The new General Data Protection Regulation is mandatory from 25 May. This has led to stir and confusion for many companies. Therefore, we will try to solve some doubts about it and above all, explain the key points that must be understood about the GDPR.
Does the GDPR apply to any entity responsible for the data processing of a resident of the European Union?
The territorial scope of the GDPR is very broad. However, we must understand that it should not be applied to every entity that performs data processing of natural persons residing in the EU. The Article 3 of the regulation specifies three criteria to be applicable:
1.) The GDPR is applied for the processing of personal data in the context of activities performed in the establishment of the controller or the processor in the European Union regardless of whether the processing takes place in it or not.
2.) The GDPR will also apply if the controller or the processor, even not being established in the European Union, perform personal data processing activities of persons who are in a Member State of the European Union. Therefore, we are talking about the residents from outside the Union, but who are in the community territory. In this case, the GDPR is applied when the controller or the processor offers goods or services to data subjects in the European Union, regardless of whether they are required to pay or when their behavior is controlled, insofar as this takes place in the European Union.
3.) The processing of personal data by a controller who is not established in the European Union, but in a place where Community Law is applicable in accordance with International Public Law, as in the diplomatic mission or in a consular office of a Member State outside of the EU will also apply.
Is it mandatory for all the companies to appoint a Data Protection Officer (DPO)?
It would be a mistake to consider that the regulation obliges all the companies to appoint a Data Protection Officer (DPO). Moreover, the appointment of the DPO by the controller or the processor will only be mandatory in these three cases:
- If the processing is performed by a public authority or body, therefore by Public Administration, except for the courts that act in the exercise of their judicial function.
- When the main activities of the controller or the processor consist of processing operations that due to their nature and objectives require a regular and systematic observation of the data subjects on a large scale. An example of this would be a macro hotel chain at a continental level.
- When the main activity of the controller is processing of personal data considered as sensitive, such as biometric data, health data, ethnic origin or religious beliefs.
In case that the controller does not find himself or herself in one of these three situations, the appointment of the DPO is considered as voluntary and the requirements established in the GDPR for the appointment, position and tasks are applied in the same manner as if the appointment was mandatory. The internal regulations of the Member States, such as LOPD[1] in Spain may also require the mandatory appointment of a DPO in cases other than the GDPR.
[1] LOPD = Spanish Organic Law 15/1999 of December 13 about protection of personal data
How should the consent of the data subject look like?
The GDPR establishes that the consent must be granted through a clear affirmative act that reflects a manifestation of free, specific, informed and unambiguous wish of the data subject. These factors are fundamental to understand that the said consent is not flawed and with which we can start processing their personal data:
Free consent: when the data subject knows the elements about which he or she expresses his or her agreement with the data processing; he or she is not conditioned nor pressured by external influences on him or her that makes the said consent vitiate; and that he or she knows knows that he or she can withdraw the consent at any time through mechanisms such as the right to be forgotten.
Specific consent: when the data subject expresses an individualized consent for each data processing operation planned by the controller.
Informed consent: when the data subject has been informed, before giving his or her consent about the data processing activities planned by the controller in a comprehensible and easily accessible manner.
Unequivocal consent: when there is an objective certainty both of the actual existence of the consent of the data subject and of the content therein, which implies that the data subject must give his or her consent through a clear affirmative act.
And after all this… What happens with the consent of users granted before 25 May?
When the controller has obtained the consent of the data subjects prior to the indicated date tacitly, he or she cannot proceed processing the data of this individual based on this type of legitimation, such as legitimate interest of the company for direct marketing purposes.
The GDPR has made a significant change in the consent granting by the data subjects. This consent is no longer a peremptory norm, but is now a mere basis of legitimation, where the controller has to process the data based on legitimation. So, from now on the controller can have several legitimation bases that can be the consent, a legitimate interest, the execution of a contract drafted by the parties, a vital interest of the data subject and the fulfillment of a legal obligation.
For example, the purposes of direct marketing can be considered as legitimate interest within the framework of a contractual relationship. In no case does the GDPR consider direct marketing as a profiling technique to segment and offer products based on processing. In the mentioned it will always be necessary to offer an express consent.
Based on the Spanish Law 34/2002 of Information Society Services, the consent has a lifetime of 5 years, with which if these data have not been processed, it will be necessary to request the said consent again. Based on data protection, in order to offer services similar to the main activity or contractual relationship with the controller, the said consent will always be maintained until its revocation by the data subject.
Do you want to know more about GDPR? Contact us now!
