María A. Tuozzo M.

Let's talk about data protection according to the General Data Protection Regulation (GDPR).

Updated: 17 Jun 2023


Photo from Markus Spiske - Unsplash

The General Data Protection Regulation (GDPR) establishes the specific requirements for companies and organizations regarding the collection, storage, and management of personal data. They apply both to European organizations that process the personal data of citizens in the EU, and to organizations that have their headquarters outside the EU and whose activity is directed at people living in the EU.

When does the General Data Protection Regulation (GDPR) apply?

The GDPR applies in the following cases:

  1. The company processes personal data and is based in the EU, regardless of where the data is processed or stored.

  2. The company is based outside the EU but processes personal data relating to offers of goods or services to citizens in the EU, or monitors the behavior of citizens in the EU. Companies that are not based within the EU and that process data of EU citizens must appoint a representative in the EU.

What is personal data?

Personal data is any information related to an identified or identifiable person, also called "the data subject". Examples of personal data:

  1. Name and surname

  2. Home address.

  3. ID/passport number

  4. Income

  5. Cultural profile.

  6. Internet protocol (IP) address

  7. Data held by hospitals or doctors (which uniquely identifies a person for health purposes).

Special categories of data.

It must be kept in mind that there are certain data that cannot be processed under any circumstances, as this would lead to criminal convictions and offenses unless authorized by national or EU law. Some of the data that cannot be processed are the following:

  1. Racial or ethnic origin.

  2. Sexual orientation.

  3. Political views.

  4. Religious or philosophical convictions.

  5. Union membership.

  6. Genetic, biometric or health data, except in specific cases (for example, when explicit consent is given or when the processing is necessary for reasons of essential public interest, based on national or EU law)

Who can carry out the processing of personal data?


The processing of personal data can pass through different companies or organizations, in many cases outside the company that collected it. The roles involved are the following:

  1. The data controller (the person responsible for data processing) decides the purpose and the way in which the data is processed.

  2. The data processor holds and processes the data on behalf of a data controller.

Who oversees how personal data is processed within an organization?


Any company that will have commercial relations with EU countries must appoint a data protection officer, who will be responsible for supervising how personal data is processed and for informing and advising employees who process the data about their obligations. The data protection officer also cooperates with the data protection authority and serves as a contact point between these authorities and citizens.

When should a data protection officer be appointed?


Any organization that has commercial relations with EU countries and their citizens has the obligation to appoint a data protection officer when:


  1. It regularly or systematically monitors citizens or processes special categories of data.

  2. Data processing is a core business activity.

  3. It performs data processing on a large scale.

It must be taken into account that if personal data is processed to target search engine advertising based on people's behavior, the company must have a data protection officer. However, if the company only sends advertising material to its clients once a year, a data protection officer is not necessary. The same applies to doctors: when a doctor collects data on the health of their patients, a data protection officer is probably not needed, but if personal data on genetics and health is processed for a hospital, then a data protection officer is necessary. The data protection officer may belong to the organization's staff or may be hired externally through a service contract. A data protection officer can be an individual or can be part of an organization.

Transfer of data outside the EU


It should be noted that when personal data is transferred outside of the EU, the protection offered by the GDPR must accompany the data. That means that if the data is exported abroad, the company must ensure that one of the following conditions is met:

  1. The data protection of the non-EU country is considered adequate.

  2. The company takes the necessary measures to provide the appropriate safeguards, such as the inclusion of specific clauses in the contract concluded with the non-European importer of personal data.

  3. The company relies on specific reasons for the transfer (exceptions), such as the consent of the data subject.

When is data processing allowed?


EU data protection rules state that data must be processed fairly and lawfully for a specific and legitimate purpose, and that only the data necessary to achieve that purpose may be processed. The company must ensure that one of the following conditions is met for the processing of personal data:

  1. The express consent of the interested party is obtained.

  2. Personal data is necessary to fulfill a contractual obligation or a legal obligation.

  3. Personal data is necessary to protect the vital interests of the data subject.

  4. Personal data is processed for a mission in the public interest.

That is to say, if the company acts in its legitimate interest, and provided that the processing of the data does not seriously affect the fundamental rights and freedoms of the interested party, there will be no problems; however, if the rights of that person prevail over the interests of the company, their personal data cannot be processed.

The General Data Protection Regulation applies strict rules for data processing based on consent. The purpose of these rules is to ensure that the data subject understands what they are consenting to. This means that consent must be given in a free, specific, informed, and unambiguous way, through a request presented in clear and simple language. Consent will be expressed through an affirmative act, such as checking a box online or signing a form. Always keep in mind that when a person consents to the processing of their personal data, it can only be processed for the purposes for which they have given their consent. They should also be offered the possibility to withdraw their consent.


Keeping the interested party informed is mandatory.


Data subjects should receive clear information about who processes their personal data and why. They should know at least the following:


  1. The identity of the person responsible.

  2. Why their personal data is processed.

  3. The legal basis of the processing.

  4. Who will receive the data (if applicable).

Depending on the use of the information, the information provided must also include:


  1. The contact information of the data protection officer (if applicable).

  2. The legitimate interests of the company if it uses this legal basis to carry out the processing.

  3. The measures applied for the transfer of data to a non-EU country.

  4. The period (time) of storing the data.

  5. The rights of the interested party in terms of data protection (for example, access, rectification, deletion, limitation, opposition, portability, etc.)

  6. The right to withdraw consent (when consent is the legal basis for processing).

  7. Whether the communication of data is a legal or contractual requirement.

  8. In the case of automated decisions, information about the logic applied, and the importance and the consequences of the decision.

All information must be presented in clear and simple language.

What happens when the data collected is from minors?


