C/ Enric Granados, 86-88, 5è 1ª – 5è 2ª, 08008 Barcelona · 93 268 87 40 info@ms-advocats.com

The new European Data Protection Regulation, which will come into force within a year (in May 2018), incorporates very significant changes in the processing of personal data, both as regards the rights of individuals and the obligations of Organizations and entities.

Nowadays, it is no longer necessary to insist too much on the importance of good and responsible management and security of the data of an organization, dedicate to what is dedicated. The treatment of data, whether generated or obtained, is without doubt the oil of the 21st century.

Thus, those organizations that have not yet realized the need to incorporate the management and treatment of databases into their strategic plan, have a year to begin to assume the suitability to adapt. These new measures and management criteria, including the new European Regulation, should be incorporated, yes or no, the treatment of personal data by organizations.

Of the innovations introduced in the new Regulation (EU) 2016/679, of the Parliament and the Council, of 27 of April of 2016 (RGPD); In highlighting the following:


1. Principle of proactive responsibility; 

2. The risk approach;

3. New special categories of data (genetic data and biometric data);

4. Consent shall be provided by an unequivocal statement or affirmative action and, in certain situations, it must also be explicit;

5. The right to information is configured as a right of the persons concerned and extends the issues to be informed; 

6. The right to oblivion is incorporated and regulated as a right linked to the right of suppression, the right to limit treatment and the right to portability; 

7. The need to formally create the files and notify them to the data protection registry of the supervisory authority is deleted; 

8. The minimum content of the treatment contract is extended;

9. In cases where the processing of data poses a high risk for the rights and freedoms of natural persons; Before beginning the treatment, the responsible has to do an evaluation of the impact of the operations of treatment in protection of personal data;

10. The concepts of privacy are incorporated from the design and privacy by default;

11. Promote the creation of codes of conduct; 

12. Certification mechanisms, stamps or marks are promoted to prove compliance with the RGPD.

13. The figure of the “Data Protection Officer” of the organizations or Data Protection Officer (DPO) is born. 

14. The responsible and the person in charge of the treatment must apply the technical and organizational measures appropriate to the risk that entails the treatment; The typologies of data disappear;

15. In case of breach of security, the controller must notify the control authority, within a maximum period of 72 hours.

16. The single window is created with the intention of member states having a single data protection authority as interlocutor.

In future publications, we will expand the analysis and study of each of these novelties.

… Data is already the power and the engine of any business !!


Jordi Cugat
Consultor legal