

Measures to comply with the European General Data Protection Regulation – GDPR

Security of personal information is addressed and developed in full in the European General Data Protection Regulation: it is a requirement and an obligation for the data manager, and a right of the subject, that the subject's information be kept safe. The regulation points out that whoever is responsible for managing the data must evaluate the risks in their management processes and take adequate measures, such as encryption or others, to ensure an adequate and confidential level of security, not only against leaks or hacking but also against destruction, loss, alteration or any other event that may cause material or immaterial damage. It also establishes the obligation to notify the subject of the data of any violation of security in any of the ways outlined above.

Data transfer is another topic fully addressed in this regulation, as part of the subject's right to know what processing the information they provide will undergo. If there is any intention of transferring data to another manager, the subject must be informed and their consent required, and they must be told to whom the data will be transferred and the purpose of the processing. The subject must consent to the transfer clearly and voluntarily, and must also be able to decline it.

It must also be taken into account that this regulation requires the subject of the data to consent explicitly to the use of their personal data and to acknowledge and accept the policies. Where this is not already the case, a means of acceptance that records the subject's consent must be provided, since tacit acceptance is not enough. In other words, presenting the privacy policy and stating that users who continue browsing accept its terms is not enough; the subject must indicate that they agree. For example, on web pages, this means adding a data authorization box that the user has to tick to indicate that they have read and accepted the policies or agree to provide information, since the regulation indicates that prefilled authorizations, or authorizations by inaction, are not valid.

It is extremely important that all service providers whose clients include people within the EU are clear about the provisions of this regulation, since, even if the provider is outside the EU, the regulation applies to the processing of data whose subject is within the Union. They must therefore review their usage and data privacy policies and inform all users of updates or changes.

Mayra Navarrete Crovetto
Senior Associate
García & Bodán