On May 25th, 2018 the new European Regulation on Data Protection - Regulation (EU) 2016/679 of the European Parliament and of the Council - will become fully applicable in all EU member states, and therefore in Spain.
In Spain, work is under way on a draft law that will replace the law currently in force, Organic Law 15/1999, of December 13, on Data Protection. However, no details of that draft have been made public to date.
What we do know is that the Spanish Data Protection Agency (AEPD), in collaboration with other agencies and institutions, is carrying out a number of actions to promote compliance with the Regulation, and is also publishing guidelines to help organisations understand certain aspects of it.
In this post we summarize the actions that we consider the most relevant.
This post is also available in Spanish.
Guidelines to facilitate compliance with the new European Regulation on Data Protection
Guides published in Spain
A series of guides has been issued to help companies understand and comply with the Regulation:
- Guide for the fulfillment of the duty to inform
- Guide on the controller
- Code of good practices on Big Data
The first two guides were developed in collaboration with the data protection authorities of Catalonia and the Basque Country, and are very useful for keeping up to date with the latest developments in this area.
What should we highlight from these materials?
1. The guide for the fulfillment of the duty to inform recommends that, in order to comply with the information duty imposed by the new Regulation, companies provide the information to users at the moment their data are collected, in two successive layers: a first layer that succinctly gives users the essential information they need to know, and a second layer that tells them where to find the specific details about the purposes of the processing, the security measures and the other aspects they are entitled to know under the Regulation.
2. The most notable point of the guide on the controller is that the controller must implement a series of technical and organisational measures to guarantee, and be able to demonstrate, that the processing is carried out in accordance with the Regulation. This is the principle of accountability (proactive responsibility): it is the controller who must ensure compliance and be able to prove it.
The controller is the natural or legal person that decides on the purpose, content and use of the processing, even if it does not carry out the processing itself.
This guide also stresses that the data subject's consent must be given through a clear affirmative action. This form of consent requires an active position on the part of the data subject; consent by silence, or tacit consent, is therefore excluded. It should be noted, however, that a clear affirmative action does not necessarily mean express consent: consent may also be inferred from conduct that clearly indicates the data subject's will to consent.
On the other hand, regarding the so-called ARCO rights - access, rectification, cancellation and opposition - controllers must make it possible for data subjects to exercise these rights through visible, accessible and simple means. The guide recommends that requests to exercise these rights can be submitted by electronic means.
Do not forget the figure of the processor: a natural or legal person, public or private, that processes personal data on behalf of the controller as a consequence of a legal relationship that links them.
The guide on the controller additionally sets out guidelines for the relationship between the controller and the processor, specifying a series of obligations that apply to processors:
- Keep a record of processing activities
- Determine the security measures applicable to the processing
- Designate a Data Protection Officer where one is required
Likewise, the relationship between the controller and the processor must be formalised in a contract that legally binds them.
3. From the code of good practices on Big Data, it should be noted that new procedural elements have been introduced, such as:
- Privacy by design: ensuring that data protection safeguards are built in from the earliest planning stages of information systems and procedures, taking into account factors such as the state of the art, the cost of implementation and the risks that the processing poses to the rights and freedoms of the data subjects, so as to protect their rights.
- The Data Protection Impact Assessment (DPIA, or EIPD in Spanish): a process that should allow companies and public administrations to determine whether an initiative involving the use of personal data presents risks to data protection rights. That is, risks should be measured and quantified in order to assess the impact they have on the rights and freedoms of the people whose personal data are being processed. For Big Data initiatives in particular, these risks must be identified and managed.
- Organisations are advised to adopt codes of conduct that facilitate the application of the legislation, and to obtain certifications, seals or marks that allow them to demonstrate their compliance to third parties.
Guides published in the European Union
The Article 29 Working Party, made up of the data protection authorities of all EU member states, the European Data Protection Supervisor and the European Commission, has also published a series of guidelines on the new Regulation that cover the following aspects:
- Clarifications about the right to data portability, recognised in the new Regulation, which means that the person whose data are being processed can ask the controller to transmit those data to another controller.
For example: if you want to change telephone company, you can request your data from the company you have been contracting with so far, or ask it to pass the data directly to the new company you decide to contract with. The same applies to other kinds of organisations, such as banks or insurers.
- Rules for identifying the lead supervisory authority in certain situations. Where cross-border processing involves citizens of more than one member state, the relevant procedures will be led by the lead supervisory authority. The Working Party's guidelines give examples of cross-border processing and clarify the criteria for determining which authority should take on the role of lead supervisory authority in each case.
- A series of questions about the functions of the Data Protection Officer (DPO), which we have already discussed in the past.
New blog from the Spanish Data Protection Agency
Finally, we would like to highlight that at the beginning of 2017 the Spanish Data Protection Agency launched a blog, which is very positive for several reasons:
- It continues the educational work the Agency has carried out since its creation.
- It is very useful in practice, both for citizens whose personal data are processed and for the companies that process them.
- It makes the work of lawyers specialised in data protection easier, as it lets them learn and interpret the Agency's criteria on specific issues or situations.
Lastly, although the new European Regulation on Data Protection does not apply until May 2018, we must keep in mind that the legislation currently in force must still be complied with until then.
Even so, at Signaturit we advise companies to start adapting now to the changes the new Regulation brings, since it extends the rights of users and the obligations of organisations.
The aim is to avoid from the outset any serious sanctioning procedure by the Spanish Data Protection Agency, or even a reputational crisis that causes our customers to lose trust in us.
This post has been written by the data protection legal experts at Avatic Abogados.