
The General Data Protection Regulation provides legal certainty for new businesses and protects the fundamental rights of natural persons


Francisco Fonseca stressed that this Regulation respects all the rights that are enshrined in the Charter of Fundamental Rights of the European Union

June 2017. The General Data Protection Regulation implies a structural and cultural change in the processing of personal data. It aims to generate legal certainty and stability for new types of businesses which are based on the mass exchange of personal data, and to safeguard all citizens' right to privacy, which is recognised as a fundamental right in the EU.

This was how Francisco Fonseca, the Deputy Director-General of the Directorate-General for Justice and Consumers of the European Commission, summarised the new Regulation during his talk at the conference "Are you prepared for the new General Data Protection Regulation?" The conference was organised by Andersen Tax & Legal, in collaboration with the Chamber of Commerce of Belgium and Luxembourg in Spain, and the Hispano-Dutch Business Forum. Other speakers included Yves Verhamme, the President of the Chamber, those responsible for the Privacy, IT & Digital Business area at Andersen Tax & Legal, and Rafael Ripoll, a counsel at the company.

Francisco Fonseca emphasised that “the Regulation is concerned with the protection of the fundamental rights of individuals” which, as he pointed out, is what “gives this Regulation its legitimacy, as this protection is enshrined in the Charter of Fundamental Rights of the European Union, a legally binding instrument which forms part of the primary European law in force”.

During the event the Andersen team explained that the new General Data Protection Regulation (GDPR) will come into force on 25 May 2018, and that companies which are not in compliance with the Regulation by this date will face fines of up to 20 million euros, or 4% of their annual turnover.

They went on to specify that any company, whether European or non-European, that provides services to EU residents and has access to any type of personal data will have to implement the technical and organisational measures required for compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). The team added that in order to become compliant with the new Regulation companies will have to follow a specific process which may take several months.

The Privacy team stressed that one of the most important new elements of the Regulation is the creation of new rights for the protection of data subjects, such as the principle of “data minimisation”, the “right to data portability” and the “right to be forgotten”. Furthermore, under this new Regulation the collection and processing of sensitive data will require the explicit consent of the data subject, while data controllers will have to demonstrate that they have obtained this consent lawfully in accordance with the Regulation.

Finally, they explained that to facilitate the implementation and correct application of the Regulation a new corporate position of data protection officer has been created. The responsibilities of this position will be to manage organisational data protection in a company and oversee compliance with the new data protection requirements. 
