GDPR: Changes with respect to the Spanish data protection law (LOPD)

Blog, 19 October 2017

Introduction

The GDPR has been published by the European Union to achieve a better adaptation of the data protection law to new technological developments, which have led to an exponential growth in data processing.

This new regulation requires proactive action from both controllers and processors, which makes the concepts of data protection by default and data protection by design very important.

The GDPR recognises new ICT-related unique identifiers, such as cookies, IP addresses and similar, as personal data.

General changes: GDPR versus LOPD

Having understood why this new GDPR was necessary, the most important thing is to understand the changes it implies with respect to the Spanish LOPD.

Changes in legitimation

The concept of high-risk data processing refers to the processing of data to evaluate personal aspects for profiling, and to the large-scale systematic monitoring of publicly accessible areas.

The most important change is that tacit or implied consent is no longer valid: a clear declaration or an affirmative, explicit action is required for high-risk cases, automated decisions, international transfers, etc.

Processing operations initiated under the old LOPD remain valid if the consent obtained complies with the GDPR.

Changes in the transfer of information to interested parties

The GDPR establishes that information to data subjects shall be provided in a concise, transparent, intelligible and easily accessible form, in clear and plain language, and must include the following:

  • Legal basis of the processing
  • Intention to make international transfers
  • Identification data of the Data Protection Delegate
  • Whether profiling is carried out

Changes in the rights of those affected

Right of access

  • LOPD: it was mandatory to provide all the basic data of the affected person, but not copies or documents
  • GDPR: recognises the right to obtain a copy of the personal data being processed
  • Important: controllers may satisfy this right by enabling remote access to a secure system that gives the data subject direct access to their personal data

Right to be forgotten

This right follows from the right to erasure of personal data, and is a manifestation of the rights of cancellation and objection in an online environment.

If the controller has made the personal data public, it must take the technical measures needed to delete that personal data.

Restriction of processing

Upon prior request of the data subject, processing operations will not be applied in certain cases described in detail in the GDPR, such as when processing is lawful and would lead to the deletion of the data, but the data subject objects to this.

Important:
  • The restriction of processing is a right of the data subject that should not be confused with the blocking of data under Spanish law
  • Time limits and procedures are the same as for all other rights
  • The standard practice of erasing data when other rights, such as access, are exercised is prevented, as it would obstruct the exercise of the right to restrict processing

Portability

The right to data portability is an advanced form of the right of access: the copy provided to the data subject must be delivered in a structured, commonly used and machine-readable format. This right can only be exercised:

  • When processing is carried out by automated means
  • When it is based on consent or a contract
  • When requested by the data subject with respect to the data he or she has provided to the controller, including data derived from the data subject's own activity

Important:
  • This right implies that the data subject's data are transferred from one controller to another whenever possible
  • This right does not apply if the data has been provided by third parties

Changes in the controller-processor relationship

The innovations in the relationship between controllers and processors are established in three different areas:

  1. Specific obligations for processors

     The change is that the old LOPD only contained obligations for controllers, whereas the GDPR also imposes obligations on processors:

     • They must keep a record of processing activities
     • They must determine the security measures applicable to the processing they carry out
     • They must appoint a Data Protection Delegate in the cases indicated by the GDPR

  2. Choice of processor

     The controller shall choose processors with the appropriate organisational and technical capabilities to ensure that the processing meets the necessary requirements.

  3. Content of the processor's contract

     The relationship between the controller and the processor must be formalised in a contract or other legal act, and existing contracts must be adapted to the new GDPR.

Active responsibility measures

Another important aspect is the procedures that the controller and the processor must follow to comply with active responsibility measures.

Record of processing activities

Controllers and processors must maintain a record of processing operations containing the following information:

  • Name and contact details of the controller
  • Purpose of the processing
  • Description of the categories of data subjects and the categories of personal data processed
  • International transfers

Organisations with fewer than 250 employees are exempt, unless the processing they carry out may involve a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data.

Notification of data security breaches

Security breaches include any incident that results in the destruction, loss or alteration of personal data, as well as the unauthorised disclosure of, or access to, such data.

The controller must notify security breaches within 72 hours of their occurrence, unless the breach involves no risk to the rights and freedoms of those affected. The notification must include:

  • Nature of the breach
  • Categories of data, data subjects and persons concerned
  • Measures taken by the controller to resolve the failure
  • Measures applied to mitigate possible negative effects

If breaches involve a risk to data subjects, they should be notified so that they can protect themselves.

The suspicion of a breach or the detection of an incident should not be reported until the real risk to the data subjects is known.

Designation of the data protection delegate

The GDPR establishes that it will be compulsory to appoint a Data Protection Delegate (DPD) in the following cases:

  • Public authorities and public bodies
  • Controllers or processors whose activities require regular and systematic large-scale monitoring of data subjects
  • Large-scale processing of sensitive data

The DPD must be appointed on the basis of their professional qualifications and, in particular, their knowledge of data protection law and practice.

The designation of the DPD and their contact details must be made public by controllers and processors, and must be communicated to the supervisory authorities.

Every DPD must meet the following set of requirements:

  • Total autonomy in the exercise of their functions
  • Direct access to the highest level of management
  • The controller or processor has the duty to provide them with all the resources necessary to carry out their activity

International transfers

Data may only be transmitted outside the European Economic Area in the following cases:

  • Countries, territories or specific sectors for which the Commission has decided that they offer an adequate level of protection
  • Where adequate guarantees have been given that the data will be properly protected at its destination
  • Where one of the exceptions that allow data to be transferred without adequate protection guarantees applies, for reasons of necessity linked to the data subject's own interest or to general interests

The list of third countries that currently guarantee data protection according to the GDPR is: Switzerland, Andorra, Guernsey, Isle of Man, Jersey, Faroe Islands, Israel, Uruguay, New Zealand and the USA (under the Privacy Shield).

Data processing of children

The mention of children relates to obtaining consent in the context of the direct provision of information society services. The GDPR provides that, in this context, a child's consent is only valid from the age of 16; below that age, parental consent is required.

On the one hand, the GDPR allows member states to set a lower age as long as it is not less than 13 years old.

On the other hand, the GDPR requires controllers to make reasonable efforts to verify that consent has been given by the parents.

Pseudonymization

This is a new concept that refers to processing the data (encryption, hashing, etc.) so that it can no longer be directly linked to an individual. However, it is still personal data and therefore still needs a legal basis for processing. Undertakings that implement pseudonymisation are exempted from certain obligations under the GDPR.

Although the Spanish data protection agency encourages companies to carry out this process, it is important to know that it entails a risk analysis and the consequent impact assessment.
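As an added example (not code from the original post or from jtsec), keyed pseudonymisation of a direct identifier in Python: the pseudonym replaces the e-mail address in each record, while the token-to-identifier mapping is held apart so that only its holder can re-identify. The sample records, field name and purpose labels are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the demo (not real data).
SAMPLE_RECORDS = [
    {"email": "Ana@example.org", "order": 101},
    {"email": "ana@example.org", "order": 102},
    {"email": "bob@example.org", "order": 103},
]

def normalise(identifier: str) -> str:
    # Case and whitespace differences must not produce different pseudonyms.
    return identifier.strip().lower()

def pseudonymise(identifier: str, key: bytes, purpose: str) -> str:
    # Keyed HMAC-SHA256 rather than a plain hash: guessable identifiers such as
    # e-mail addresses would otherwise be recomputable by anyone. Binding the
    # purpose into the message yields different tokens per processing purpose,
    # so data sets pseudonymised for different purposes cannot be joined.
    msg = purpose.encode() + b"\x00" + normalise(identifier).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def pseudonymise_records(records, key: bytes, purpose: str, field="email"):
    # Replace the direct identifier in each record with its pseudonym. The
    # token -> identifier mapping is returned separately: GDPR Art. 4(5)
    # requires this "additional information" to be kept apart from the data.
    out, lookup = [], {}
    for rec in records:
        token = pseudonymise(rec[field], key, purpose)
        lookup[token] = normalise(rec[field])
        out.append({**rec, field: token})
    return out, lookup

def reidentify(token: str, lookup: dict):
    # Re-identification is only possible for whoever holds the mapping (or the
    # key), which is why pseudonymised data remains personal data.
    return lookup.get(token)

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store outside the pseudonymised data set
    records, mapping = pseudonymise_records(SAMPLE_RECORDS, key, "billing")
    for r in records:
        print(r["order"], r["email"][:16] + "...")
    print("mapping held separately:", len(mapping), "identifiers")
```

The two spellings of the same address collapse to one pseudonym, while the same address pseudonymised for a different purpose or with a different key yields an unrelated token.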



jtsec offers consulting services to achieve compliance with the GDPR, for example, helping companies to implement pseudonymization in their processes. Do not hesitate to contact us if you are interested or need help in implementing the GDPR in your business.

Juan Martínez/Senior consultant

Telecommunication Engineer with a Master's in cybersecurity from the University of Granada. Working as a cybersecurity consultant at jtsec since July 2017 on projects related to the Common Criteria, LINCE certification, FIPS 140-2, FIPS 140-3 and PCI-PTS standards.

Although his main activity is focused on consultancy, he has also participated in projects as an evaluator in LINCE certifications and as a hardware security analyst, based on the hardware experience he gained during his university studies by participating in the third and fourth editions of the "Desafío Tecnológico UGR" university challenge, where he won the third and first prizes respectively.

Juan is part of the first group of students awarded the CryptoCert Certified Crypto Analyst certification, whose quality, relevance and usefulness is recognized by the Spanish National Cryptologic Center.

His main motivation is to keep improving his cybersecurity skills in order to actively participate in the protection of user data and to help the companies to achieve their product certifications.

