Data Protection Compliance: GDPR
The General Data Protection Regulation (GDPR) is a regulation that covers all (or almost all) aspects related to the personal data of European citizens, both within Europe and outside it. It is self-contained, and its rules apply on the basis of the principle of extraterritoriality.
Alongside this principle, which ensures that the data of European citizens are processed in accordance with the standards established by the GDPR, there are also principles of an axiological nature scattered throughout the Regulation (and stated in Article 5) that must be regarded as mandatory and effectively complied with by everyone who processes personal data.
Here is a brief explanation of these axioms, which must be taken into account when implementing a personal data processing policy:
Lawfulness, transparency, and fairness
Lawfulness of processing means that the collection and processing of personal data must have a legal and justified basis, requiring the consent of the data subject or, failing that, a legal provision. The objectives of the Regulation must also be borne in mind.
Transparency and fairness refer to two behaviors that the controller and/or processor must display towards the owner of the data. The data owner has to be sufficiently informed about what the controller and/or processor will do with the data and how they will process it, and must be informed of their rights of information, modification, rectification and deletion as a guarantee, always keeping in mind the purpose for which the data was collected.
Purpose limitation
The collection and processing of personal data must have a lawful, legitimate, transparent, and explicit purpose, which must be communicated to the owner of the data so that they can fully understand what will be done with the personal information that belongs to them. This principle is related to the previous one.
However, this principle also has another face, which is the limitation in terms of purpose. The controller and/or processor of personal data cannot use the data for a purpose different from the one that was communicated to the owner and on which their consent was obtained, much less for purposes incompatible with the law, the Regulation and its provisions.
Minimization of data
Under this principle, the data collected and processed should be only those that, based on an evaluation of the purpose, are the minimum essential to carry out the project that involves their collection and processing.
Accuracy in data recording
The importance of the accuracy principle lies in the fact that, since these are rights belonging to natural persons, the erroneous attribution of data, and in particular its association with persons who are not its true owners, can cause them harm.
In addition, this principle gives the owner strict control over the so-called ARCO rights (access, rectification, cancellation, and opposition).
Temporal limitation in the conservation of personal data
This principle is related to the principle of data minimization, but from its temporal aspect. Data should not be kept for longer than is necessary to fulfill the purpose for which they were collected. Once the reason for their collection and processing has disappeared, they must be destroyed or, at the very least, dissociated from their owner.
However, the various laws may establish exceptions to the principle of time limitation: for a public interest, for scientific or academic purposes, or because the law obliges the controller to retain the data for a longer period even though the purpose has been fulfilled (e.g. tax obligations).
One manifestation of this principle is the so-called “Right to Be Forgotten”.
Integrity and Confidentiality
Both principles have to do with the fact that the controller, primarily, and also the processor of personal data must maintain a proactive attitude when collecting and processing data.
Furthermore, data processors and controllers have a proactive responsibility, and both must take all necessary measures to avoid data breaches. In Argentina, the responsibility of the data controller is objective (strict liability), through the application of the theory of risk.
At Moeller IP Advisors we can assist you in complying with all these principles if you or your company decide to launch your own product or service in the European Union.
On February 2nd, the European Data Protection Board (EDPB) published a series of responses to inquiries prepared by the European Commission (justice and consumers section). These consultations ask the EDPB to resolve questions about the protection of personal data used in clinical research.
European Data Protection Board
The document is divided into six sections, developed in various paragraphs, containing answers to questions ranging from ethical issues and informed consent to anonymization processes and the collection and processing of personal data obtained in medical research.
Regarding informed consent and data processing, special focus is placed on its legal basis and on the distinction between informed consent and consent as a legal basis under the standards of the General Data Protection Regulation, the two being complementary for such protection. The document also addresses the need for a special consent from the patient when there is no alternative to the treatment that the research is developing in order to improve the subject's quality of life.
The same applies when data controllers conduct clinical trials in different Member States of the EU and it is necessary to homogenize the legal basis of all of them, when conducting the project, to comply with the GDPR standards and their respective local particularities.
An interesting topic that the document tries to elucidate, although it is left to a later consultation, is the possibility of extending the consent of the data owner (the trial subject) obtained in one trial to other trials of the same nature.
Related questions about the Data Protection document
Regarding obtaining broad consent in clinical trials, the EDPB refers in a certain way to recital 33 of the GDPR, in order to minimize the requirements of specific consent when the purpose of the data processing cannot be determined at the initial stage of collection.
Finally, the document refers to related issues such as:
1) The use of the information obtained directly from the data owner for purposes other than those originally communicated, and, where necessary, in which cases and how the requirement of transparency must be complied with.
2) The application of processes of pseudonymization and anonymization of personal data in clinical trials.
3) The processing of specific categories of data and their treatment on a large scale during clinical trials.
