The General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, hereinafter “the Regulation”) marks a turning point for several aspects of data protection in the European Union, among which we can highlight the liability of companies processing personal data, whether they do so as a controller or as a processor.
This turning point rests on several core concepts: the accountability principle, data protection by design and by default, data minimisation, changes to the responsibilities and functions of the Data Protection Authorities, and higher administrative fines for infringements, among others.
By way of background, the previous European data protection framework was established by Directive 95/46 which, as a directive, only imposed an obligation on Member States to transpose its content faithfully through domestic legislation. In theory, it could not be applied directly within the territories of the Member States, whether by the authorities or by individuals. This directive was transposed into Spanish domestic law through Organic Law 15/99 on Personal Data Protection, currently in force in our country, which will need to be amended as soon as possible in order to adapt it to the Regulation.
By contrast, a regulation applies directly within the territories of the Member States and is incorporated directly into domestic law, with no need for any other legal instrument to transpose it. That is, the Regulation is in force in Spain: the authorities may require individuals to fulfil the obligations set out in the Regulation, and individuals may invoke its content to ground their claims and rights, without any domestic legislation transposing it. However, it will not become applicable until 25 May 2018.
At first glance, one might think that the Regulation will not be enforceable for a long time and that companies have ample time to adapt to its provisions. Nonetheless, if we analyse it from the perspective of the responsibilities and obligations the Regulation places on organisations processing personal data, the picture changes and the timeframe is rather tight.
As regards the responsibilities and duties of controllers and processors, there is a big difference between the Organic Law and the Regulation. Under the former, it is enough to respect the principles applicable to data processing and to fulfil the obligations that lighten the burden of liability, such as registering personal data with the Spanish Data Protection Agency, requesting the compulsory authorisations where applicable, and issuing the security document (an obligation arising from Royal Decree 1720/2007, which implements the Organic Law on Data Protection).
However, the Regulation provides no specific activity by which controllers or processors can discharge their responsibilities. On the contrary, under the accountability principle, respecting the data processing rules and fulfilling the Regulation’s obligations will require companies processing data to participate actively in the protection of personal data, which will necessarily occupy a specific position within the organisation.
Security measures are one example: they are no longer classified into levels (a classification that makes determining and fulfilling them easier), because it is the controller who must assess the risk and the necessary measures according to the circumstances of the processing. Likewise, the burden of proving an infringement will not fall on whoever invokes it but on the business; and the records will cover not only the files but all processing activities, and will have to be kept by the controller rather than by the data protection authority.
We could also mention differences concerning the principles applicable to processing, specially protected data, the consent of the data subject, the relationship between controllers and Data Protection Authorities, the rights of data subjects and other topics, among them the position that personal data processing activities occupy among all the activities carried out by the company.
Moreover, infringement of the provisions of the Regulation by controllers and processors can entail administrative fines of up to €20,000,000 or 4% of global annual turnover (whichever is higher), and in determining the amount, compliance with all the provisions of the Regulation will be taken into account among other factors, not merely one or two specific aspects of it.
In short, time is running out, and it is worth seeking advice now on the changes to be implemented in our company in order to avoid higher costs later.