Data protection is a fundamental right according to Article 8 of the EU Charter of Fundamental Rights and Convention 108.
The General Data Protection Regulation (GDPR) is a regulation issued by the European Union that must be followed by services provided to European Union countries.
Because internet services tend to be global, in practice it must be complied with by most electronic services around the globe.
GDPR requires that a Data Protection Impact Assessment (DPIA) be completed.
There may be specific regulation within each EU member state. For example, Spain has the General Regulation for Data Protection (in Spanish, Reglamento General de Protección de Datos, whose acronym is RGPD).
GDPR Member State Laws added to GDPR
GDPR is complemented with national regulations, as for example:
- Spain: LOPD-GDD
Spain: Ley Orgánica de Protección de Datos-Garantía de Derechos Digitales (LOPD-GDD). You can read it in Spanish on this external link.
As of 2023, it was last updated in May 2023; see pages 141-144 (disposición novena) of the document on this external link.
EU Privacy laws before GDPR
Before GDPR, there was the Data Protection Directive (DPD) of 1995.
The original LOPD in Spain was a transposition of this 1995 EU Directive.
Before LOPD, there was LORTAD in Spain.
Adequacy of non-EU Countries
The EU designates certain non-EU countries as adequate regarding privacy, so that data can be transferred to them. You can find a list of these countries on this external link.
Data Transfer to non-EU Countries
In the case of non-EU countries, when a firm wants to share data between subsidiaries there are two options:
- Standard contractual clauses (SCC): sets of contractual clauses that have been pre-approved. You can find them on this external link.
- Binding corporate rules (BCR): allowed for transfers between internal units of the same firm. They require that the rules be approved by every EU member nation.
Adequacy of the USA regarding GDPR
The EU and the USA signed a safe harbor agreement called Privacy Shield. Organizations were able to certify their compliance with privacy practices through independent assessors and, if awarded the Privacy Shield, were permitted to transfer information.
A 2020 ruling by the European Court of Justice in a case called Schrems II declared the Privacy Shield invalid.
After the invalidation of Privacy Shield, companies should rely on standard contractual clauses or binding corporate rules.
You might also be interested in…
- Chapple et al., ISC2 CCSP: Official Study Guide, Third Edition, pages 263-267, Wiley, 2022