spanish data protection agency's guidelines on the general data ...

Information Technology

Madrid, February 2017

SPANISH DATA PROTECTION AGENCY’S GUIDELINES ON THE GENERAL DATA PROTECTION REGULATION

The Spanish Data Protection Agency ("SDPA") has started 2017 with the publication of three documents intended to help data controllers and data processors adapt to and comply with the new regulatory framework: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("General Regulation of Data Protection" or "GDPR"), approved in May last year.

The documents, which have been drafted in collaboration with the regional authorities (Catalan and Basque Agencies) and published in a section of the SDPA website created for this purpose, are the following:

- The General Data Protection Regulation guide for data controllers.
- Guidelines for the drafting of contracts between data controllers and data processors.
- Guide for compliance with the duty to inform.

It should be noted that the documents are mainly aimed at small and medium-sized companies, and therefore may not precisely address the issues faced by larger and more complex companies.

General Data Protection Regulation Guide

This guide offers an analysis of the main issues that companies should consider when implementing the GDPR, structured as follows:

- Legal basis for processing.
- Principles of transparency and information.
- Data subject’s rights.
- Data controller – data processor relationship.
- Measures for accountability.
- International data transfers.
- Processing of children’s data.

The document includes a “check list” (extended and simplified versions) to help companies analyse their situation with regard to the new regulation.

Data processing agreements

The document establishes the main guidelines for interpreting the data controller-data processor relationship, according to the new provisions of the GDPR.

As a guideline, the document includes an annex with examples of contractual clauses to be included in such agreements.

Information duty

Article 13 of the GDPR, on the obligation of information, includes additional requirements with respect to article 5 of Spanish Data Protection Act 15/1999 ("LOPD"). To comply with these new requirements, the document proposes the application of a “layered information model”, which consists of structuring the information in two levels: a first layer which includes the most basic information, and a second, where more detailed information can be found. The guide provides an illustrative table as well as other practical examples for the drafting of information clauses.

The new guidelines should be taken into account when drafting any policy or clause for the collection of personal data, and will involve reviewing existing documents.

For more information, see the following link: Section of the SDPA dedicated to the GDPR. (SPANISH)

More information

Norman Heckh, Partner
María Luisa González Tapia, Associate
Elisabet Viñes Vila, Junior Lawyer

www.ramonycajalabogados.com

Almagro, 16-18 28010 Madrid T +34 91 576 19 00 F +34 91 575 86 78

Caravel·la La Niña, 12, 6ª planta 08017 Barcelona T +34 93 494 74 82 F +34 93 419 62 90

Emilio Arrieta, 6 1º Derecha 31002 Pamplona T +34 94 822 16 01

© 2011 Ramón y Cajal Abogados, S.L.