The New European Data Protection Law


Many have not yet realised that on 25th May 2018 the new European Data Protection Law will come into force. This law was published in the Official European Community Bulletin of 4th May 2016 and becomes applicable two years later in all member states.


This law is intended to return to citizens control over their personal data in a world dominated by smartphones and social media, where banking is online and purchases made over the internet are now the norm. It is also intended to increase security for companies operating in the European Union, and it applies as well to companies that operate with companies in the EU. This way companies are able to make the most of a single digital market, with less bureaucracy and greater consumer confidence.

Unifying the Regulations:

The main change that has been introduced is the unification of all the existing laws within the EU, setting unified criteria to guarantee the consumer’s rights, as well as making cooperation between the police and judicial authorities easier. The aim is to prevent the consumer’s details from becoming the object of violations of privacy. For example, one of the proposals is to give judges the right to stop the transfer of a certain person's data from the EU to the United States on a platform such as Facebook.

The Right to Be Forgotten:

This right gives people the opportunity to delete or block personal information that they deem to be obsolete or no longer relevant with the passing of time. This affects the right of cancellation and opposition applicable to internet search engines, such as Google. It includes the right to limit the universal and indiscriminate dissemination of personal data when this is no longer of interest, even if the original publication was legitimate.

To exercise this right, you must first contact the search engine provider (the largest companies have special forms on their websites). If they do not respond to the petition, or the response is not adequate, you can apply for mediation through the Data Protection Agency (AEPD).

Right of Transfer of Personal Data from One Company to Another:

There are two parts to this right. On the one hand, there is the possibility of obtaining, in electronic form, a copy of the data and where it has been sent. On the other hand, you will have the option of transferring these details to another system (to another provider), as long as these details have been automated. The persons holding these details will not be able to object. Should you object, the holder of your data has 1 month in which to give a satisfactory response.

The fines set for not complying with the law can be up to 500.000€ or 1% of the company's total invoicing in cases where the company does not provide a copy of the data it is handling or prevents the transfer of the details to another company (i.e. the telephone companies).

The Figure of the Data Protection Delegate:

There will have to be a specialist in data protection, in addition to the person handling the data. This specialist is there to make sure that the law is enforced and will liaise with the AEPD. This responsibility can be outsourced to a company specialising in it.

New Mechanisms of Supervision and Control:

The national authorities will be able to authorise transfers of data before they take place. The new authority will be The European Data Protection Counsel. It will have the same functions in all the member states, including sanctioning, correcting and investigating.

Communication of Breaches of Security to the Authorities and Those Affected by the Same:

As soon as a breach has been detected by the person responsible for handling data, it must be communicated to the authorities (and the persons affected) no later than 72 hours after the detection of the breach.

Depending on the severity of the violation, the fines can be up to 20 million euros or 4% of the business's total annual turnover.

Transfers to Other Countries:

Exporting data to other countries will not require a special authorisation, as long as the exports are carried out according to the new law.