Spanish DPA issues a document outlining the main points regarding the GDPR
The Spanish Data Protection Agency (SDPA) has recently prepared a document to provide a better
understanding of the EU General Data Protection Regulation (GDPR) and to help companies comply
with the new obligations the GDPR brings. However, the interesting fact about this document is that
the SDPA has defined its position regarding some important aspects.
• With regard to the conditions applicable to child's consent, the Regulation states that the
processing of the personal data of a child shall be lawful if the child is at least 16 years old.
Member States may establish a lower age by law but it may not be below 13 years old. As for
Spain, the SDPA states that the minimum age will continue to be 14. In the case of
companies obtaining consent for personal data processing, it is important to mention that the
consent must be verifiable and the privacy advice must be in written form and clear enough to
be understandable by a child.
• Responsibility for the companies: a lot of companies are wondering whether the GDPR
involves a higher level of obligations and responsibilities. The SDPA is of the view that some
of the new measures are similar to the ones previously existing and therefore its
implementation should not be a problem. Other obligations were already of common use and
are now are legally included in the GDPR. The SDPA is working on developing tools to
facilitate the identification and evaluation of the risks that each company faces that ultimately
depend on the data processing they perform.
• Consent: the GDPR states that consent, in general terms, has to be freely given, specific,
informed and unambiguous. The SDPA recommends that companies should check that their
consent registry in place in case they have to face an audit.
• Privacy Notice: companies have to review their Privacy Notice to be in accordance with the
new requirements. The GDPR now requires that the information contained in the Privacy
Notice must be clear and easy to understand.
The SDPA recommends that companies start checking whether their common practices are in
accordance with the new GDPR, determine the type of processing they perform and the applicable
rules, and take the necessary steps to gradually implement the new GDPR. A great advantage of the
prompt application of the GDPR is identifying difficulties, weaknesses and errors now that the GDPR
is not yet mandatory.
For more information, please contact Raul Rubio, Patricia Perez, Rosario Alvarez, Ignacio Vela,
Alvaro Ubeda or Cristina Monereo.