Guidelines from the Spanish DPA to help SMEs comply with the General Data Protection Regulation

The Spanish Data Protection Agency (“DPA”) has published two new guides and guidelines, drafted in collaboration with the Catalan and Basque data protection authorities, to facilitate the compliance of small and medium-sized companies with the General Data Protection Regulation (“GDPR”), which will apply from May 25, 2018.

The published materials are the following:

Guide of the GDPR for data controllers. This guide reviews the principles and obligations established by the GDPR, focusing on the differences between current regulations. It also includes a checklist with questions that data controllers (and, where applicable, data processors) can ask themselves to assess whether they are in a position to comply with the GDPR.

Guide for compliance with the obligation to inform. This guide establishes best practices to comply with the obligation regarding information to be provided to data subjects about their data processing, including how this information should be given. The DPA recommends that information should be provided in layers (something that will sound familiar to website owners when using cookies): the first layer should include basic and summarized information on the data processing, and further detailed information should be provided in a second layer. In addition, the European Commission is working on issuing standardized icons.

Guidelines for contracts between data controllers and data processors. This document responds to general questions about the data processor under the GDPR and the terms and conditions to be included in the contract regulating the data processing. The DPA interprets that the obligation established under the GDPR to inform data subjects about “the recipients or categories of recipients of personal data” does not apply to those acting as data processors, but admits that, depending on the case, it may be advisable to provide this information for the sake of transparency. An annex is included with model clauses for cases in which the data processor processes the personal data exclusively in its own premises and systems.

Although these documents are addressed to small and medium-sized companies, the DPA’s criteria and recommendations are useful for any company that processes personal data, regardless of its size and, therefore, should be taken into account when adapting to the GDPR.

The press release published by the DPA is available here. All the documents are in Spanish only.

Register now for your free, tailored, daily legal newsfeed service.

Guidelines from the Spanish DPA to help SMEs comply with the General Data Protection Regulation
Blog Intellectual Property Blog

Filed under

Laws

Organisations

Popular articles from this firm

Directives 2014/23/EU, 2014/24/EU and 2014/25/EU of the European Parliament and of the Council, of February 26 | New public procurement directives *

Banking, Finance and Capital Markets Newsletter | 2nd Quarter 2019 *

VAT and commissionaire structures: is winter coming? *

In case of conflict, which law applies to an international employment contract? *

Corporate Law Newsletter | 2nd Quarter 2019 *

More from Intellectual Property Blog

Control de concentraciones: Las ventajas de los compromisos en primera fase

El Tribunal Supremo interpreta el concepto de responsabilidad matriz-filial en infracciones del derecho de la Competencia

Booking.com gana la batalla a los hoteles en alemania: es competitivo impedirles ofrecer precios inferiores al ofertado en Booking.com

Con compromisos y sin multas: la Comisión Europea cierra su investigación sobre las majors de Hollywood y Sky UK

Pena de prisión en Estados Unidos para otro directivo europeo culpable de conductas anticompetitivas

Related practical resources PRO

Related research hubs