Two years after the enactment of the GDPR in the European Union, we recall its main characteristics here. The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, sets out a single set of rules on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
This regulation has been enforced since 25 May 2018 and applies to companies that are established or operate within the European Union. The law came about mainly in response to the rise of electronic commerce, with the aim of protecting European consumers and guaranteeing them a higher level of security in this digital environment. The regulation defines how companies and public entities collect and process their customers’ personal data.
Main topics to remember about the GDPR:
- Covers all organizations that provide services or products to EU residents, whether or not they are based in the EU and even if the services they provide are free of charge.
- Penalties for non-compliance with the GDPR rules include fines of up to €20 million or 4% of annual sales volume.
- Minors under 16 cannot give their own consent to the processing of their personal data by online services; parental consent is required instead.
- If personal data is leaked, the company must notify the competent authorities within 72 hours of detecting the breach (unless the breach is unlikely to result in a risk to the rights and freedoms of individuals). The company must also notify the individuals affected by the breach that their information may have been accessed without authorization.
- Organizations must implement measures that ensure the confidentiality, integrity, availability and resilience of the systems that process personal data.
- It covers organizations of any size, and subcontractors that process data on their behalf are directly liable as well. This includes any organization that collects and/or handles data of European citizens, regardless of where the organization is located.
- The definition of personal data now includes location data and electronic identifiers, customer addresses, purchase histories, access records, e-mail addresses, IP addresses and employee information.
- Companies must control how they collect and process data, and must obtain explicit authorization from consumers before processing their data.