New Spanish Regulation Tightens Up Data Protection Requirements RAFI AZIM-KHAN, JOHN NICHOLSON, ALESSANDRO LIOTTA, AND DOMINIC HODGKINSON

Similar documents
Jefferies EMEA Privacy Notice

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

Data Processing Agreement DPA

UWC International Data Protection Policy

Data Processing Agreement for Oracle Cloud Services

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

Data Protection in Switzerland Update Following the Safe Harbor Decision. 21 October 2015 / 6 February 2016 Christian Wyss

Motorola Mobility Binding Corporate Rules (BCRs)

PS Mailing Services Ltd Data Protection Policy May 2018

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

DATA PROTECTION POLICY THE HOLST GROUP

Data Processor Agreement

ADMA Briefing Summary March

Islam21c.com Data Protection and Privacy Policy

Data Protection Policy

Cognizant Careers Portal Privacy Policy ( Policy )

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

DATA PROCESSING AGREEMENT

Data Processing Agreement

Introductory guide to data sharing. lewissilkin.com

Data Privacy for Multinationals: How to Build and Implement a Compliance Plan

Data Privacy for Multinationals: How to Build and Implement a Compliance Plan

Cognizant Careers Portal Terms of Use and Privacy Policy ( Policy )

DATA PROCESSING TERMS

Data Processing Clauses

EU GDPR: The General Data Protection Regulation

Data Protection Policy

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):

Subject: Kier Group plc Data Protection Policy

Eco Web Hosting Security and Data Processing Agreement

Privacy Policy... 1 EU-U.S. Privacy Shield Policy... 2

VIACOM INC. PRIVACY SHIELD PRIVACY POLICY

DATA PROTECTION POLICY

This guide is for informational purposes only. Please do not treat it as a substitute of a professional legal

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

General Data Protection Regulation (GDPR)

PRIVACY POLICY PRIVACY POLICY

PRIVACY POLICY. 1. Definitions and Interpretation In this Policy the following terms shall have the following meanings:

POMONA EUROPE ADVISORS LIMITED

Data Processing Agreement

Catalent Inc. Privacy Policy v.1 Effective Date: May 25, 2018 Page 1

Creative Funding Solutions Limited Data Protection Policy

Data Protection and Privacy Policy PORTOBAY GROUP Version I

Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts

Information Security Management Criteria for Our Business Partners

Changing times in Swiss Data Privacy: new opportunities? Microsoft Security Day 27 April 2017 Clara-Ann Gordon

Data Protection Policy

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

GDPR: A QUICK OVERVIEW

KSi Malta Privacy Policy

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES. Forum financier du Brabant wallon

Terms and Conditions for Allegion Data Processing and Transfer

Data processing policy

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

CNH Industrial Privacy Policy. This Privacy Policy relates to our use of any personal information you provide to us.

1 Privacy Statement INDEX

GDPR - Are you ready?

Individual Agreement. commissioned processing

Data Processing Agreement

Data Breach Notification: what EU law means for your information security strategy

GLOBAL DATA PROTECTION POLICY

INFORMATION TO BE GIVEN 2

PRIVACY POLICY SECTION 1 CONTACTS

EU GDPR - DATA PROCESSING ADDENDUM INSTRUCTIONS FOR CDNETWORKS CUSTOMERS

Liechtenstein. General I Data Protection Laws. Contributed by Wanger Advokaturbüro. National Legislation. National Regulatory Authority.

Data Protection Policy

Rules for Commissioned Processing. (DDV Declaration of Conformity)

Privacy Policy. Company registry number: Budapest, Gönczy Pál utca em. Homepage: contact: Phone:

NIPPON VALUE INVESTORS DATA PROTECTION POLICY

UWTSD Group Data Protection Policy

GDPR RECRUITMENT POLICY

COMMENTARY. Information JONES DAY

CAPGEMINI BINDING CORPORATE RULES

1 About GfK and the Survey What are personal data? Use of personal data How we share personal data... 3

PRIVACY POLICY. 1. Definitions and Interpretation In this Policy the following terms shall have the following meanings:

You will see lots of references in the Checklist to the GDPR Pack if you would like to purchase this, go to

Privacy Notice - General Data Protection Regulation ( GDPR )

A Checklist for Cybersecurity and Data Privacy Diligence in TMT Transactions

EU Data Protection Agreement

The British Museum. Data Protection Code of Practise. 1 Introduction

DATA PROTECTION A GUIDE FOR USERS

EU data security and privacy trends

HPE DATA PRIVACY AND SECURITY

Information Systems Charter ENS de Lyon 2016

Privacy Policy of the products of Ilves Solutions Ltd and Ilves Valmisohjelmistot Ltd / Ilveshaku

