On January 26, 2017, the Spanish data protection authority (“AEPD”) published three guidance papers on the implementation of the General Data Protection Regulation (“GDPR”). Although the guidance is primarily directed at small and medium-sized companies, it gives a snapshot of how the AEPD reads the GDPR and is thus relevant for all companies with operations in Spain.
- GDPR Guide for Controllers: the guide summarizes the requirements of the GDPR while providing practical recommendations on how to implement them. The guide also contains a questionnaire to help controllers make a self-assessment of their privacy practices in light of the GDPR.
- Guide on Privacy Notices: the guide summarizes the requirements of the GDPR and provides practical recommendations on how notices should be delivered to individuals, including through which specific means and channels. Importantly, the AEPD recommends a layered approach to information notices, whereby basic information is provided in a table format that is immediately visible to individuals, and detailed information is provided in a second layer. The AEPD invites companies to review their notices and procedures now, and in any case before the GDPR fully applies in May 2018.
- Guidelines for Contracts between Controllers and Processors: the guidelines describe the requirements of the GDPR with respect to vendor management and provide a list of provisions that should be part of a data processing agreement. An annex to the guidelines contains model clauses that companies may use in situations where the processor processes the controller’s personal data exclusively on its own premises and systems.
The AEPD’s press release is available here.