The Spanish Data Protection Agency has published a new set of guidelines, in an effort to help organisations and businesses prepare for the General Data Protection Regulation, set to come into force on 25 May next year.
Spain’s data protection authority released guidelines on the processing of personal data by entities like enterprises and SMEs, in a bid to make their transition to the new EU data protection regime smoother. The new General Data Protection Regulation, or GDPR, outlines stricter comprehensive rules for the collection, storage and processing of personal data for private entities and is set to come into effect on 25 May, 2018.
It replaces the 1995 EU Data Protection Directive and is heavily focused on privacy and safeguarding principles, responding to growing concerns about the handling of personal data by companies and private entities. Failure to adhere to the obligations set forth might result in hefty fines for enterprises, which is why national data protection authorities, like the Spanish Data Protection Agency, are starting to issue guidelines and material to assist private entities with compliance.
Besides introducing principles like privacy by default and privacy by design, the GDPR also affects transfers between companies based in Spain and their partners abroad. Article 44 of the Regulation forbids the transfer of personal data to countries outside the EU/EEA borders unless the recipient country can offer proof that it provides a level of data protection that is considered adequate by EU standards. This may be achieved, among other ways, by internal Binding Corporate Rules or through the power of the European Commission to whitelist certain jurisdictions.
Almost a year before the GDPR comes into effect, a survey found that only 43% of organisations are getting prepared for the new set of rules and only 51% were sure that GDPR would affect the way they do business, with nearly one-third of respondents seeing the new Regulation as having no impact at all and 11% stating they were unsure of its implications. In this context, action like that taken by the Spanish Data Protection Agency might prove crucial as
The Spanish institution has released three documents, all in Spanish, to assist with these preparations: “General Data Protection Regulation Guidelines for Data Controllers” looks into the obligations and duties of data controllers under the new rules and provides insight on how to tackle the main issues they will face. It comes complete with an annex of model documentation to help data controllers draft their own versions during the implementation phase.
The Agency has also issued its “Guidelines for Agreements between Data Controllers and Data Processors”, which seeks to assist data controllers and data processors with drafting written agreements for their cooperation and ensuring they include the minimum content required by the GDPR. The last document, namely “Guidelines for Complying with the Information Requirements”, is perhaps the most pertinent for consumers and private citizens, as it lays out the information that data controllers must provide to data subjects (individuals that have their personal data stored and processed), as well as how to effectively deliver this crucial information.