Georgia Institute of Technology EU GDPR Lawful Basis Form

DISCLOSURE ON THE PROCESSING OF PERSONAL DATA LAST REVISION DATE: 25 MAY 2018

PERSONAL DATA PROCESSING POLICY FOR SUPPLIER

Privacy and Data Protection Policy

GLOBAL DATA PROTECTION POLICY

Privacy Notice. General Information Protection Regulation ( GDPR )

Privacy Policy GENERAL

Element Finance Solutions Ltd Data Protection Policy

Privacy Notice - Stora Enso s Supplier and Stakeholder Register. 1 Purpose

Online Ad-hoc Privacy Notice

PRIVACY POLICY OF THE WEB SITE

Cybersecurity Considerations for GDPR

Transcription:

New Spanish Regulation Tightens Up Data Protection Requirements RAFI AZIM-KHAN, JOHN NICHOLSON, ALESSANDRO LIOTTA, AND DOMINIC HODGKINSON The Spanish government has enacted a new regulation that further develops its data protection legislation by providing additional detail on the security measures required to comply with existing Spanish law. The new regulation came into force on 19 April, 2008, although currently registered businesses have one year to adapt their existing data procedures to the new security measures. While the law is aimed at implementing data security measures and clarifying data transfer issues that arise from the existing data protection legislation, its critics maintain that it merely introduces further regulatory burdens for companies. The Spanish Organic Law 15/1999, which implements EU Privacy Directive 95/46/EC, set out the principles that must be applied when processing personal data and established the Spanish Data Protection Agency (Agencia Española de Protección de Datos (AEPD)), which, unlike other European data protection agencies, has strong interpretative, investigative, and prosecutory powers, as well as the authority to impose significant fines on infringing businesses. Rafi Azim-Khan, John L. Nicholson, and Alessandro Liotta, attorneys with Pillsbury Winthrop Shaw Pittman LLP, can be reached at rafi.azimkhan@pillsburylaw.com, john.nicholson@pillsburylaw.com, and alessandro.liotta@pillsburylaw.com, respectively. Dominic Hodgkinson, an attorney in the firm s London office, can be reached at dominic.hodgkinson@pillsburylaw.com. 439

PRIVACY & DATA SECURITY LAW JOURNAL The new regulation 1720/2007 provides (among other things) for more specific and tighter security measures, as well as for rules on international data transfers and new applicable requirements and procedures. SECURITY MEASURES The Organic Law currently provides that all data controllers (that is, any individual or legal person who controls and is responsible for the keeping and use of personal information on a computer or in structured manual files) must implement a data processing system based on three security levels: basic, medium, or high. The application of each security level depends on the sensitivity of the data being processed or the nature of the relevant business. Under the new regulation, the data controller is required to develop and maintain an internal security policy specifying the technical and organizational measures (pursuant to the applicable security level) to be followed by its staff. Where the data processing is outsourced so that the personal data is processed exclusively by the systems of the data processor, the data controller may delegate the obligation to develop and maintain the internal security policy to the data processor. The new regulation details the measures to be associated with each security level. More specifically: A. Basic Security Level All categories of personal data must be protected, at a minimum, at the basic security level, which requires that the data controller must: Identify the functions and obligations of the staff having access to the personal data; Establish a procedure for the notification and management of all incidents affecting personal data and keep records of such incidents, the notification given, and how such incidents are managed; Ensure that its personnel will have access only to that personal data strictly necessary to the performance of their functions; 440

NEW SPANISH REGULATION TIGHTENS UP DATA PROTECTION REQUIREMENTS Ensure that the devices and documents containing personal data will: Identify the type of data stored; and If they are transferred outside the premises of the data controller, protect against loss or unauthorised access to the data; Establish a mechanism allowing the identification of any person trying to access the data; and Put in place a disaster recovery system that will include a weekly backup of all the personal data stored. B. Medium Security Level Data concerning criminal or administrative offenses, solvency status, taxes, financial transactions or status, social security status, or the data subject s personality or behavioral traits, must be protected, at a minimum, at the medium security level. In addition to the measures provided for under the basic security level, the medium level requires that the data controller must: Appoint one or more security officers who will coordinate and control the implementation of the measures specified in the internal security policy; Undertake internal and external audits; Keep records of all receipts and transfers of documents and other media containing personal data; Establish a system limiting the possibility of repeated attempts at unauthorised access to the information system; Ensure that only authorized personnel have access to the sites where the equipment supporting the information systems is located; and Record all the procedures followed for the recovery of data as a result of any incident, including identifying the persons who executed such procedures. 441

