GDPR special

The countdown’s over: the EU General Data Protection Regulation (GDPR) became compulsory as from 25 May 2018. Decisions need to be taken to ensure compliance with the Regulation. Not doing so involves not just the risk of a penalty but also a reputational risk. As business heads towards digital transformation so must it meet this new challenge.

We organize different types of events with specialized expert speakers who will provide an overview of the new regulatory environment from various viewpoints, with the following principal thresholds:

X-ray of the GPDR: solving the puzzle

Key Topics

Key Topics

¿What is GDPR?

The General Data Protection Regulation of the European Union, is directly applicable in all EU Member States and will be mandatory from May 25, 2018. It replaces all prior national legislation and any other industry laws containing personal data protection regulations.

Data Protection Officer (DPO)

This is a new figure introduced by the GDPR, whose function is to monitor and advise businesses on compliance with data protection legislation. He/she may be internal or external and must have an in-depth knowledge of data protection law and experience and knowledge of the industry in question. The DPD may take on other duties, provided that there is no conflict of interest and he/she has sufficient time to perform the duties of a DPD.

Record of Processing Activities

This is the central document of a GDPR compliance program. It is compulsory for businesses with over 250 employees, or which process data on a regular basis or sensitive data. It contains specific details of all the activities of the business that involve processing personal data.

Legal bases

The GDPR allows us to process personal data provided that certain requirements, which are all equally valid, are met. The most important are: consent (clear affirmative actions); the performance of a contract; compliance with a legal obligation; to protect the vital interests of a data subject or others; for the performance of a task carried out in the public interest; the legitimate interest of the controller.

Consent

One of the legal bases to process personal data. It must consist of clear affirmative action by the data subject. Tacit consent or inactivity are not valid. When obtaining consent, clear, transparent and specific information should be given on, inter alia, the purposes of collecting the data, how long the processing will last, and the rights available to data subjects.

Legitimate interest

One of the legal bases for the processing of personal data. This legal basis may be used after weighing up the interest of the controller or a third party and the fundamental rights of the data subject, bearing in mind the relationship between them and the data subject’s expectation that his/her data will be processed for a specific purpose. It is necessary to inform the data subject in advance and offer him/her the right to object.

Supervisory authority

The national administrative data protection authority in each EU Member State. Its duties include supervising compliance by controllers and processors with the GDPR, performing inspections, the power to impose penalties, to issue reprimands, demands and orders, or validate binding corporate rules for international data transfers.

International transfers

The transfer of personal data by a company outside the European Union. In these cases, it is necessary to ensure that the data will be protected in the same way as if they were inside the EU. This guarantee can be obtained in several ways: through a statement by the European Commission, through the signature of standard contractual clauses approved at a European level or through the use of binding corporate rules validated by a supervisory authority.

Binding corporate rules (BCRs)

A mandatory binding agreement used as a basis for international data transfers. Their contents are regulated in the GDPR and must be validated by a control authority.

Privacy impact asessment (PIA)

A specific analysis that must be carried out where the processing entails a high risk for data subjects’ rights.

Liability and penalties

Supervisory authorities have the power to issue reprimands, demands or orders. However, the most important power they have is issuing fines. Fines can amount to up to 20 million euros or 4% of the infringer’s annual billings. The supervisory authority can act on its own initiative or following a complaint by data subjects.

Compliance plan

24-09-2019
CNPD issued a Deliberation (Deliberation No. 494/2019, of September 3) stating that they will not apply some of the rules of the Portuguese Law implementing GDPR
In order to “ensure the principle of primacy of the European Union law and the full effectiveness of the GDPR”, the Portuguese Data Protection Agency (“CNPD”) “intends to disregard, in situations of processing of personal data it may consider”, some rules of law 58 / 2019, of August 8, being the most relevant:
13-08-2019
New Portuguese Data Protection Act
Law 58/2019, of August 8, which ensures the implementation of the GDPR in Portugal, has come into force last Friday, August 9th.
28-01-2019
CNPD publishes model of record of processing activities
The National Data Protection Commission has published on its website a model of record of processing activities for controllers and a model for processors, in accordance with the requirements set forth in article 30 of the General Data Protection Regulation (Regulation (EU) 2016/679), which can be consulted aqui.
07-11-2018
Garrigues participates in one of the first international publications on privacy since the GDPR
The work reviews privacy regulations in numerous jurisdictions worldwide.
18-06-2018
Protecting personal data under the GDPR in arbitration
In this article we highlight the implications for parties, counsel, arbitral institutions and third party providers and consider how to best deal with GDPR compliance including assessing if consent is necessary, obtaining consent when and if needed, gathering documents, rights of access, denial and deletion, and transfer of personal data outside the EU.
24-05-2018
Data protection regulation in Latin America and the impact of the GDPR
The General Data Protection Regulation (GDPR), which is compulsory as from today, is a complex regulation that extends beyond the borders of Europe. The new rules will affect all companies, regardless of their location, that handle data of individuals living in the European Union, even if the company in question has neither a physical nor a legal presence in Europe.
23-02-2018
Will the General Data Protection Regulation make business cards a thing of the past?
It is believed that business cards, such a 20th century phenomenon, were first used in China back in the 15th century and that they had reached Europe by the 17th century. Despite their antiquity, they nevertheless continue to play an important role in the business world. Cards are still a simple, easy, rapid and inexpensive way for professionals to exchange their contact details. However, and despite the fact that business cards have endured for over 6 centuries, we raise the question: Could their days be counted from 25 May 2018 when it will be compulsory to comply with the terms of the RGPD?
24-04-2017
The new European data protection regulation will mean far- reaching changes for businesses
In May 2018, the new General Data Protection Regulation of the European Union (GDPR) will be obligatory, bringing about major changes in the current model for managing personal data in terms of the rights and obligations that businesses will need to address.
27-03-2017
EU General Data Protection Regulation
The EU General Data Protection Regulation (GDPR) constitutes the greatest legislative landmark in relation to privacy and protection of personal data in Europe in the last 20 years.
06-05-2016
Publication of the European General Regulation on Data Protection and parallel Directives
On May 4, having been several years in the making, the Official Journal of the European Union finally published the regulatory instruments forming the new European framework for personal data protection, namely:

Publications

GDPR special

X-ray of the GPDR: solving the puzzle

CNPD issued a Deliberation (Deliberation No. 494/2019, of September 3) stating that they will not apply some of the rules of the Portuguese Law implementing GDPR

New Portuguese Data Protection Act

CNPD publishes model of record of processing activities

Garrigues participates in one of the first international publications on privacy since the GDPR

Protecting personal data under the GDPR in arbitration

Data protection regulation in Latin America and the impact of the GDPR

Will the General Data Protection Regulation make business cards a thing of the past?

The new European data protection regulation will mean far- reaching changes for businesses

EU General Data Protection Regulation

Publication of the European General Regulation on Data Protection and parallel Directives