LLMpedia: The first transparent, open encyclopedia generated by LLMs

Reglamento General de Protección de Datos

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: Reglamento General de Protección de Datos
Abbreviation: RGPD
Adopted: 27 April 2016
Commenced: 25 May 2018
Jurisdiction: European Union
Legal basis: Treaty on the Functioning of the European Union
Status: In force

Reglamento General de Protección de Datos is a comprehensive data protection regulation enacted by the European Parliament and the Council of the European Union to harmonize personal data safeguards across the European Union and the European Economic Area. It updates and replaces national regimes and directives, establishing rights for individuals and duties for organizations operating in member states such as France, Germany, Spain, Italy and Poland. The regulation has influenced jurisprudence in courts including the Court of Justice of the European Union and led to policy responses from institutions like the European Commission and the European Data Protection Board.

Introduction

The instrument was adopted after interinstitutional negotiations involving the European Parliament, the Council of the European Union, and the European Commission, and entered into application following publication in the Official Journal of the European Union. It superseded the Data Protection Directive 95/46/EC and interacts with frameworks such as the Charter of Fundamental Rights of the European Union, decisions by the European Court of Human Rights, and standards referenced by bodies like the Organisation for Economic Co-operation and Development and the United Nations.

Reform momentum derived from landmark cases and initiatives across jurisdictions: rulings by the Court of Justice of the European Union including the Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González case, decisions on data adequacy such as Schrems II relating to United States arrangements, and legislative efforts in member states like Germany's Bundesdatenschutzgesetz and France's Loi Informatique et Libertés. International instruments and agreements such as the Council of Europe's conventions, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, and dialogues with actors including Microsoft, Facebook, Apple Inc., Amazon, Google LLC and Twitter shaped provisions. Negotiations engaged stakeholders from the European Central Bank, the European Investment Bank, national data protection authorities like the Information Commissioner's Office (UK), the Commission Nationale de l'Informatique et des Libertés (France) and the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Germany).

Principles and rights of data subjects

Core principles derive from the text and from precedents involving institutions such as the European Court of Human Rights and scholarly discussion referencing figures in privacy law. Rights include transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability; these echo rulings involving Max Schrems, and debates involving platforms like YouTube, Facebook, Instagram, LinkedIn, WhatsApp, and Skype. Specific rights cover access, rectification, erasure (the "right to be forgotten" noted in Google Spain SL...), restriction of processing, data portability, objection, and rights related to automated decision-making and profiling; these have been tested in litigation involving corporations such as Cambridge Analytica-linked entities, decisions involving Facebook Ireland Limited, and academic analyses by institutions like the London School of Economics and Harvard Law School.

Obligations of controllers and processors

The regulation establishes obligations for controllers and processors akin to practices in large organizations including Siemens, Volkswagen Group, Deutsche Telekom, Orange S.A., Vodafone Group, IKEA, H&M, Zalando, Airbnb, Uber Technologies, Inc. and tech operators such as IBM, Oracle Corporation, SAP SE and Salesforce. Duties include implementing technical and organisational measures, conducting data protection impact assessments, appointing data protection officers where thresholds are met, maintaining records of processing activities, and ensuring contracts with processors reflect mandated clauses; supervisory interactions have involved authorities like the Irish Data Protection Commission, the Spanish Agency for Data Protection, and the Austrian Data Protection Authority.

International data transfers

Cross-border transfers require safeguards through mechanisms such as adequacy decisions by the European Commission, standard contractual clauses, binding corporate rules, and derogations for specific situations. Judgments such as Schrems II affected transfers to the United States and prompted dialogues with agencies including the U.S. Department of Commerce and entities like Privacy Shield, while trade and data-sharing arrangements touch on negotiations with countries including the United Kingdom, Canada, Japan, South Korea, Australia, Brazil and India, and with multinational organizations like the World Trade Organization and G20. Enforcement has required coordination with international data protection authorities including the Swiss Federal Data Protection and Information Commissioner and frameworks such as the Council of Europe recommendations.

Supervisory authorities and sanctions regime

Supervisory authorities at national level, such as the Information Commissioner's Office (UK), CNIL (France), Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Germany), Agencia Española de Protección de Datos, and the Irish Data Protection Commission, enforce compliance and coordinate via the European Data Protection Board. The regime provides strong corrective powers, including administrative fines up to specified percentages of global annual turnover, and corrective measures applied in cases involving multinational actors like Google, Facebook, Twitter and major telecoms. Adjudication can involve courts including the Court of Justice of the European Union and national constitutional tribunals such as the Bundesverfassungsgericht and the Constitutional Court of Spain.

Impact and practical application in the EU and in third countries

Implementation has affected sectors from finance (banks like Deutsche Bank, BNP Paribas, Santander, ING Group) to healthcare institutions such as Karolinska Institutet, Charité – Universitätsmedizin Berlin, and technology providers including Intel, NVIDIA, ARM Holdings and software firms like Adobe Inc. and Atlassian. Compliance efforts intersect with standards from organizations like ISO and collaborations with entities such as the European Banking Authority, European Medicines Agency, World Health Organization and global consortia including the Internet Engineering Task Force. The regulation has prompted legislative and policy responses outside the EU in jurisdictions including U.S. states such as California (California Consumer Privacy Act), Brazil (Lei Geral de Proteção de Dados), Argentina (Personal Data Protection Act), Japan (Act on the Protection of Personal Information), and ongoing reforms in China and India. High-profile enforcement actions, cross-border disputes, and corporate compliance programs continue to influence international data flows, trade talks involving the World Economic Forum, and academic research in institutions such as Oxford University, Cambridge University, Stanford University, Massachusetts Institute of Technology and Yale University.
