Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, commonly known as the RGPD, entered into force on 25 May 2018.


The Regulation was corrected for material errors on 05/23/2018. The RGPD lays down rules on the protection of personal data.

It does not therefore apply to data of legal persons. The RGPD applies when data processing is concerned by automated or non-automated means.

Being a normative document of the European Union (EU), it applies in its territory.

However, if entities established within the EU process the data entrusted to them outside EU territory, they remain bound to comply with the rules of the Regulation.


The RGPD also has to be observed by entities established outside the EU, when dealing with personal data whose holders are established in the Union.


Personal data” means all information relating to a natural person – data subject – that is identified or identifiable, such as address, e-mail, or marital status.


An identifiable person shall be considered to be identifiable, directly or indirectly, in particular by reference to an identifier, such as a name or an identification number.


Data processing” means any operation or set of operations carried out on personal data or personal data sets, by automated or non-automated means, such as collection, registration, organization, structuring, conservation, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of disclosure, comparison or interconnection, limitation, erasure or destruction.


The processing of data in this context is always associated with the development of a professional or commercial activity.


In principle, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data, health data or related data to the sexual life or sexual orientation of a person, shall be prohibited.


The authorization for the processing of the data shall fix – and limit – the purpose or purposes for which the data can be processed.


The consent of the data subject must be expressed in a free, informed and explicit manner, and the data controller must be able to demonstrate that the data subject has given consent for the processing of data that is in question .


The data subject has the right to withdraw his/her consent at any time, and consent must be as easy to withdraw as it is to give, as well as to require limitation of data processing.


The holder of the data also has the right to be forgotten. This is one of the innovations that the RGPD enshrines. The data subject also has the right to require the correction of incorrect data or to complete incomplete data.


In order to demonstrate that they comply with the RGPD, entities subject to it must be able to prove that (i) they have authorization from the holder to process data; (ii) the data is secure and guaranteed to be confidential; (iii) there are standards, procedures and codes of conduct that can be displayed to supervisory bodies (iv) and there are monitoring systems to verify compliance with the standards.


A position that is of particular importance in the RGPD, in view of the legislation that existed until then, is that of the “data controller”.


The appointment of a data controller (DPO) to public authorities or bodies is mandatory; for bodies regularly monitoring large-scale personal data or large-scale sensitive personal data or relating to criminal convictions and offenses.


Until all the national legislation necessary for the implementation of the RGPD has been created, Law 67/98 of 26 October and other legislation related to this matter will continue to apply, in all that is not in contradiction with it.