The Spanish Data Protection Agency (“DPA”) has published two new guides and guidelines, drafted in collaboration with the Catalan and Basque data protection authorities, to facilitate the compliance of small and medium-sized companies with the General Data Protection Regulation (“GDPR”), which will apply from May 25, 2018.

The published materials are the following:

  • Guide of the GDPR for data controllers. This guide reviews the principles and obligations established by the GDPR, focusing on the differences between current regulations. It also includes a checklist with questions that data controllers (and, where applicable, data processors) can ask themselves to assess whether they are in a position to comply with the GDPR.
  • Guide for compliance with the obligation to inform. This guide establishes best practices to comply with the obligation regarding information to be provided to data subjects about their data processing, including how this information should be given. The DPA recommends that information should be provided in layers (something that will sound familiar to website owners when using cookies): the first layer should include basic and summarized information on the data processing, and further detailed information should be provided in a second layer. In addition, the European Commission is working on issuing standardized icons.
  • Guidelines for contracts between data controllers and data processors. This document responds to general questions about the data processor under the GDPR and the terms and conditions to be included in the contract regulating the data processing. The DPA interprets that the obligation established under the GDPR to inform data subjects about “the recipients or categories of recipients of personal data” does not apply to those acting as data processors, but admits that, depending on the case, it may be advisable to provide this information for the sake of transparency. An annex is included with model clauses for cases in which the data processor processes the personal data exclusively in its own premises and systems.

Although these documents are addressed to small and medium-sized companies, the DPA’s criteria and recommendations are useful for any company that processes personal data, regardless of its size and, therefore, should be taken into account when adapting to the GDPR.

The press release published by the DPA is available here. All the documents are in Spanish only.