The General Data Protection Regulation turns ten years old with a direct impact on the way administrations, companies and digital platforms collect, use and store citizens' personal information. The European Union regulation protects privacy and personal data both within the community space and against companies from outside the Union that process or collect data from Europeans.
A rule that sets limits to the use of personal information
The regulation recognizes citizens the right to know what data is collected and for what purpose. It also prohibits that this information be used for purposes other than those initially communicated and establishes limits on the time during which it can be kept.
The regulation gives people the possibility to access their data, correct them, request their deletion through the so-called right to be forgotten, oppose their processing or request that it be limited. It is a framework that has marked the relationship between users and entities that handle large volumes of personal information.
Obligations for companies and entities
Companies are obliged to request clear consent when necessary, apply protection measures on data and communicate security breaches. Depending on their size, they must also designate a data protection officer.
The most serious infringements can entail penalties of up to 20 million euros, one of the tools with which the regulation seeks to guarantee its compliance.
Balance of the Agencia Española de Protección de Datos
"It has consolidated a culture of responsibility on the part of those who process data and has contributed to placing respect for privacy as a structural element" - Lorenzo Cotino, director of the AEPD
Cotino has made a positive assessment of this decade of application of the regulation and has defended the European dimension of the data protection system.
"Much stronger in a coordinated way; more before those who process data on an enormous scale" - Lorenzo Cotino, director of the AEPD
The coordination among the 27 countries of the Union remains one of the pillars of the regulation in a context marked by the massive processing of data. Ten years after its implementation, the regulation continues to be the reference for controlling how personal information is collected and used in the digital environment and outside of it.