It is evident that many companies and organizations of all kinds deal with personal data as part and parcel of their daily business (for example, from recording shareholders' information on formation of the company right through to the commencement of liquidation and the examination of information concerning employees as potential creditors). It follows that data protection regulations necessarily apply to them.

Data protection is currently going through a period of some turbulence. This is due, fundamentally, to the fact that the new European General Data Protection Regulation was adopted on 27 April 2016 and will be applicable once the transition period expires next year on 25 May 2018.

This new legal framework provides for many significant changes, which are the subject of vibrant commentary among data protection experts and specialists. For example, the sanctioning regime has seen a most substantial increase in fines and penalties, which may now reach 20 million euros or, in the case of a company, an amount equivalent to 4% of its total annual global turnover of the preceding financial year. In light of the scale of possible sanctions, the correct implementation of appropriate data protection measures has become a core concern of tremendous strategic importance.

As the European General Data Protection Regulation has been adopted, Spain has activated its procedure to adapt the existing national legislation. The Spanish Data Protection Agency is finalising the new proposal for an Organic Law on Data Protection, which is expected to be completed shortly. It follows that we must take note of its contents in order to progress our adaptation to it.

Meanwhile, the Spanish Data Protection Agency has provided some tools to pave the way in the form of three key publications:

  • The so-called “Guide to the Regulations for Managers”, which presents a list of verifications that organizations can use to check their compliance;
  • The “Guidelines for the preparation of contracts between managers and controllers”, which contains recommendations on the key points to be taken into account in the drafting of the contracts previously referred to as data access; and
  • The “Guide to fulfilment of duty to inform”, which provides guidance on good practices to follow in order to comply with the obligation to inform stakeholders.

Please click on the following link for additional information (in Spanish).

In short, in terms of data protection it is necessary to implement the criteria already defined by the Spanish Agency for Data Protection and to prepare for the issues that the European Regulation has established in very clear terms, leaving little or no doubt as to its possible interpretation.