Published and draft legislation - European Union

European Regulation on Data Protection

Regulation (EU) 2016/679 of the European Parliament and of the Council

On 14 April this year, the European Parliament approved the EU Regulation on the protection of natural persons with regard to the processing of their personal data and on the free movement of such data, thereby repealing Directive 95/46/EC (General Data Protection Regulation).

As we reported in Progreso 2, the new Regulation is the result of negotiations that lasted four years, culminating in a reform that aims to give citizens back control over their personal data, to guarantee the consistent and uniform application of the general rules on data processing, and to ensure that all countries in the European Union share the highest standards of protection, adapted to the digital age.

The Regulation will apply from April 2018 to all companies, even those with no presence in the EU, that process the personal data of European citizens in the course of offering them goods or services, whether or not payment is required.

Key changes

Among other provisions, the new Regulation includes:

    • Duty of information and explicit consent: a clear and affirmative consent is required from the person whose personal data is being processed, and that consent may be withdrawn at any time.
    • Right to be forgotten: the right to have personal data rectified or erased under certain conditions.
    • Right to portability: the right to move one’s data to another service provider.
    • Greater data protection for minors: minors under 13 years old will need parental consent to open accounts on social media. This age limit may be raised to 16 by individual member states.
    • Notification of security breaches: security breaches must be notified to the supervisory authority within a maximum of 72 hours, and to the data subject concerned if there is a high risk to their rights and freedoms.
    • New data protection principles: accountability, and data protection by design and by default. The implication is that anyone who processes personal data must take this fundamental right into account from the outset and, by adopting measures commensurate with the risk inherent in the processing, be able to demonstrate compliance.
    • Designation of a Data Protection Officer, obligatory for certain organisations (in the public sector and in Big Data activities). When appointing this Officer, attention should be paid to their specialist legal knowledge and experience in data protection matters.
    • One-stop shop: a company with subsidiaries in several member states will only have to deal with the data protection authority of the member state in which its main establishment is located.
    • Sanctions: fines of up to EUR 20 million or up to 4% of turnover, whichever is higher.

The measures passed by the European Parliament also include a Directive on personal data protection for law enforcement and judicial purposes. The aim is to make it easier to transfer data within the European Union while retaining basic ground rules on data processing and supervision. These new measures seek to protect those involved in police investigations or legal proceedings, whether as victims, defendants or witnesses, and at the same time to facilitate cooperation between security services and judicial authorities.