Changes associated with technological advances are usually of great proportions and scope. They require technological adjustments, but also the creation of legal bases to regulate their operation.
Through the network, many companies have boosted their advertising and marketing campaigns, gaining access to potential customers and their data. Despite the fact that in some areas of the world this activity has not been regulatedThe European Union was able to do so by protecting the privacy of user data.
The Data Protection Regulation (GDPR) came into force on May 24, 2016 and its task is to establish legal mechanisms for the manipulation of user data on the Internet. The deadline for companies to adapt to the approved legislation expired on May 25 of this year.
The GDPR applies to any company or individual offering goods or services to any citizen of the European Union.The regulation also makes no distinction as to whether or not a business transaction took place between the company and the customer. The regulation also does not distinguish whether a commercial transaction took place between the company and the customer or not. It also applies to those who monitor online behavior in the case of actions carried out in the European Union.
The regulation specifies that its measures protect fundamental rights and freedoms. of European citizens, particularly the guarantee of personal data protection. However, it clarifies that the free movement of personal data is neither restricted nor prohibited.
GDPR a new protection
One of the most relevant aspects of the impact of these legal measures are the monetary sanctions20 million, which can range from 4% of the company's total turnover to 20 million euros, depending on which of the two options is higher.
Privacy by design and privacy by default are two novel features of the instrument. The first defends the principle that privacy is best protected when it is integrated by technology, at the time of the creation of products and services; while the second refers to the obligation of companies to apply the necessary technical measures for data protection to be effective and optimal, taking into account that only personal data that is necessary will be handled.
The GDPR imposes the obligation of a consent given by the user for the collection of his personal data.. In this sense, this consent must be explicit, informed and revocable at any time the person wishes. It should be noted that consent must be obtained for each of the collection objectives.
The instrument introduces the right to portability, which refers to users having the power to request their data from one company and give it to another company or individual. This data includes activity logs and a copy can also be requested for the user.
Likewise, the principle of active responsibility was applied to make companies responsible for the handling of user data. This includes the design of specific protocols to address situations where security is at risk. In the event of a security breach, the organization must respond within 72 hours of the event occurring, report it to the corresponding agency and to the affected citizen.
The application of the regulation and the adjustment of the organizations to such instrument is a matter of study for lawyers in the world, as well as a model of experience to be taken into account by other countries.
Sources consulted