Let's talk about data protection under the General Data Protection Regulation (GDPR).
The General Data Protection Regulation (GDPR) establishes specific requirements for companies and organizations regarding the collection, storage, and management of personal data. These requirements apply both to European organizations that process the personal data of people in the EU and to organizations headquartered outside the EU whose activities are directed at people living in the EU.
When does the General Data Protection Regulation (GDPR) apply?
The GDPR applies in the following cases:
What is personal data?
Personal data is any information related to an identified or identifiable person, also called "the data subject". Examples of personal data:
Special categories of data.
It must be kept in mind that certain categories of data cannot be processed as a general rule, and the same applies to data relating to criminal convictions and offences, unless national or EU law authorizes it. Some of the data that cannot be processed are the following:
Who can carry out the processing of personal data?
Personal data may be processed by several different companies or organizations, often outside the company that collected it. To give an idea of who these parties can be:
Who oversees how personal data is processed within an organization?
Any company that has commercial relations with EU countries must appoint a data protection officer, who is responsible for supervising how personal data is processed and for informing and advising the employees who process the data about their obligations. The data protection officer also cooperates with the data protection authority and serves as the contact point between that authority and citizens.
When should a data protection officer be appointed?
Any organization that has commercial relations with EU countries and their citizens has the obligation to appoint a data protection officer when:
It must be taken into account that if personal data is processed to target search-engine advertising based on people's behavior, the company must have a data protection officer. However, if the company only sends advertising material to its clients once a year, a data protection officer is not necessary.
The same applies to doctors: when collecting data on the health of their patients, a data protection officer is probably not needed, but if personal data on genetics and health are processed for a hospital, then a data protection officer is necessary.
The data protection officer may belong to the organization's staff or may have been hired externally through a service contract. A data protection officer can be an individual or can be a part of an organization.
Transfer of data outside the EU
It should be noted that when personal data is transferred outside of the EU, the protection offered by the GDPR must travel with the data. That means that if the data is exported abroad, the company must ensure that one of the following conditions is met:
The company relies on specific reasons for the transfer (exceptions), such as the consent of the data subject.
When is data processing allowed?
EU data protection rules state that data must be processed fairly and lawfully for a specific and legitimate purpose, and that only the data necessary to achieve that purpose may be processed. The company must ensure that one of the following conditions is met for the processing of personal data:
Keeping the interested party informed is mandatory.
Data subjects should receive clear information about who processes their personal data and why. They should know at least the following:
Depending on how the data is used, the information provided must also include:
What happens when the data collected is from minors?
When personal data of minors is collected on the basis of consent, for example to use a social network or to open an account for downloading content, it is necessary to first obtain parental authorization, for example by sending a notification to the father, mother, or guardian. The age up to which a person is considered a minor varies according to the country of residence, but it is between 13 and 16 years of age.
Right of access and right to data portability
Citizens have the right to access their personal data free of charge. When a request of this type is received, it is necessary:
The interested party will always have the right to rectification and the right to oppose
If a person considers that their personal data is incorrect, incomplete, or inaccurate, they have the right to have it rectified or completed without undue delay. In this case, all recipients of the personal data, including anyone who has consulted it, must be notified when data shared with them has been modified or deleted (unless this would involve a disproportionate effort).
It must be taken into account that the person who provided the information can object at any time to the processing of their personal data for a specific use if the company processes it on the basis of a legitimate interest or for an activity of public interest. The company must stop processing the personal data unless its legitimate interest prevails over the interest of the data subject. This is where the company's legal department must analyze the case.
Likewise, a person can request that the processing of their personal data be restricted while it is determined whether the legitimate interest of the company prevails over their individual interest. However, in the case of direct marketing, the company always has the obligation to stop processing personal data if the data subject requests it.
Right of deletion of the person who provided the information (right to be forgotten)
The controller may be asked to delete the data subject's personal data, for example if the data is no longer necessary to fulfill the purpose of the processing. However, the company does not have the obligation to do so in the following cases:
Watch out for automated decisions and profiling
Data subjects have the right not to be subject to a decision based solely on automated processing, which is why it is important that, before personal data is used for such purposes, the company has the data subject's explicit consent. Except when an automated decision is based on law, the company must:
For example, if a bank automates its decision to grant a loan or not to a person, the person must be informed of the automated decision and have the possibility to challenge the decision and request human intervention.
Data Breach: Providing Proper Notification
One of the risks to individual rights and freedoms is a data breach, and when one occurs it is important to notify the data protection authority within 72 hours from the moment the breach became known. In the face of this type of event, it is also important that the company informs all those affected.
A data breach is the accidental or unlawful disclosure to unauthorized recipients of data for which a company is responsible, as well as the temporary unavailability or alteration of that data.
Importance of responding to requests from individuals who express their desire to exercise their rights
If the company receives a request from an individual who wishes to exercise their rights, it must respond without undue delay, within one month of receiving the request. This period can be extended by two months in the case of complex or multiple requests, provided that the data subject is informed of the extension. These requests are processed free of charge. If the company decides to reject the request, it must inform the data subject of the reasons supporting that decision.
Impact assessment to reduce the risk of violating people's rights and freedoms
It is mandatory to carry out a data protection impact assessment each time new technologies are implemented, provided that the intended processing may represent a high risk to the rights and freedoms of individuals. That high risk exists when:
***Other categories of data processing may be considered high risk by data protection authorities.***
***If the measures indicated in the data protection impact assessment do not eliminate all the high risks identified, the data protection authority must be consulted before the processing takes place.***
Prevention is the solution, and proper record-keeping is therefore the best measure for reducing risk
The company must be able to demonstrate that it acts in accordance with the General Data Protection Regulation and complies with all applicable obligations, especially at the request of, or during an inspection by, the data protection authority.
One way to do this is to keep detailed records of things such as:
The company must also maintain, and periodically update, the written guidelines and procedures and make them known to its employees.
***If you are an SME or smaller company, you do not need to keep records of processing activities as long as:
The importance of protecting data by design and by default
Data protection by design means that the company must take data protection into account from the earliest stages of planning a new way of processing personal data. In other words, the data controller must adopt all the technical and organizational measures necessary to apply the data protection principles and protect the rights of individuals. These measures may consist, for example, of pseudonymization.
Data protection by default means that the company must always adopt the most privacy-protective settings by default. For example, if two privacy settings are possible and one of them prevents third parties from accessing personal data, that one should be the default setting.
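As an added example (not part of the original article, and not code from any specific product), the following Python snippet shows one common way of implementing the two ideas above: keyed pseudonymization of direct identifiers using HMAC-SHA256, where the key is kept separately from the pseudonymized dataset so that only the key holder can link a pseudonym back to a person, and a settings object whose privacy-relevant options are off unless the user explicitly opts in. The record, field names and settings names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample record for a hypothetical customer (not real data).
SAMPLE_RECORD = {
    "email": "ana.perez@example.org",
    "national_id": "12345678Z",
    "postcode": "28001",
    "purchases": 3,
}

# Fields that directly identify a person and must not appear in clear
# text in the analytics dataset. Indirect fields are kept as-is here.
DIRECT_IDENTIFIERS = ("email", "national_id")


def generate_key() -> bytes:
    """Generate the secret pseudonymization key.

    The key is the 'additional information' that GDPR pseudonymization
    requires to be kept separately: it should live in a secrets store,
    never alongside the pseudonymized data."""
    return secrets.token_bytes(32)


def pseudonymize(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with keyed HMAC-SHA256 pseudonyms.

    A plain hash would let anyone with a list of candidate e-mails re-identify
    people by hashing them; a keyed HMAC prevents that without the key, while
    the same input still maps to the same token, so records stay linkable."""
    out = dict(record)
    for name in DIRECT_IDENTIFIERS:
        if name in out:
            digest = hmac.new(key, str(out[name]).encode("utf-8"), hashlib.sha256)
            out[name] = digest.hexdigest()
    return out


def matches(identifier: str, token: str, key: bytes) -> bool:
    """Key-holder-only check: does a known identifier correspond to a pseudonym?

    Uses a constant-time comparison so the check itself leaks nothing."""
    expected = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token)


@dataclass(frozen=True)
class PrivacySettings:
    """Privacy-by-default: every option that exposes personal data is off."""
    share_with_third_parties: bool = False
    profiling_for_ads: bool = False
    public_profile: bool = False


def settings_from_user_choices(choices: dict) -> PrivacySettings:
    """Build settings from a user's choices.

    Only an explicit boolean True enables an option; unknown keys and any
    other value (missing, None, the string "yes") leave the protective default."""
    known = PrivacySettings.__dataclass_fields__
    enabled = {k: True for k, v in choices.items() if k in known and v is True}
    return PrivacySettings(**enabled)


if __name__ == "__main__":
    key = generate_key()
    safe = pseudonymize(SAMPLE_RECORD, key)
    print(safe)
    print(matches(SAMPLE_RECORD["email"], safe["email"], key))
    print(settings_from_user_choices({"public_profile": True}))
```

The analytics team receives only the output of `pseudonymize`, while the key stays with the function that owns the customer relationship; re-identification therefore requires a deliberate, auditable step rather than being possible from the dataset alone.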
What happens if the GDPR is breached?
Failure to comply with the General Data Protection Regulation may result, for certain violations, in fines of up to 20 million euros or 4% of the company's worldwide turnover. The data protection authority may also impose additional corrective measures, such as ordering the processing of personal data to stop.
Source: GDPR.
Abogada María Alejandra Tuozzo M.