As many of you may know, on 25 May 2018 the new General Data Protection Regulation (GDPR) will become fully applicable to European companies. The GDPR, adopted in 2016 with a two-year transition period, will replace the Data Protection Directive (Directive 95/46/EC).
The main aim of this new regulation is not only to harmonise the different national rules that exist at European level, so that individuals enjoy the same protection of their personal data regardless of their nationality or place of residence, but also to provide a legal framework adapted to the digital era.
Because the implementation of the GDPR is almost upon us, companies need to hurry up if they want to comply with the new obligations arising from said Regulation. Among other aspects, EU companies should be aware of:
- The need to comply with the principles of accountability and transparency. This involves quite a significant amount of documentation requirements. Other principles such as privacy by design and by default, must also be observed. This entails designing and implementing appropriate technical and organisational measures.
- Analysing the potential risks in order to find weaknesses in the processing operations the company performs on personal data.
- Obligation to provide, at the time of the collection, some information regarding the identity of the controller (i.e. who decides how and why such data is processed), the purposes of the processing, the legal basis for the processing, the period for which the personal data will be stored and, where applicable, if the controller intends to transfer personal data to a third country or international organisation.
- Inform data subjects (i.e. the individuals the data is about) of, and handle requests exercising, several data protection rights such as the right to erasure ("right to be forgotten"), the right to restriction of processing, the right not to be subject to automated individual decision-making, or the right to data portability.
- Notify the supervisory authority (e.g. in Spain, the Spanish Data Protection Agency) of any personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it.
- Designate a Data Protection Officer if the core activities of the company consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of processing special categories of data on a large scale, as may be the case for businesses performing profiling activities.
- And if the company processes personal data in a way likely to result in a high risk for individuals, in particular when using new technologies, it will be necessary, prior to the processing, to carry out a data protection impact assessment of the envisaged processing operations on the protection of personal data.
Rather than dwelling on the obligations imposed by the GDPR, I will highlight the impact that this new European regulation might have in Latin American countries.
In Latin America, data protection is a very topical issue. One of the major developments in the region was the creation in 2003 of the Ibero-American Data Protection Network (RIPD). This network began with representatives of 14 Ibero-American governmental agencies and focused its first activities on advancing the adoption of new regulatory frameworks and the establishment of data protection authorities in its member states.
After the advances in the legal and institutional fields, the network switched its focus to cooperation activities: exchange of information and experiences, as well as the development of common actions and policies.
In this context, and now enlarged to 21 member states, the RIPD has recently recognised in its "RIPD in 2020" document that in some countries, such as Bolivia, Brazil, Ecuador, El Salvador, Honduras, Guatemala, Panamá, Paraguay and Venezuela, further progress on the legal framework is still needed.
Thanks to the RIPD's work, in June 2017 the "Ibero-American Data Protection Standards" were presented in Chile. Their main objective is to facilitate the flow of personal data, not only between Ibero-American states but also beyond their borders, in order to foster innovation and economic growth in the region.
Those Standards were developed taking other international regulations into consideration, among them the GDPR. One might therefore say that the GDPR has a positive impact beyond European borders, particularly in the Ibero-American states, where the European example seems to inspire work towards homogeneous rules in the region that facilitate the flow of personal data.
All of the above is important for European companies: if they are considering transferring personal data to Latin American companies, they will need to comply with the GDPR and, in particular:
- Make sure that the third country where the recipient company is located ensures an adequate level of protection according to the European Regulation (i.e. it benefits from an adequacy decision). In Latin America, currently only Argentina and Uruguay meet this requirement.
- In the absence of an adequacy decision, appropriate safeguards can be provided through binding corporate rules or standard data protection clauses.
- Otherwise, companies could try to bring the transfer under one of the derogations provided in Article 49 GDPR: for example, because they have obtained the explicit consent of the data subject, or because the transfer is necessary for the performance or conclusion of a contract.
To sum up, if your company is considering transferring personal data from Europe to Latin America, your company must comply with the GDPR. Do not forget it! Time goes by and 25 May 2018 is almost here!