GDPR special

The countdown’s over: the EU General Data Protection Regulation (GDPR) became compulsory as from 25 May 2018. Decisions need to be taken to ensure compliance with the Regulation. Not doing so involves not just the risk of a penalty but also a reputational risk. As business heads towards digital transformation so must it meet this new challenge.

We organize different types of events with specialized expert speakers who will provide an overview of the new regulatory environment from various viewpoints, with the following principal thresholds:

X-ray of the GPDR: solving the puzzle

Key Topics

Key Topics

¿What is GDPR?

The General Data Protection Regulation of the European Union, is directly applicable in all EU Member States and will be mandatory from May 25, 2018. It replaces all prior national legislation and any other industry laws containing personal data protection regulations.

Data Protection Officer (DPO)

This is a new figure introduced by the GDPR, whose function is to monitor and advise businesses on compliance with data protection legislation. He/she may be internal or external and must have an in-depth knowledge of data protection law and experience and knowledge of the industry in question. The DPD may take on other duties, provided that there is no conflict of interest and he/she has sufficient time to perform the duties of a DPD.

Record of Processing Activities

This is the central document of a GDPR compliance program. It is compulsory for businesses with over 250 employees, or which process data on a regular basis or sensitive data. It contains specific details of all the activities of the business that involve processing personal data.

Legal bases

The GDPR allows us to process personal data provided that certain requirements, which are all equally valid, are met. The most important are: consent (clear affirmative actions); the performance of a contract; compliance with a legal obligation; to protect the vital interests of a data subject or others; for the performance of a task carried out in the public interest; the legitimate interest of the controller.

Consent

One of the legal bases to process personal data. It must consist of clear affirmative action by the data subject. Tacit consent or inactivity are not valid. When obtaining consent, clear, transparent and specific information should be given on, inter alia, the purposes of collecting the data, how long the processing will last, and the rights available to data subjects.

Legitimate interest

One of the legal bases for the processing of personal data. This legal basis may be used after weighing up the interest of the controller or a third party and the fundamental rights of the data subject, bearing in mind the relationship between them and the data subject’s expectation that his/her data will be processed for a specific purpose. It is necessary to inform the data subject in advance and offer him/her the right to object.

Supervisory authority

The national administrative data protection authority in each EU Member State. Its duties include supervising compliance by controllers and processors with the GDPR, performing inspections, the power to impose penalties, to issue reprimands, demands and orders, or validate binding corporate rules for international data transfers.

International transfers

The transfer of personal data by a company outside the European Union. In these cases, it is necessary to ensure that the data will be protected in the same way as if they were inside the EU. This guarantee can be obtained in several ways: through a statement by the European Commission, through the signature of standard contractual clauses approved at a European level or through the use of binding corporate rules validated by a supervisory authority.

Binding corporate rules (BCRs)

A mandatory binding agreement used as a basis for international data transfers. Their contents are regulated in the GDPR and must be validated by a control authority.

Privacy impact asessment (PIA)

A specific analysis that must be carried out where the processing entails a high risk for data subjects’ rights.

Liability and penalties

Supervisory authorities have the power to issue reprimands, demands or orders. However, the most important power they have is issuing fines. Fines can amount to up to 20 million euros or 4% of the infringer’s annual billings. The supervisory authority can act on its own initiative or following a complaint by data subjects.

Compliance plan

16-07-2020
The Court of Justice of the European Union invalidates the Privacy Shield
The Privacy Shield is the framework that permitted international data transfers between Europe and the United States; its invalidation will cause chaos in commercial relations between the EU and the US.
08-11-2019
The new Guidelines on Cookies of the Spanish Data Protection Agency forces the review of all cookie policies of commercial websites
The Spanish Data Protection Agency (AEPD), in cooperation with the entities Adigital, Autocontrol, IAB Spain and the AEA, has published the awaited 'Guidelines on the use of cookies' which is intended to clarify the main obligations that the editors of websites should take into consideration.
13-08-2019
New Portuguese Data Protection Act
Law 58/2019, of August 8, which ensures the implementation of the GDPR in Portugal, has come into force last Friday, August 9th.
13-06-2019
Colombia: The EPS cannot order employers to provide the medical records of their employees to process incapacity to work
The Ministry of Health and Social Protection, in a resolution dated February 20, 2019, has established that due to the private and reserved nature of medical records, health care entities (EPS) cannot order employers to provide the medical records of their employees and employers cannot request said records from their employees to process incapacity to work.
28-01-2019
CNPD publishes model of record of processing activities
The National Data Protection Commission has published on its website a model of record of processing activities for controllers and a model for processors, in accordance with the requirements set forth in article 30 of the General Data Protection Regulation (Regulation (EU) 2016/679), which can be consulted aqui.
07-11-2018
Garrigues participates in one of the first international publications on privacy since the GDPR
The work reviews privacy regulations in numerous jurisdictions worldwide.
06-11-2018
First penalties imposed under the GDPR in Portugal
The Portuguese Data Protection Agency (CNPD, pursuant to its Portuguese acronym) has imposed a 400,000 euro fine on Centro Hospitalario Barreiro-Montijo due to two breaches of the General Data Protection Regulation (GDPR) which has been in force since May 25, 2018.
26-09-2018
How the GDPR impacts M&A professionals
El nuevo marco legal puede tener incidencia en la documentación y en los procesos de las operaciones de compraventa de empresas
18-06-2018
Protecting personal data under the GDPR in arbitration
In this article we highlight the implications for parties, counsel, arbitral institutions and third party providers and consider how to best deal with GDPR compliance including assessing if consent is necessary, obtaining consent when and if needed, gathering documents, rights of access, denial and deletion, and transfer of personal data outside the EU.
13-06-2018
The 'Privacy Shield' comes under European Union scrutiny
The European Parliament's Civil Liberties Committee has filed a motion for resolution for approval in plenary session, requesting that the European Commission suspend the “Privacy Shield” agreement between the European Union and the USA, in force since July 2016, designed to facilitate international data transfer between these two zones.

Pagination

Current page 1
Page 2
Next page
Last page

Publications

GDPR special

X-ray of the GPDR: solving the puzzle

The Court of Justice of the European Union invalidates the Privacy Shield

The new Guidelines on Cookies of the Spanish Data Protection Agency forces the review of all cookie policies of commercial websites

New Portuguese Data Protection Act

Colombia: The EPS cannot order employers to provide the medical records of their employees to process incapacity to work

CNPD publishes model of record of processing activities

Garrigues participates in one of the first international publications on privacy since the GDPR

First penalties imposed under the GDPR in Portugal

How the GDPR impacts M&A professionals

Protecting personal data under the GDPR in arbitration

The 'Privacy Shield' comes under European Union scrutiny