With the start of the transition period during which data controllers and processors shall adapt and modify their processes to the General Data Protection Regulation, the Spanish Data Protection Agency has made available the first guidelines to offer orientation on this adaptation process.
Since before the entry into force of the General Data Protection Regulation (the “GDPR“) last 25 May 2016, the data protection authorities alerted agents involved in the processing of personal data that the new regulations would mean substantial modifications in the modus operandi of business practices in data protection matters.
The transition period until the definitive application of the GDPR is twofold for data controllers and processors, since besides observing privacy by design and default principles in any new data processing, they will have to adapt to the new regulations the processing that continue to exist as from 25 May 2018.
Conscious of both the need to adapt to the new GDPR requirements, and the uncertainty generated by the unawareness of the method in which certain provisions of the regulation should be applied, the Spanish Data Protection Agency (the “SDPA“) has committed to publish documents, material and tools that would allow Spanish businesses to identify the key points they should bear in mind to comply with the GDPR requirements with full guarantees. Thus, last 26 January the SDPA, within the scope of its 2015-2019 Strategic Plan, published three guidelines in which they explain aspects associated to the relation between data controllers and processors, the duty of information and the general obligations of the data controller within the scope of the new European regulation.
As regards the principal obligations of data controllers, the guideline, far from intending to be an exhaustive and final document, highlights the new aspects of the GDPR, makes recommendations, outlines aspects that should be taken into consideration and provides a check list to verify the level of compliance with the new regulation. In this respect, for example, it is worth noting the changes in the requirements for obtaining consent, not admitting forms of implied or omitted consent. In the light of this modification, the SDPA warns that from 25 May 2018 consents obtained under methods not admitted by the GDPR will be invalid and, therefore, they advise reviewing and adapting such processes to the new regulation.
Regarding the duty of information, the SDPA highlights in the guideline its recommendation to provide the information in a double layer system (following a similar scheme to that recommended by the SDPA in the Cookies Guideline). In the first layer, it recommends informing in a summarised way (preferably in table format) about the essential aspects that affect the processing (i.e. controller, purpose, legitimation, recipients, rights and, if applicable, origin of the data) redirecting the individual to the additional information presented in more detail in the second layer (for example, in an electronic link or on the back of the document where the basic information is provided).
Finally, with respect to the legal relationship between data controllers and processors, the SDPA provides directives relating to what provisions should be regulated in data processing contracts as from 25 May 2018. Such directives focuses not only on existing aspects of the present regulation, but also (i) anticipating the processors’ duty to collaborate with data controllers in the observance of the new regulation, and (ii) replacing the reference to existing security levels by the need to carry out a risk evaluation that allow to determine the security measures to be applied.
Although the directives provided by the SDPA in the three guidelines mentioned are merely recommendations that may be modified and are not binding, they are a good starting point for agents involved in data processing to become familiar with the manner of correctly applying the GDPR.