Banks and the New Data Protection Regulation

May 22, 2018
The processing and protection of data is of fundamental importance to banks both from the perspective of their responsibility, to prevent their clients' data from being subject to unauthorized disclosure and to guarantee its integrity, and from the perspective of the repercussions on their activity, in which their clients place their trust.

The European Data Protection Regulation (GDPR), published on May 4, 2016 and fully applicable from May 25, 2018, introduces a new global model that entails not only a harmonization of the regulatory framework for this matter across all EU Member States, but also a significant shift in approach to compliance strategy regarding the protection of personal data.

On the one hand, it introduces a historic change in the data controller's commitment through the concept of proactive responsibility, or "accountability." This principle, one of the pillars on which the legislation rests, places an obligation on organizations that process personal data to prevent harm: they must take measures that reasonably ensure, a priori, that they are in a position to comply with the principles, guarantees, and rights established in the Regulation.

Furthermore, not only must organizations comply with the provisions of the GDPR, but they must also be in a position to demonstrate such compliance, in order to avoid any type of risk to the fundamental rights of users.

On the other hand, it provides greater legal certainty, since, in application of the principle of transparency, organizations are required to give the data subject more detail about the processing of their personal data. Thus, when data is collected from the subject, certain information must be provided, including the purposes and legal basis of the processing, the recipients or categories of recipients of the data, any planned transfers, and the retention period, so that the subject may, where applicable, exercise effective control over that data.

Likewise, the consent regime is modified: tacit consent is no longer valid. The Regulation also introduces the possibility that the legitimate interest of the controller may constitute a legal basis for processing, provided that the interests or the rights and freedoms of the data subject do not prevail. Finally, the rights of the data subject are expanded with the introduction of the right to be forgotten, the possibility to restrict the processing of their data, and the right to data portability.

The Regulation also establishes new specific obligations for data controllers, among which the designation of a Data Protection Officer stands out; this is mandatory for banks, since their main activity involves data processing operations that require regular and systematic monitoring on a large scale. It is also mandatory to keep a record of processing activities, noting their purpose and the legal basis on which they rest; to conduct a risk analysis; to review security measures in light of the results of that analysis; to establish mechanisms and a procedure for notifying security breaches; and to carry out, where applicable, a data protection impact assessment.

Spanish banks, as data controllers, have adopted, within the adaptation period provided by the European text, all necessary initiatives, with the implementation of technical, organizational, and internal security measures affecting their mechanisms, procedures, and internal forms, taking into account the implications for their clients of the processing of their data.

Nevertheless, beyond the new requirements imposed by the GDPR (which will be complemented at the national level by the new Organic Law on Data Protection currently being debated in Parliament), it should not be forgotten that, given the high volume of data it handles and the diversity of services and operations it offers, the Spanish banking sector has always granted a high level of protection to its clients' data and full guarantees in the exercise of their rights. Indeed, the reputational impact of poor data handling can have consequences of enormous magnitude for a bank.

Therefore, Spanish banks make and will continue to make great efforts and dedicate substantial resources, both human and material, to implement the measures that, at any given time, are necessary to comply with legal provisions in this area, committed to the purposes of the regulations and to the supervisors.

Maria Peco, Legal Advisor to the Spanish Banking Association
