General Data Protection Regulation (GDPR)

Data protection is a fundamental right according to article 8 of the EU Charter of Fundamental Rights and the Convention 108.

General Data Protection Regulation (GDPR) is a regulation issued by European Union and that must be followed by services provided to European Union countries. Its codename is Regulation (EU) 2016/679.

You can find this external link to Regulation (EU) 2016/679.

Because internet services tend to be global, in the end it must be accomplished by most electronic services around the globe.

GDPR requires that a Data Protection Impact Assessment (DPIA) is completed.

There may be specific regulation within each EU states members. For example, Spain has the General Regulation for Data Protection (in Spanish, Reglamento General de Protección de Datos, whose acronym is RGPD).

Principal aspects of GDPR:

• Principles
• Lawfulness processing
• Data Protection Officer (DPO)

Lawfulness processing

There are specific cases where processing of personal data processing is lawful; otherwise, it is illegal.

The article 6 “Lawfulness of processing” of GDPR summarizes the situation where data treatment is lawful.

Lawfulness of processing principles:

1. the data subject has given consent
2. to perform contract to which the data subject is party
3. legal obligation
4. protect the vital interests of the data subject or of another natural person
5. task carried out in the public interest or in the exercise of official authority
6. legitimate interests, except where they are overridden by the interests or fundamental rights and freedoms of the data subject

Principles

Principles:

1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality

There are some conditions in which the treatment is legal, being consent one of them. They can be listed.

There are many situations where consent is not necessary.

There is a definition for special data.

When access rights is once each 6 months or more, it must be free. In case of higher frequency, data owner may apply a canon.

The age of consent for data treatment must be between 13 and 16.

There is data that cannot be treated, with some exceptions. These exceptions are detailed in article 9.

Some data may be illegal to be treated.

Right to be forgotten is detailed in article 17. There are some conditions in which data must be deleted.

Article 21 is about opposition. It limits the use of data, though it is not deleted.

Decisions derived from automatized treatment is described in article 22.

Decisions made by a data protection authority ends the administrative way.

Treatment Activity Registry is covered in article 30.

The article details the content of this registry.

The information related to the registry is usually available on websites.

Article 33 statest that incidents must be notified in 72 hours after the incident has been discovered

Article 35 is about impact assessment. This impact assessment is necessary in certains conditions:

• Automatic treatment that has effect on significant decisions
• Treatment of special data (see special data definition)
• Surveillance of public areas

When the risk assessment is high, an approval from the local data protection authortiy is required.. The authority must reply in 8 weeks.

Agencia Española de Protección de Datos has a list of situations that require a risk assessment. It is written in Spanish.

Data Protection Officer (DPO)

Article 37 is about DPO.

The Data Protection Officer is mandatory in certain situations:

• For public organizations
• When surveillance on personal data (such as un CCTV) is performed.
• When the main activity of the organization implies processing specail infomation.

The DPO can be externalized.

Audit is mentioned, but it is not mandatory.

GDPR Supervision

The European Data Protection Board (EDPB) supervises the GDPR at EU level.

GDPR State Member Laws added to GPDR

GDPR is complemented with national regulations, as for example:

• Spain: LOPD-GDD

LOPD-GDD (Spain)

Spain: Ley Orgánica de Protección de Datos-Garantía de Derechos Digitales (LOPD-GDD). You can read it in Spanish on this external link.

As of 2023, it was last updated on May 2023, on pages 141-144 (disposición novena) of the document on this external link.

EU Privacy laws before GDPR

Before GDPR, there was the Data Protection Directive (DPD) of 1995.

Original LOPD in Spain was a transposition of this 1995 EU Directive.

Before LOPD, there was LORTAD in Spain.

Adequacy of non-UE Countries

UE denominate countries adequate non-UE regarding privacy, where data can be transferred. You can find a list of these countries on this external link.

Data Transfer to non-UE Countries

GDPR prohibits entities within a country that has no nationwide privacy law from gathering or processin privacy data belonging to EU citizens.

In case of non-UE countries that want to share data between subsidiaries, there are two options:

1. Countries complying EU laws. Their own country has a nationwide laws that complys with the EU laws. You can find a list on this external link.
2. Standard contractual clauses (SCC). The entity creates contractual language that complies with the EU laws and has that language approved by each EU country from which the entity wishes to gather data. Standard of contractual clauses that have been pre-approved. You can find them on this external link.
3. Binding corporate rules. Allowed for transfers between internal units of the same firm. It requires that rules are approved by every Eu member nation.

Adequacy of USA regarding GPDR

EU and the USA signed a safe harbor agreement called Privacy Shield. Organizations were able to certify their compliance with privacy practices through independent assessors and, if awarded the privacy shield, were permitted to transfer information.

A 2020 ruling by the European Court of Justice in a case called Schrems II declared the Privacy Shield invalid.

After Privacy Shield , companies should rely on standard contractual clauses or binding corporate rules.

The European Committee of Data Protection is composed by the director of each control authority on each member state and by the Data Protection European Supervisor or their representatives.

A data privacy impact assessment must be done whenever the data brings a high risk.

You might also be interested in…

• Data Privacy

External References

• Cloud
  • Chapple et al.; “ISC2 CCSP: Official Study Guide – Third Edition”, pages 263-267; Wiley, 2022
• LOPD-GDD
  • AEPD; “La AEPD publica una guía sobre la utilización de datos biométricos para el control de presencia y acceso“; AEPD