The EU GDPR (General Data Protection Regulation 2016/679), or RGPD (Reglamento General de Protección de Datos) as it will be referred to in Spanish, comes into effect today, May 25th 2018.
According to many specialists active in the field of Data Protection, over 90% of Spanish companies will not be prepared in time, even though the EU Regulation was published 2 years ago and has been in force since.
What are Personal Data?
Personal data are defined as any information relating to an identified or identifiable natural person.
This includes online identifiers, such as IP addresses and cookies, if they are capable of being linked back to the data subject. It also includes indirect information, which might include physical, physiological, genetic, mental, economic, cultural or social identities that can be traced back to a specific individual.
There is no distinction between personal data about an individual in their private, public or work roles: all are covered by this regulation.
There already were Data Protection Laws in force, so what's the difference?
The main difference is that companies that host or process your personal data must now actively seek your explicit consent to do so. Examples: your IP address, or your email address when you subscribe to notifications. As of today there is no more 'tacit' consent, so when you register on a website, or send a request for information, you should at least have to click a button to express your consent for your personal data to be processed and stored, and be referred to the website's data protection policy for further information.
Also, for each separate use of your personal data, they must seek your consent and be able to show when and how they did this. For us at CAB Spain, that would be the newsletter we send out periodically, for example. For this reason you will shortly receive an email from us asking you to confirm you still want to receive it. Before this new Regulation came into force, it was sufficient to include information on how to de-register from the email database we use for this newsletter if you no longer wished to receive it. So, in a way, it was the other way around.
You will probably already have received several of these emails from websites or forums you use regularly and where you have entered your personal data.
Another thing you will have come across regularly: when you want to make use of services online and you're asked to register, there will often be a pre-ticked box stating that you wish to receive information about promotions etc. from that same company or service provider, and you would have to 'un-tick' this box if you don't want that. That is no longer allowed: they can ask for it, but they cannot pre-tick the box for you or activate it by default. The choice should be yours to make.
As a private individual, you have the right to know for how long your data will be kept and, e.g. in the case of employers, that the data on file are accurate. You are entitled to access, to a copy, and to have your data suppressed or erased if you wish or if the data are no longer required for the reasons they were collected ('the right to be forgotten'), or to have them transferred to another company (portability) if that's technically possible.
What about cookies?
As it's an EU Regulation, do only EU companies have to comply?
No, all companies worldwide have to comply if they collect personal data from EU citizens.
What does DPO mean?
DPO stands for Data Protection Officer, a newly 'invented' figure that companies can, or will be obliged to, either employ in-house or contract externally to deal with the protection of data for them. Think of it as a very specialised Personal Data Ombudsman who will make sure the requisites of this new EU Regulation are met by the company he or she is employed or contracted by.
Employing or contracting a DPO is obligatory for all public companies and those that deal with large amounts of personal data, or with sensitive data, again if in large amounts. The law 'conveniently' doesn't specify 'large amounts' any further.
So by definition, self-employed Autonomos would not be obliged to do so, unless, in rare circumstances, they meet the requisites mentioned above.
Do all companies need to be registered with the Spanish Data Protection Agency?
No, as of now you don't have to be registered (have opened a 'fichero') there, but you are expected to meet the requisites of the new Regulation and keep a register of all activities involving the personal data collected, and inspections will follow.
For example, you need to arrange a contract between the person responsible for data protection within your organisation and the external companies dealing with these personal data. Imagine a bank and the company hosting its computer system; an employer or self-employed Autonomo and their gestor; a website that collects personal data and the company organising its online marketing; private individuals advertising their property for holiday lets and their website builder or hosting provider; or the 'meet & greet' person who collects the passports of guests to pass the relevant information on to the Guardia Civil. To name just a few examples.
Every email you send as a business or self-employed professional, or receive from one, should contain information about how your data are protected and what you're entitled to, who to inform if the email wasn't intended for you, etc.
If your company is registered or operates in Spain, all this information needs to be first and foremost in Spanish. If you cater to foreigners, other languages may be added.
At CAB Spain, we were already registered with the Spanish Data Protection Agency, and earlier this year we contracted a law firm specialised in Data Protection, which has helped us comply with the new Regulation. Our email signatures are all in compliance, with just final touches to the website still to perform.
The person responsible at CAB Spain for data protection is Richelle de Wit.