PRIVACY & DATA SECURITY LAW JOURNAL C. High Security Level Sensitive data, including trade union membership, religious or other beliefs, racial origin, health or sex life, data acquired for security forces purposes, and data relating to acts of gender-based violence, must be protected at the high security level. In addition to the measures provided for under the basic and medium security levels, the high level requires that the data controller must: Ensure that all media on which data is stored are identified through labels allowing users to identify their content; Where the media on which data is stored are transferred, or if personal data is stored on a portable device (e.g., laptops, PDAs, USB drives, or other portable memory devices) and such device is located in a place that is outside the control of the data controller, ensure that the data is encrypted or otherwise protected so that it cannot be accessed or manipulated by unauthorised individuals; Maintain a backup copy of the data in a different place from the location where the data is processed; Keep a record (for at least two years) of any attempt to access the data, identifying: The user, the date and time of the attempt; The data accessed; The type of access; and Whether the attempt was authorized or denied; Ensure that the security officer reviews the access register at least once a month; and Ensure that the transfer of personal data through public networks or wireless electronic communications networks is encrypted or otherwise protected to ensure that such data cannot be accessed or manipulated by unauthorized individuals. To facilitate compliance with the applicable security measures, soft- 442

NEW SPANISH REGULATION TIGHTENS UP DATA PROTECTION REQUIREMENTS ware products to be used in the processing of personal data shall include, in their technical description, the security level (basic, medium, or high) that they can meet. SECURITY AUDIT For medium and high security level data processing, the new regulations specify that all data processing systems must be subject to an internal or external audit at least every two years to verify compliance with the applicable security level requirements. A further audit must be carried out every time substantial changes are made to the processing system that could affect the security measures for medium and high security data. For example, if a data processing function is being outsourced to a service provider, where the outsourced service provider is expected to change the information system or transfer the data processing function offshore, an audit must be performed. Following each audit, a report must be prepared specifying the security measures applied and identifying any further measures to be undertaken to comply with the regulation. The audit reports must be given to the data controller s security officer, who will keep them and provide them to the AEPD upon request. INTERNATIONAL TRANSFERS The new regulation further sets out the procedure to follow prior to an international transfer of data to countries outside the European Economic Area ( EEA ) that are not considered as providing an adequate level of protection. There are several ways for such an international transfer to be authorized: consent of the data subject, use of the Model Contractual Clauses ( MCC ) (as approved by the European Commission Decisions 2001/497, 2002/16 and 2004/915), or implementation of an alternative data protection regime. Unless the data subject consents to the international transfer, the data exporter and the data importer must either enter into the MCC or an alternative written contract containing adequate data security measures. If the parties decide to enter into an alternative 443

PRIVACY & DATA SECURITY LAW JOURNAL arrangement (including, in the case of intracompany or intracorporate group transfers, the implementation of Binding Corporate Rules ( BCR )), then the transfer will be subject to prior authorization by the AEPD as described below. The procedure to obtain AEPD authorization must be initiated by the data exporter by depositing a copy of the contract or the BCR with the AEPD. The Director of the AEPD will, within three months of the application, adopt a resolution either authorizing or rejecting the transfer. If, at the end of the three months, the Director of the AEPD has not adopted any resolution, the transfer will be deemed authorized. At any time (even when authorization has been given), the Director of the AEPD may, following a hearing with the data exporter, temporarily suspend the transfer, where: The protection of fundamental rights and civil liberties in the country of destination or that country s legislation, does not guarantee the data importer s compliance (or ability to comply) with the provisions of the contract; The data importer has previously breached guarantees similar to those provided for in the contract; There are reasonable indications that the data importer will not comply with the guarantees provided for in the contract; There are reasonable indications that the measures provided for in the contract will not be effective; or The transfer, or its continuation if it has started, may create a risk situation for the data subject. CONCLUSION The Spanish data protection regime has long been considered one of the more cumbersome Member State regimes. Data controllers and data processors subject to Spanish privacy regulations will find the new regulations useful in clarifying several issues that were previously left to the interpretation of the AEPD and the Span- 444

NEW SPANISH REGULATION TIGHTENS UP DATA PROTECTION REQUIREMENTS ish courts. However, as some Spanish commentators have written, there is also a good chance that businesses may feel overregulated, especially considering the risk of fines that can be as high as 600,000 euros. The cost that businesses will incur to comply with the new regulations are yet to be proven, but they may be onerous particularly with regard to the security measures and the audit requirements. The international transfer procedures and the powers given to the Director of the AEPD in relation to such transfers may also have an impact on transfer costs and timeframes. In particular, when an entity controlling data pertaining to Spanish data subjects is considering entering into an outsourcing contract, careful attention should be paid to the applicability of Spanish regulations and the impact that any costs, procedures, and timeframes may have on the overall outsourced solution. 445

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback