The countdown is over: the EU General Data Protection Regulation (GDPR) has been compulsory since 25 May 2018. Decisions need to be taken to ensure compliance with the Regulation; not doing so involves not only the risk of a penalty but also a reputational risk. As business moves towards digital transformation, it must also meet this new challenge.
We organize different types of events with specialized expert speakers who provide an overview of the new regulatory environment from various viewpoints, covering the following key topics:
X-ray of the GDPR: solving the puzzle
What is the GDPR?
- The General Data Protection Regulation of the European Union is directly applicable in all EU Member States and has been mandatory since May 25, 2018. It replaces all prior national legislation and any other industry laws containing personal data protection regulations.
Data Protection Officer (DPO)
- This is a new figure introduced by the GDPR, whose function is to monitor and advise businesses on compliance with data protection legislation. He/she may be internal or external and must have in-depth knowledge of data protection law as well as experience and knowledge of the industry in question. The DPO may take on other duties, provided that there is no conflict of interest and he/she has sufficient time to perform the duties of a DPO.
Record of Processing Activities
- This is the central document of a GDPR compliance program. It is compulsory for businesses with over 250 employees, or which process personal data on a regular basis or process sensitive data. It contains specific details of all the activities of the business that involve processing personal data.
Legal bases for processing
- The GDPR allows personal data to be processed provided that one of a set of requirements, all of which are equally valid, is met. The most important are: consent (a clear affirmative action); the performance of a contract; compliance with a legal obligation; protection of the vital interests of the data subject or of other persons; the performance of a task carried out in the public interest; and the legitimate interest of the controller.
Consent
- One of the legal bases for processing personal data. It must consist of a clear affirmative action by the data subject; tacit consent or inactivity is not valid. When obtaining consent, clear, transparent and specific information must be given on, inter alia, the purposes for which the data are collected, how long the processing will last, and the rights available to data subjects.
Legitimate interest
- One of the legal bases for processing personal data. This legal basis may be used after weighing the interest of the controller or a third party against the fundamental rights of the data subject, bearing in mind the relationship between them and the data subject's expectation that his/her data will be processed for a specific purpose. The data subject must be informed in advance and offered the right to object.
Supervisory authority
- The national administrative data protection authority in each EU Member State. Its duties and powers include supervising compliance by controllers and processors with the GDPR, performing inspections, imposing penalties, issuing reprimands, demands and orders, and validating binding corporate rules for international data transfers.
International data transfers
- The transfer of personal data by a company to a destination outside the European Union. In these cases, it is necessary to ensure that the data will be protected in the same way as if they were inside the EU. This guarantee can be obtained in several ways: through a decision by the European Commission, through the signature of standard contractual clauses approved at a European level, or through the use of binding corporate rules validated by a supervisory authority.
Binding corporate rules (BCRs)
- A binding agreement used as a basis for international data transfers within a corporate group. Their contents are regulated in the GDPR and must be validated by a supervisory authority.
Privacy impact assessment (PIA)
- A specific analysis that must be carried out where the processing entails a high risk to data subjects' rights.
Liability and penalties
- Supervisory authorities have the power to issue reprimands, demands or orders. However, their most important power is that of imposing fines, which can amount to up to 20 million euros or 4% of the infringer's annual turnover. A supervisory authority can act on its own initiative or following a complaint by data subjects.
The Ministry of Health and Social Protection, in a resolution dated February 20, 2019, has established that, due to the private and confidential nature of medical records, health care entities (EPS) cannot order employers to provide the medical records of their employees, and employers cannot request such records from their employees in order to process incapacity to work.
The National Data Protection Commission has published on its website a model record of processing activities for controllers and a model for processors, in accordance with the requirements set forth in article 30 of the General Data Protection Regulation (Regulation (EU) 2016/679), which can be consulted here.
The Portuguese Data Protection Agency (CNPD, by its Portuguese acronym) has imposed a 400,000 euro fine on Centro Hospitalario Barreiro-Montijo for two breaches of the General Data Protection Regulation (GDPR), which has been in force since May 25, 2018.