When the collection of personal data of minors is based on consent, for example, to use a social network or for a content download account, it is necessary to first obtain parental authorization, for example by sending a notification to the father, mother, or guardian. The age up to which a person is considered a minor varies according to the country of residence, but is between 13 and 16 years of age.

Right of access and right to data portability


Citizens should have the right to access their personal data free of charge. When a request of this type is received, it is necessary to:

  1. Clearly indicate whether personal data is being processed.

  2. Inform about the processing (purpose, categories of personal data, recipients of the data, etc.)

  3. Deliver a copy of the personal data being processed (in an accessible format).

  4. When the processing is based on consent or a contract, the data subject may also request that their personal data be returned to them or transferred to another company. This is known as the right to data portability. The data must be provided in a commonly used and machine-readable format.

The interested party will always have the right to rectification and the right to oppose


If a person considers that their personal data is incorrect, incomplete, or inaccurate, they have the right to rectify or complete it without undue delay. In this case, all recipients of personal data must be notified if any of the data shared with them has been modified or deleted, as well as those who have consulted said data (unless this is considered to involve a disproportionate effort).

It must be taken into account that the person providing the information can object at any time to the processing of their personal data for a specific use if the company processes it on the basis of a legitimate interest or for an activity of public interest. The company must stop processing the personal data unless the legitimate interest prevails over the interest of the data subject. This is where the company's legal area is important, to analyze the case. Likewise, a person can request that the processing of their personal data be limited while it is determined whether the legitimate interest of the company prevails over their individual interest. However, in the case of direct commercial purposes, the company always has the obligation to stop processing personal data if requested by the data subject.

Right of deletion of the person who provided the information (right to be forgotten)


A person may ask the controller to delete their personal data, for example if the data is no longer necessary to fulfill the purpose of the processing. However, the company does not have the obligation to do so in the following cases:

  1. Processing is necessary to respect freedom of expression and information.

  2. There is a legal obligation where the personal data provided is required.

  3. There are other reasons for public interest in storing personal data, such as public health or scientific and historical research purposes.

  4. Personal data is required to take legal action.

Key points about automated decisions and profiling


Interested parties have the right not to be subject to a decision based solely on automated processing, which is why it is important that, before personal data is used for such purposes, the company has explicit consent. Except when an automated decision is based on law, the company must:


  1. Inform the interested party about automated decisions.

  2. Give the data subject the right to review the automated decision.

  3. Give the interested party the possibility to challenge the automated decision.


For example, if a bank automates its decision to grant a loan or not to a person, the person must be informed of the automated decision and have the possibility to challenge the decision and request human intervention.

Data Breach: Providing Proper Notification


One of the risks to individual rights and liberties is a data breach, and when this occurs, it is important to notify the data protection authority within 72 hours from the moment the breach became known. It is important that, in the face of this type of event, the company informs all those affected.


A data breach is considered the accidental or illegal disclosure to unauthorized recipients of data that is the responsibility of a company, as well as its temporary unavailability or its modification.

Importance of responding to requests from individuals who express their desire to exercise their rights


If the company receives a request from an individual who wishes to exercise their rights, it must respond to the request without undue delay, for which there will be a period of one month from the receipt of the request. This term can be extended for a period of two months in the case of complex or multiple requests, provided that the interested party is informed of the extension. These types of requests are processed free of charge. In the event that the company decides to reject the request, it must inform the interested party of the reasons that support the decision.

Impact evaluation to reduce the risk of violation of rights and freedoms of people


It is mandatory to carry out an impact assessment on data protection each time new technologies are implemented, provided that the intended processing may represent a high risk to the rights and freedoms of individuals. That high risk exists when:



  1. Automated processing and profiling mechanisms are used to assess individuals.

  2. A public access area is observed on a large scale (for example with closed-circuit television).

  3. Special categories of data (for example, health data) or personal data relating to criminal convictions and offenses, are processed on a large scale.


***Other categories of data processing may be considered high risk by data protection authorities.***

***If the measures indicated in the protection impact assessment do not eliminate all high risks identified, the data protection authority should be consulted before the processing takes place.***

Prevention is the solution, therefore proper record-keeping is the best measure for reducing risks

The company must demonstrate that it acts in accordance with the General Data Protection Regulation and complies with all applicable obligations, especially at the request or inspection of the data protection authority.

One way to do this is to keep detailed records of things such as:

  1. Name and contact details of the company involved in the data processing.

  2. Reasons for the processing of personal data.

  3. Description of the categories of persons who provide personal data.

  4. Categories of organizations that receive the personal data.

  5. Transfer of personal data to another country or organization.

  6. Storage period of personal data.

  7. Description of the security measures used in the processing of personal data.


The company must also maintain, and periodically update, the written guidelines and procedures and make them known to its employees.

***If you are an SME or smaller company, you do not need to keep records of processing activities as long as those activities:***

  • Are not done regularly.

  • Do not affect the rights or freedoms of the interested parties.

  • Do not process confidential data or criminal records.

The importance of protecting data by design and by default


Data protection by design means that the company must take data protection into account from the early stages of planning a new way of processing personal data. In other words, a data controller must adopt all the technical and organizational measures necessary to apply the principles of data protection and protect the rights of individuals. These measures may consist, for example, of pseudonymization.


Data protection by default means that the company must always adopt, by default, the settings that best protect privacy. For example, if two privacy settings are possible and one of the settings prevents third parties from accessing personal data, this should be used as the default setting.

What happens if the GDPR is breached?


Failure to comply with the General Data Protection Regulation may result in fines of up to 20 million euros or 4% of the company's worldwide turnover for certain violations. The data protection authority may impose additional corrective measures, such as forcing the termination of the processing of personal data.

Source: GDPR.


Attorney María Alejandra Tuozzo M.




