Countdown for adapting to the new European personal data protection framework

The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is the new regulatory framework adopted by the European Union on the protection of personal data. Although it was published in May 2016, it will not fully come into force until May 2018. Thereafter, both Organic Law 15/1999, on Personal Data Protection and Royal Decree 1720/2007, developing said law, will be revoked.

Both Organic Law 15/1999 and Royal Decree 1720/2007 contain a wide variety of provisions similar to those established by the GDPR. Companies that currently comply with said provisions already have a solid base on which to build their compliance with the GDPR. Even so, the GDPR includes several new developments to which all companies must adapt. The AEPD recently published a range of guidelines to help companies with their efforts to adapt to the new regulations.

Informed consent

Under the GDPR, the unmistakable consent of the interested party shall always be required to process personal data. Said consent must have been granted by a clear affirmative action or statement issued by the interested party. Tacit consent or consent by omission will no longer be permitted, as had been the case to date.

Processing activities started prior to the implementation of the GDPR shall remain valid insofar as explicit consent was granted. Furthermore, in addition to other new developments, the GDPR also demands further information to be provided to interested parties, in particular concerning the legal basis that makes it possible to process personal data, in addition to the scope of rights extended to interested parties. This will involve reviewing not only widely-used informed consent, but clauses included in privacy policies and agreements to this end.

Controllers and data processors

As had been the case to date, the relationship between the controller and data processor must be covered by an agreement, although the GDPR already regulates its basic content more thoroughly. What’s more, the controller will have to adopt appropriate measures to ensure that the processor is able to process data pursuant to the GDPR.

Therefore, it would be advisable for companies that process personal data to adapt to the GDPR as soon as possible rather than waiting until May 2018. This process of adapting will undoubtedly require decision making and measures will need to be adopted that set out a reasonable time frame for their implementation. Particular care will be required, specifically in cases in which sensitive data is processed, for example, data relating to people’s health.