General Data Protection Regulation (GDPR)

Data protection is a fundamental right according to Article 8 of the EU Charter of Fundamental Rights and Convention 108.

The General Data Protection Regulation (GDPR) is a regulation issued by the European Union that must be followed by services provided to European Union countries.

Because internet services tend to be global, in practice it must be complied with by most electronic services around the globe.

GDPR requires that a Data Protection Impact Assessment (DPIA) be completed.

There may be specific regulation within each EU member state. For example, Spain has the General Regulation for Data Protection (in Spanish, Reglamento General de Protección de Datos, abbreviated RGPD).

GDPR Member State Laws added to GDPR

GDPR is complemented by national regulations, for example:

  • Spain: LOPD-GDD

LOPD-GDD (Spain)

Spain: Ley Orgánica de Protección de Datos y Garantía de Derechos Digitales (LOPD-GDD). You can read it in Spanish on this external link.

As of 2023, it was last updated in May 2023; see pages 141-144 (disposición novena) of the document on this external link.

EU Privacy laws before GDPR

Before GDPR, there was the Data Protection Directive (DPD) of 1995.

The original LOPD in Spain was a transposition of this 1995 EU Directive.

Before LOPD, there was LORTAD in Spain.

Adequacy of non-EU Countries

The EU designates certain non-EU countries as adequate regarding privacy, meaning personal data can be transferred to them. You can find a list of these countries on this external link.

Data Transfer to non-EU Countries

GDPR prohibits entities within a country that has no nationwide privacy law from gathering or processing personal data belonging to EU citizens.

For entities in non-EU countries that want to share data between subsidiaries, the following options exist:

  1. Countries complying with EU laws. The entity's own country has nationwide laws that comply with the EU laws. You can find a list on this external link.
  2. Standard contractual clauses (SCC). The entity creates contractual language that complies with the EU laws and has that language approved by each EU country from which the entity wishes to gather data. Pre-approved standard contractual clauses are available on this external link.
  3. Binding corporate rules. Allowed for transfers between internal units of the same firm. It requires that the rules be approved by every EU member nation.

Adequacy of the USA regarding GDPR

The EU and the USA signed a safe harbor agreement called Privacy Shield. Organizations were able to certify their compliance with privacy practices through independent assessors and, if awarded the Privacy Shield, were permitted to transfer information.

A 2020 ruling by the European Court of Justice in a case called Schrems II declared the Privacy Shield invalid.

After Privacy Shield, companies should rely on standard contractual clauses or binding corporate rules.

The European Committee of Data Protection is composed of the director of each control authority in each member state and of the European Data Protection Supervisor, or their representatives.

A data protection impact assessment (DPIA) must be done whenever the processing poses a high risk.
