The General Data Protection Regulation (GDPR) regulates the processing of personal data of individuals in EU member states by individuals, companies or organisations. Anyone who uses such data outside the purely personal sphere, for socio-cultural or financial activities, must comply with the GDPR. It entered into force on 25 May 2018.
Subjects of application
The GDPR applies to all persons, companies or organisations that collect and process the personal data of individuals in the EU.
Example of when the regulation applies
A company offers career guidance and job search services. To carry out its activity, it needs to collect personal data from its clients. It must therefore comply with the GDPR.
Example of when it does not apply
An individual writes down the addresses of their friends in a diary to invite them to a birthday party. In this case, the regulation does not apply.
Changes implied by the GDPR
The new digital paradigm has created a climate of uncertainty for users. Most people do not know who stores their personal data, how it is handled or with whom it is shared. The GDPR aims to remedy this shortcoming, to make companies transparent about their processing and to give customers legal certainty.
Content of the GDPR
The new Organic Law on the Protection of Personal Data and Guarantee of Digital Rights, in line with the European GDPR, establishes that companies are obliged to obtain express, unambiguous and verifiable consent for the information they collect from customers. Under the previous legislation (the Organic Law on Personal Data Protection of 1999) this consent was understood to have been given tacitly when the data were obtained. The new regulation aims to expand users' rights, enhance transparency and strengthen security.
Implications for companies
The aim of the new regulation is to turn companies into responsible managers of the information of their customers, subscribers and users. This means that our marketing actions will have to be 100% aligned with the GDPR, which is a significant change in business strategy. In other words, our portfolio of partners and customers becomes our main asset.
The main changes in the GDPR that we, as a company, are interested in are:
- All companies must keep a register of personal data processing activities: an internal document specifying which data are processed and for what purpose, as well as the security measures implemented.
- Consent requirements towards the customer are reinforced, with more explicit consent checkboxes.
- The information requirements are extended. It is mandatory to state who the controller of the personal data is, their legal address, and with whom the data will be shared.
- As parties involved in the processing of information, our brand partners and collaborators must provide guarantees that they comply with the regulation.
According to the EU Data Protection Regulation, a company's database may only be used for specific purposes that have been communicated to individuals in advance. It is therefore important that you obtain a new subscriber's informed consent before signing them up.
For greater security, make sure that user registration is carried out through an opt-in procedure (a subscription confirmation email). We also recommend that you send a notification that your company complies with the new regulation and include a link that makes it easy for anyone who wishes to unsubscribe to do so.
Implications for users
By consenting to the transmission of their data, the user agrees to receive the information that the company has offered to send them. According to Articles 12 to 23 of the GDPR, the user also has several rights:
Right of access
All users have the right to know how their data is being used, for what purpose and to whom it has been disclosed, as well as to obtain a copy of it. This right gives users greater transparency about the use of their personal information.
Right to rectification
Individuals are entitled to contact the data controller to have erroneous information corrected.
Right to be forgotten
Individuals may request that their data be deleted under certain circumstances. These include:
- When the data no longer needs to be stored for the original reason it was collected.
- When an individual withdraws their consent.
- When the data was illegally collected.
This right does not apply where the right to freedom of expression and information, or reasons of public interest, prevail.
Right to restrict processing
Individuals have the right to limit the way their data are processed. This can be applied while the accuracy of the information provided is being verified or a dispute between the parties is being resolved. Likewise, the user may require that the data be retained rather than deleted, even if they were collected unlawfully, or for the establishment, exercise or defence of claims.
Right to data portability
Individuals have the right to receive a copy of their data so that they can reuse it by transferring it to another company. This measure is intended to give individuals the freedom to decide which company they contract a service from. It therefore benefits the individual while fostering competition between companies in the digital marketplace.
Right to object
This right allows individuals to request that their data not be processed in certain cases, relating to their particular situation or where the processing is for direct marketing purposes. The data controller may, however, demonstrate compelling legitimate grounds that override the rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of claims.
Right not to be subject to automated decision-making
The purpose of this new right for European citizens is to restrict the ability of companies to build user profiles from automatically collected information. The regulation seeks to avoid the negative legal consequences that may arise from the automated processing of personal data.
Confidentiality contracts must be signed
Those who provide a service to the company (management, IT technicians, etc.) and therefore have access to the personal data of employees, customers and suppliers must sign a third-party processing contract.
Company employees will have to sign a confidentiality agreement, since they have full access to the information.