and recommendations from experts. We do not have any contact with official entities nor do we intend to replace the information that they emit.