The Spanish Data Protection Agency ("SDPA") has published a series of documents with the purpose of assisting data controllers and data processors (especially SMEs) to comply with the requirements of the new General Data Protection Regulation ("GDPR"), which will be enforceable on May the 25th 2018.
The aforementioned documents provide guidelines to entities processing personal data so that they can start to adapt their processes in order to meet the new requirements set forth by the GDPR during this transitional period.
In particular, the SDPA has published 3 documents:
- "General Data Protection Regulation Guidelines for Data Controllers": This document describes the main issues that data controllers should take into account in order to meet the requirements set forth by the GDPR for data controllers. It includes a fact-check list that can be used by companies for ensuring that they have taken the necessary steps for complying with the GDPR. You can access the document here.
- "Guidelines for Agreements between Data Controllers and Data Processors": The GDPR requires relationships between data controllers and data processors to be entered into through a written agreement that shall have a minimum mandatory content. This document provides guidelines for controllers and processors in order to assist them to comply with the requirement. You can access the document here.
- "Guidelines for Complying with the Information Requirements": The GDPR gives great importance to the information that data controllers must provide to data subjects when such data controllers process their personal data. These guidelines show data controllers what information must be provided to data subjects and practical information on how to provide them with such information. You can access the document here.
The 3 Guidelines have been included in a brand new section of the SDPA's webpage that is entirely dedicated to the new GDRP. This section already includes other material prepared by the SDPA in relation to the GDPR. Moreover, the SDPA is currently developing a self-evaluation online tool with the purpose of assisting SMEs in ascertaining if they are just carrying out data processing operations that have minor impact on the data subjects' privacy rights, providing them in such case with guidance on the measures envisaged by the GDPR for this scenario.