The New General Data Protection Regulation of the European Union

The new General Data Protection Regulation (GDPR) entered into force on 25 May 2018 in the Member States of the European Union, of which Portugal is one.

The GDPR introduced a set of new legal and institutional rules, largely because the former Data Protection Directive had become outdated in view of the technology now in use, the impact of the digital economy, and the spread of social networking and mobile phone usage.

In this context, a regulation adapted to the challenges of our time makes it possible to harmonise the personal data privacy laws of all European Union countries, with the aim of protecting citizens from the massive digital volume of data that is transacted and transmitted between customers and companies or between companies.

The new GDPR therefore applies to all entities which carry out operations involving personal data, namely those which determine the purposes and means of processing personal data (controllers), as well as those which carry out such processing as subcontractors.

Furthermore, the processing of personal data carried out in the course of activities that fall outside the scope of Union law, as well as processing by competent authorities for the purposes of preventing, investigating, detecting or prosecuting criminal offences or executing penalties, including safeguarding against and preventing threats to public security, is not subject to the Regulation.

In addition, the GDPR can be enforced beyond European borders. This was undoubtedly one of the major changes introduced by the new Regulation: it applies to all companies processing the personal data of residents of the European Union when goods or services are offered to them, irrespective of where the company is located, and also where the controller has a permanent establishment in the European Union, even if the processing takes place outside its territory. Thus, Brazilian companies, for example, that process the data of European Union citizens will also have to comply with the provisions of the Regulation.

Data processing covers a wide range of operations performed on personal data by both manual and automated means. Among the most common are collection, recording, storage, consultation and dissemination.

Accordingly, companies are obliged to identify what types of data they hold, for what purpose, for how long the data will be kept, and whether the data subjects have given free, current and informed consent to the use and processing of data already held. This requires revising privacy policies and terms of use, as well as contracts with suppliers and other subcontractors, and meeting the newly created information duties owed to data subjects.

The GDPR provides different instruments for framing data transfers from a European Union country to a third country. In particular, the European Commission may determine that a third country already ensures an adequate level of protection, in which case a company located in that third country is no longer required to provide additional data protection and security guarantees.

However, where no adequate level of protection is recognised, as in the case of Brazil, the transfer may take place if appropriate safeguards are provided and on condition that data subjects enjoy enforceable rights and effective legal remedies. Such safeguards include, in particular, adherence to a code of conduct or a certification procedure accompanied by binding and enforceable commitments to protect the transferred data, the use of the standard data protection clauses adopted by the European Commission, and other appropriate mechanisms for safeguarding the transfer.

It should be noted, however, that where a transfer of personal data to a third country is envisaged in the absence of both an adequacy decision and appropriate safeguards, the transfer may nevertheless take place under a set of derogations applicable in specific situations, such as express consent to the proposed transfer.

The foregoing shows that when the provision of a service or the supply of products between Brazilian and European companies involves the transfer of personal data, the companies must ensure compliance with the rules on transfers of personal data.

As regards non-compliance with these provisions, it should be noted that the fines imposed may reach a maximum of EUR 10,000,000.00 or, in the case of legal persons, up to 2% of their worldwide annual turnover; in more serious cases, fines may amount to EUR 20,000,000.00 or, in the case of legal persons, up to 4% of their worldwide annual turnover.

In this context, it should also be pointed out that data subjects who have suffered damage as a result of a breach of their rights under the new Regulation have the right to claim compensation from both the controller and the subcontractor responsible for the damage.

Compliance with these regulatory provisions is supervised by data protection authorities. These authorities are independent and, through their investigative and corrective powers, monitor the correct application of data protection legislation; they also provide expert advice on data protection issues and receive complaints about violations of the GDPR and the associated national laws. There is an authority of this kind in each Member State of the European Union.

In short, the GDPR represents a major legislative change not only within the European Union but also internationally, since its application extends beyond EU borders.

The content of this information does not constitute any specific legal advice; the latter can only be given when faced with a specific case. Please contact us for any further clarification or information deemed necessary in what concerns the application of the law.