What does this cover?

The Spanish Data Protection Agency (the SDPA) has been informed that some security companies are offering their services to perform security audits by telephone in order to examine compliance with Spanish Data Protection Legislation. The security companies claim that the telephone audits enable them to certify the adequacy of the medium and high level security measures applied to files, processing facilities and data storage and therefore sign off compliance with the Spanish data protection law.

The SDPA has confirmed that a telephone audit of the security measures would not be sufficient to establish compliance with Spanish Data Protection Legislation; the audit would need to be carried out on the premises.

What action could be taken to manage risks that may arise from this development?

Organisations operating in Spain should ignore any such requests. 

Article submitted by Irene Robledo de Castro, Spanish counsel – Madrid, Spain in partnership with DAC Beachcroft LLP