General Data Protection Regulation (GDPR)

European Parliament and Council

Rapid technological developments and globalisation have brought new challenges for the protection of personal data. In this regard, the scale of the collection and sharing of personal data has increased significantly, and currently technology allows the use of personal data on an unprecedented scale.

Those developments require a strong and more coherent data protection framework in the Union, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Thus, natural persons should have control of their own personal data and the legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.

In this context, in April 2016 the European Parliament and Council approved Regulation (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Some of the most relevant aspects included in this Regulation are the following:

  • New rights of data subjects are implemented. Among others, natural persons are granted the ‘right to be forgotten’, the right of access to personal data, the right to data portability, etc.
  • Several obligations for controllers and processors are established regarding the processing of personal data, e.g. they will implement appropriate technical and organizational security measures.
  • Supervision of compliance with the regulatory framework is intensified through the establishment of independent supervisory authorities in each Member State, and through certain forms of administrative and judicial redress.

This document, prepared by the R&D area of Management Solutions, analyzes the new data protection framework defined by this Regulation.

Executive summary

The new Regulation includes, among other aspects, principles regarding the processing of personal data, rights of data subjects, and obligations of controllers and processors.

Scope of application

Protection with regard to the processing of personal data of natural persons and data subjects. It applies to controllers and processors established in the EU, and to those not established in the EU when the processing concerns personal data of data subjects who are in the EU.

Main content

  • Principles on data processing: fair, lawful and transparent processing of data for appropriate purposes, etc.; and prohibition of processing sensitive data (with exceptions).
  • Data subjects’ rights: right of information, access, rectification, right to be forgotten, to restricted data processing and data portability, right to object, etc.
  • Obligations of controllers/processors: general obligation (e.g. protection “by design and by default”), personal data security, impact assessment, data protection officer (DPO) and codes of conduct and certifications.
  • Other aspects: independent supervisory authorities; European Committee on data protection; remedies and penalties; and transfers of personal data to a third country.

