Following on from when new Data Protection Laws were first reported, this is a reminder that the deadline for these laws to come into force is now extremely close. After four years of debate, new regulations were approved which means that in line with European Directives, come the 25th May 2018, we say goodbye to the old system and say hello to the General Data Protection Regulation (GDPR). In Spain, this means the Ley Orgánica de Protección de Datos (LOPD) is being replaced by the Reglamento General de Protección de Datos (RGPD).
What Constitutes Personal Data?: This refers to any information related to a natural person or “Data Subject”, that can be used directly or indirectly to identify them. This could be something as simple as their name, a photo, an email address, bank details, medical details, posts on social media, computer IP address etc.
What is the Purpose of these Directives?: The official statement issued by the EU is that, “the EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy”. The newly drafted directive includes situations that were not previously contemplated and highlights principles of accountability and transparency.
In other words, the data subject whose information has been collected must know for what purpose this has been done, and that purpose must be a legitimate one; the information must only be used in the manner in which it was entrusted; and it is prohibited to send personal data to countries outside of the EU if they do not offer the same guarantees.
Who is Obligated to Register?: In Spain the LOPD came into effect in 1999. However, misinterpretations led many to believe these laws only applied to lawyers, doctors and others who receive personal data of a high level. This is not the case; as per the directives, the following are also obligated to register:
- Organizations with physical presence in at least one EU member state
- Organizations that process or store data on natural persons that reside in the EU
- Organizations that use third-party services that process or store information on natural persons that reside in the EU
Just to be clear, and to avoid further misinterpretations of these new laws, this encompasses ALL businesses, corporations, sole-traders, communities, associations and Public Administration Offices within the EU.
Business Obligations and Overview:
- To register at the Spanish Data Protection Authority
- To have the corresponding Security Documents and Annexes
- To have informative material available and the corresponding forms
- To maintain their Security Documents updated at all times and to carry out the obligatory Audits that verify data protection regulations are being fulfilled
- Data Subjects have the right to know the purpose for and the treatment of their personal data.
- Data Subjects have the right to access, modify, oppose and cancel their personal information as long as they forward written and clear instructions.
- They also have the right to transfer their data to another company
- Persons or companies who have collected data may only use the information for the purpose stated at the start of their agreement.
- If said persons or companies are in breach of data protection regulations, the damaged party must inform the authorities within 72 hours.
- Data Protection Officers (DPOs) must be appointed in the case of public authorities, organizations that engage in large scale systematic monitoring or organizations that engage in large scale processing of sensitive personal data. If this is not your case, you are not obligated to engage this type of service.
- eCommerce businesses and those that have a website must pay special attention to these regulations and update their privacy and third-party policies as well as cookie notices.
Last but not least, Penalties for Non-Compliance:
Any breach of Data Protection Laws will be met with much stiffer fines than before.
| Type of Fine | Previous Fines (€) | Current Fines (€) |
|---|---|---|
| Mild | 601 – 60.000 | 900 – 40.000 |
| Serious | 60.001 – 300.000 | 40.001 – 300.000 |
| Very Serious | 300.001 – 600.000 | 300.001 – 600.000 |
From the 25th May 2018, the maximum fines that can be imposed will be calculated in two tiers:
- Up to 2% of annual global turnover of the previous tax year or 10 million euros (whichever is greater)
- Up to 4% of annual global turnover of the previous tax year or 20 million euros (whichever is greater)
Factors that will influence any penalties to be incurred for non-fulfillment include:
- the gravity/duration of the violation
- the number of data subjects affected and level of damage suffered by them
- the intentional character of the infringement
- any actions taken to mitigate the damage
- the degree of co-operation with the supervisory authority
It is noteworthy that, despite the astronomical potential fines the authorities can issue, they may choose to issue a warning, a reprimand or a temporary ban on processing instead. However, extraordinary measures may be taken, in which case a monetary fine may be imposed in addition to the reprimand.
A Spanish school was fined this year the amount of 3.000 euros for not removing images of a minor on a YouTube video that was posted on their official channel.
Given the seriousness of this law, if you are unsure of your obligations and do not know how to proceed to ensure your business complies with General Data Protection Regulations, the best course of action would be to contract the services of a reputable consultancy that deals with these matters. Canary Admin Services can provide contact information for a company that provides such services so you can sleep easy.