The Spanish Data Protection Agency held its 10th Annual Open Session on 4 June in which members of the Agency reviewed the practical implications of the GDPR and initiatives to adapt to them.
In view of the number of communications that have been sent to interested parties requesting renewed consent, the SDPA has recalled that the GDPR only requires non-GDPR compliant consents, such as silent consents, be obtained again and only if the processing does not have any other legal basis.
The Director of the Agency also referred to the volume of notifications of appointments of Data Protection Delegates received by the SDPA. As indicated above, this figure currently exceeds 8,000 notifications, but it is considered to be below the expected notifications.
The Agency has also analyzed the register of processing activities, one of the first compliance measures to be adopted and the preparation of which can be considered as a first step towards adaptation to the requirements of the GDPR.
The sanctioning regime was another one of the aspects analyzed during the Session. The Agency has stressed that there are measures, such as a warning, which can be taken instead of a fine, when, despite an error, adequate diligence in the implementation of the GDPR is obvious and documented. It has also stated that the supervisory authorities may also order measures such as the limitation or suspension of processing, which would prevent a controller from continuing to carry out such processing operations that constitute a risk to citizens' rights and freedoms, without prejudice to the possibility of imposing a fine where the case so requires.