For further information or professional advice regarding clinical trials, legal requirements, compliance, and data protection, you can contact the members of Moeller’s Legal Department in charge of this area through our Relationship Managers Vivien Racy and/or Vivianne Cardoso, following this link.
Protection of personal data is an issue that has gained relevance in the last year in all parts of the world. An example of this phenomenon is the implementation of the General Data Protection Regulation (GDPR) in the European Union in 2018, or the new laws, amendments to existing ones and judicial decisions on the matter that Latin American countries have begun to adopt in order to align with the Community regulations.
In this respect, in a recent judicial ruling, the Supreme Court of Justice of the Nation of Mexico (SCJN) analyzed the appropriate period for retaining personal data under the Law for the Protection of Personal Data in Possession of Obligated Subjects of the State of Guerrero, and declared a portion of that law invalid because it established generic terms for the retention of personal data.
The Court understood that this generic term violated the right to the protection of such data, since their processing requires individualization in each specific case, so that the applicable retention periods must be determined by reference to the provisions governing the matter in question.
As a result of this resolution, the Supreme Court ordered the Institute of Transparency, Access to Information and Protection of Personal Data of the State of Guerrero to issue, within 90 days, the guidelines to which the corresponding general law refers. Finally, it is important to note that this decision was also applied to other states, such as Jalisco, Michoacán and Sinaloa, in which the Institute of Transparency, Public Information and Protection of Personal Data was notified to adapt its regulations to this criterion, since the local law had improperly extended the term to one year.
Source: www.elpuntocritico.com
General Data Protection Regulation (GDPR)
On May 25, 2018, after its approval by the European Parliament and the Council, the General Data Protection Regulation (GDPR) came into force in the European Union, in order to unify the regulations of all the Member States on the matter. Faced with this new regulation, which affects both citizens and European companies, the complex exit of the United Kingdom from the Union, for which a new date of October 31st* of this year has been set, is one of the biggest concerns for Community companies that operate in the United Kingdom.
Hypotheses about Brexit
Faced with this situation, different hypotheses arise depending on whether the House of Commons decides to leave the EU with an agreement, also known as a “Soft Brexit”, or without an agreement, giving way to a “Hard Brexit”.
If the exit takes place under an agreement, the so-called “Soft Brexit”, the GDPR will continue to apply during the transition period set by that agreement, creating a period for the transposition of laws. From that date, the United Kingdom would have until December 31st, 2021 to sign new treaties with the European Union, including those related to data protection.
On the other hand, if no exit agreement is reached, this would lead to what is known as a “Hard Brexit”, whereby the UK’s relationship with the EU would be similar to the one maintained with the United States, where “safe harbor” agreements are required, together with compliance with a further series of requirements, to allow the acquisition and handling of data of European citizens and companies.
In other words, a legal vacuum would be created for a period of time for all European companies that currently handle data in the United Kingdom, until new agreements on the subject are signed.
Conclusion about GDPR and Brexit
Therefore, taking into account the present scenario and the continuous postponement of the famous Brexit during the current year, it is certain that the departure of the United Kingdom from the EU will not be calm and peaceful, and that it will affect different aspects of the Community system, such as the protection and control of data exchanges.
Thus, the most advisable course for companies that handle European data is to comply with both the GDPR and the earlier regulation, Spain's Organic Law on the Protection of Personal Data (LOPD), in order to avoid any type of conflict during this transition.
* After the postponement of Brexit on 04/12/2019, the departure of the United Kingdom is delayed until 10/31/19, in order to offer six extra months to reach an agreement that allows an orderly departure.
Source: www.zonamovilidad.es
Artificial Intelligence and GDPR
The interaction between Personal Data Protection and Artificial Intelligence (AI) becomes particularly interesting when issues arise from the use of personal data by AI systems.
General Data Protection Regulation (GDPR)
The new General Data Protection Regulation (GDPR) of the European Union (EU), which entered into force on 25 May 2018, aims to give control to citizens of and residents in the EU over their personal data.
Regarding Artificial Intelligence in particular, the GDPR aims to create transparency rights and safeguards against automated decision-making, meaning decisions that are made by machines using personal data.
In essence, GDPR states that:
- When companies collect personal data, they have to say what it will be used for, and must not use it for anything else.
- Companies are supposed to minimize the amount of personal data they collect and keep, limiting it to what is strictly necessary for the stated purposes. They are also supposed to put limits on how long they hold that data.
- In short, companies must tell people what data they hold on them, and what is being done with it.
- Companies should be able to alter or delete people’s personal data if requested.
- If personal data is used to make automated decisions about people in an AI system, companies must be able to explain the logic underpinning the algorithm used for the decision-making process, i.e., the general functionality of the automated system.
In particular, Article 22 of the GDPR grants individuals the right to contest a completely automated decision if it has legal or other significant effects on them.