Brief review of the EU General Data Protection Regulation (GDPR)

Feb 27, 2019

On May 25, 2016, 20 days after its publication in the Official Journal of the European Union, the GDPR of the European Parliament and the Council came into force. Its application became effective after a transition period of two years, starting on May 25, 2018.

What is the EU looking for with the implementation of the GDPR?

The objective of the GDPR is to protect the treatment of personal data of all European citizens and to prevent violations of their privacy. It also contains articles on the free circulation of these data.

The protection of personal data is a fundamental right under art. 8, item one, of the Charter of Fundamental Rights of the European Union and art. 16, item one, of the Treaty on the Functioning of the EU.

What does it mean to protect the “treatment” of “personal data”?

The European Parliament is very clear in determining that personal data is “all information about an identified or identifiable natural person”. The key point of the GDPR is the treatment of such data, which is defined as “any operation or set of operations performed on personal data or personal data sets”.

From the above it follows that the GDPR is addressed both to companies, whether located in the EU or not, that deal with personal data of EU citizens, and to those citizens, so that they can exercise their rights over their data.

As you can see, the regulation has a wide scope: for example, a company located in a country outside the EU that treats personal data of European citizens must comply with this legislation. In case of non-compliance with the GDPR, data regulators may sanction companies with a fine of up to 4% of their annual global turnover, depending on the type of non-compliance. It is for this reason that the EU granted a grace period of two years for it to be implemented.

What new rights does the GDPR add to the previous legislation on personal data of EU member countries?

To the ARCO rights (rights of Access, Rectification, Cancellation and Opposition) that governed in the great majority of EU member countries before the implementation of the GDPR (for example, in Spain through the old Organic Law 15/1999 of Protection of Personal Data), the so-called POL rights are added: the right to Portability (Article 20), the right to Oblivion or right to suppress data (Article 17), and the right of Limitation (Article 18). The right to transparency of information (Article 12) is also notable.

Briefly, what does each of these rights mean, through which the owner of personal data can control it in the hands of third parties?

A- Access: Right by which the owner of the data can access their personal information that is in the hands of third parties. The owner can also request information on how this data was obtained.

R- Rectification: Right to rectify incomplete or erroneous personal data that is in the hands of third parties.

C- Cancellation: Right by which the owner can delete personal data held by third parties whose purposes have not been adjusted in accordance with the law.

O- Opposition: Right by which the owner of personal data may object to its use, requesting that its treatment cease.

P- Portability: The owner who has given personal data to a third party has the right to request it back, in a commonly used and easy-to-read format, to be transferred to a new data processing entity.

O- Oblivion: Closely related to the cancellation and opposition rights, but in the digital environment. Holders may request from third parties (for example, search engines) the immediate elimination of personal data reachable through links that contain erroneous information, obsolete data or data that no longer meets its original treatment purpose. The right to be forgotten cannot be used when it goes against freedom of expression and information.

L- Limitation of data processing: Right that allows the owner of the data to request, in cases where it is not clear whether personal data should be deleted, that their personal data be treated only with their consent and that its treatment be limited in the future.

Through these rights, the owner can control their personal data in the hands of third parties.

Who controls compliance with the GDPR?

Compliance with the regulation is controlled by the control authorities designated by each State party within its territory. Each supervisory authority shall supervise the proper application of the regulation in the EU with complete independence in the performance of its functions (Article 57).

Likewise, the control authorities have the power to investigate and sanction the companies that carry out the processing of personal data (Article 58).

Beyond the autonomy of each main control authority in each Member State, art. 60 provides that there should be cooperation and assistance between the control authorities of different countries within the EU.

On the other hand, the regulation has a “one-stop-shop” system for the EU member states, administered by each supervisory authority.

By way of conclusion, you have surely noticed the implementation of the GDPR, having received emails from Facebook, Twitter and Instagram in early 2018 about updating personal data policies, or having entered different websites with a section where you must give (or withhold) consent to the “Terms and conditions of use”, “Privacy policies” and “Cookies” of the site you are browsing, which are in accordance with the regulation.

Through this consent, the EU seeks to promote an adequate use of personal data and its transparent treatment, guaranteeing the rights of the holder over it. Also, since there is a common regulation that must be complied with by companies that process data on European citizens, the EU seeks to generate greater responsibility and equality of conditions regarding the processing of personal data.


Gastón Alejandro Pisni

Lawyer in Intellectual Property and Computer Law


