New GDPR law, Procedure for the use of data

Published on: 5 September 2018


I am sure that during last May and June you received, and perhaps are still receiving, notifications from your bank, from the companies whose newsletters you subscribed to, from your energy supplier and, in general, from all the companies that hold your personal information, asking you to accept a new privacy policy. This has happened because of the entry into force of the new European Data Protection Regulation, better known as the GDPR. Here we would like to explain what it entails on a legal level.

The entry into force of the GDPR law

The European Data Protection Regulation entered into force on 25 May 2018. However, it did not come into force all at once. It was approved by the European Parliament more than two years ago. This period of time was given to companies to adjust their procedures to comply with it. However, most companies have taken advantage of the benefits offered by the previous legislation and have delayed its implementation as long as possible. 

It should also be remembered that the GDPR requires the different data protection laws in force in the countries that form part of the European Union to be modified. Obviously, the case of Spain is no exception. The final version has not yet been approved in Parliament, but it is expected to be approved in a very short time. In any case, the European regulation prevails over the national one.

How should data be used from now on?

The premise on which the GDPR is based is that each user's private information must be used lawfully and fairly. From there, it details a series of aspects that must be complied with by the entities that must abide by this regulation.

The data subject should always know what is being done with his or her personal information.

Every natural person should know that his or her personal information is being collected, used, consulted and processed. Moreover, he or she should be aware of exactly what information is being used by the company.

In this regard, the user must give his or her explicit consent to this. It is no longer sufficient to tick a box at the end of a contract or registration process stating that the terms and conditions of use of a service have been read. It is necessary to specifically ask the data subject whether and to what extent he or she consents to the use of his or her personal information by the company in question.

Personal information must be handled on the basis of the principle of transparency.

Under the GDPR, questions about the processing of personal information provided by the user must appear in clear and simple language that can be easily understood by anyone. Using excessively complex sentences with the purpose of misleading the data subject is strictly prohibited and may lead to severe sanctions.

The company that is going to use the user's data must also identify itself properly. This means that it must clearly state its legal identity and its intentions with regard to the data. In addition, it is obliged to appoint a data controller for the processing of its customers' data. It is also obliged to ask for the data subject's permission every time it intends to use the data for a purpose different from the one originally agreed to.

Information regarding the exercise of their rights and associated risks

Any individual who discloses his or her personal information to an organisation should be made aware of the rules, risks, safeguards and rights to which he or she is entitled. The organisation should also specify the appropriate way to enforce those rights if the individual believes that the information is not being handled in an appropriate or previously agreed manner.

The purpose of the processing of personal information

The GDPR clearly specifies that the personal information of any natural person can only be used for legitimate purposes. Moreover, these purposes must be clearly specified at the time of the user's consent. For example, if a company wants to transfer the information to a third party at a later date, it must state this clearly and in a way that leaves no room for doubt in the future.

Methods of collecting personal information

Another new aspect of the GDPR is that the personal information collected from a user must be limited to what is needed for the use to which it is put. To give you an idea, a company that sells electronics products and whose membership programme you have signed up for does not have the right to collect and process information such as whether you are married, have children or practise a particular religion.

In addition, the information cannot be retained indefinitely, i.e. it must be deleted after a certain period of time, whether or not the user requests it. This is the way in which the so-called 'right to be forgotten' has been regulated. 

Finally, the use of personal information should only take place when an objective cannot reasonably be achieved by other means. 

Retention of the user's personal information

We mentioned this briefly above. However, we would also like to add that the company must guarantee to the user that it will not keep his or her personal information stored forever. In fact, it must clearly and unambiguously specify the time limits for its review and deletion. For example, if these are set at 5 years, after that time the data subject must be asked again whether he or she gives permission for further processing. If the data subject refuses, the company is obliged to delete the information.

But how can users be sure that their personal information has been deleted?

On this point, the GDPR is more lax and less specific. In fact, it leaves it up to national laws to establish appropriate ways for the deletion of personal information. The user can use whatever legal means he or she deems appropriate to ensure that such deletion has taken place.

Security measures in the handling of the user's personal information

The GDPR also specifies that the personal information of any subject must be handled in a way that ensures its confidentiality. In this regard, it places particular emphasis on the issue of cyber-attacks and access by unauthorised persons. It also specifies that the equipment used, in the case of digital media, must meet the essential requirements for this purpose.

In short, the GDPR is a regulation that will affect the legislation of all countries with regard to the use of personal data. It is undoubtedly focused on guaranteeing that users' information is used in a reasonable manner and that it is not sold to third parties without their express consent, something that did not happen before.
