The General Data Protection Regulation (GDPR) is applicable beginning May 2018 and has been in force since May 2016. It replaces the Data Protection Directive’s national transpositions and is directly applicable in all EU member states. The GDPR intends to boost transparency and data self-determination by users. Additionally, it aspires to create digital confidence among consumers and harmonization of differing national data protection regimes.
Why the GDPR exerts pressure on companies
The GDPR replaces the differing national transpositions of the Data Protection Directive. Its scope covers any entity that processes personal data of EU citizens. Accordingly, even delivery services that process customer data will be affected by the new obligations introduced by the GDPR. For instance, stricter requirements regulating consent to data processing, record-keeping obligations and notification obligations apply. Further, the individual rights of data subjects were strengthened by, inter alia, introducing the right to data portability. Data controllers as well as data processors are subject to new obligations. The outlined changes require companies to take appropriate measures in order to comply with the GDPR. The first wave of audits by data protection authorities is expected in May 2018.
Such audits carry special weight since the GDPR has staggering fines in store. They can amount to 20.000.000 EUR or 4 % of a company’s worldwide turnover. Sanctioning mechanisms were largely harmonized among the member states’ authorities, which limits the ability of companies to engage in regulatory arbitrage.
Action recommendation
As companies face a considerable regulatory transformation, it is indispensable to set priorities in the adaptation process. The actions taken by your entity should therefore have the following focus:
- Create records of data processing (Art. 30 GDPR)
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR)
- Revisit processor agreements and ensure GDPR compliant cooperation (Art. 28 GDPR)
Finally, additional tailored actions are required to fully comply with the new data protection regime. For example, the organization’s ability to protect individual rights and the ability to execute swift data breach notifications should be tested.
Deviations from the GDPR in Spain
Despite its intention to harmonize EU data protection law, the GDPR contains opening clauses that allow member states like Spain to deviate from the regulation in numerous respects. International companies in particular should take such national deviations into account.
Such opening clauses include:
- Lawfulness of data processing (justification to process data in Art. 6 GDPR)
- Processing of genetic data, biometric data and data concerning health (Art. 9 GDPR)
- Processing in the context of employment (Art. 88 GDPR)
The Spanish government has drafted a legislative proposal which already provides valuable insights into the future regulatory landscape in Spain. Knowledge of Spain’s deviations allows companies to identify both exceptions and tightened rules compared to the GDPR. An individual assessment is advisable for companies active in Spain.
Aaron Nourbakhsh & Karl H. Lincke
If you need additional information regarding the General Data Protection Regulation (GDPR) in Spain,