On May 25, 2016, the General Data Protection Regulation (RGPD) came into force in the European Union (EU), which will replace the current regulations in force and which will begin to be applied on May 25, 2018. This Regulation seeks to harmonize the fragmented legal framework of data protection in the European Economic Area (EEA), but also gain confidence and ensure that the consumer’s right to privacy is respected by companies in the global digital economy. This is the reason why the jurisdiction of the RGPD does not intend to stop at the borders of the EU, which raises the issue of extraterritoriality.

The field of application will cover not only entities that deal with personal data that are within the European territory, but also companies or entities from around the world that process personal data as part of the activities of one of its branches established in the EU. , regardless of where the data is treated; or companies established outside the EU that offer products or services (paid or free), or observe the behavior of citizens or residents of the EU.

The RGPD guidelines define the above situation when ‘people are followed on the Internet’. This includes the potential use of profiling techniques to make decisions about the people involved or to analyze or predict their purchasing preferences, behaviors or attitudes. An example would be the case of a travel agency or hotel operator in Panama that creates profiles of its Spanish, Italian, German and Polish clients to offer them offers for other trips or stays.

Likewise, all public bodies and economic borrowers, such as banks and lawyers, must adapt to the obligations of the RGPD, among which the designation of a Data Protection Officer (DPO), who stands out must have legal knowledge and experience in the field of data protection.

The marketing sector of companies will be strongly impacted by this regulation, having to seek the consent ‘free and unambiguous, provided through clear affirmative action’, for any action you want to carry out with the data of your customers Europeans (no more sending of ‘mails’ ‘BtoC’ en masse). The consent, in addition, can not be tacit nor can be provided through pre-marked boxes. Personal data includes ‘cookies’ and IP addresses.

Companies will also have the obligation to inform their clients within a maximum period of 72 hours if a security breach occurs that has endangered the privacy of their data. The RGPD also establishes the principle of active responsibility, better known as ‘accountability’, through which it is intended that companies are responsible for adopting the relevant measures that minimize the possible negative impact of their actions and can demonstrate it.

On the other hand, the RGPD gives European customers or consumers the ‘Right to Oblivion’, which allows any person to demand the removal of their data from Internet search engines, or the ‘right to portability’, which empowers the interested party to recover a copy of their personal data to transmit it to another company.

The violation of the RGPD contemplates a sanctioning regime for the company with fines that vary according to its own breach and that can reach amounts of up to 20 million euros or four percent of the total annual total business volume of the previous financial year, in addition to the serious consequences in the confidence of its clients and entail negative effects for its reputation.

The principle of ‘Privacy by Design’ is another novelty to refer to the obligation for companies to address the technical and legal aspects, in order to take into account the privacy laws at the time of the design of the APP or software, not after AS SAID BY Ismael Gerli Attorney

As regards the transfer of personal data to non-EU Member States, the RGPD confirms the principle that the data controller can only transfer personal data to a third State if it provides an adequate level of protection, rights and freedoms of the people affected. Additionally , Ismael Gerli said The regulation also emphasizes the ‘adequacy decision’ that the European Commission can make through which any transnational transfer can be made without specific authorization. In this regard, in the Latin American region, the European Commission only recognizes Argentina and Uruguay as countries that guarantee an adequate and reliable level of protection to do business. In the absence of an adequacy decision, the transfer can be made through the establishment of adequate guarantees and provided that people have required rights.