GDPR consulting for companies and SMEs

Leave GDPR consulting in our hands

A complete GDPR / LOPD consulting solution for your business. Comply with the regulations in the most efficient and economical way possible, with a solution fully tailored to the reality of your company.

Is my company obliged to comply with the GDPR?

The LOPD is the Spanish data protection law, while the GDPR is the European regulation. Both must be applied in Spain until an updated LOPD that incorporates the new GDPR features is published.

The GDPR has been mandatory since May 25, 2018, and applies to the total or partial processing of personal data by controllers or processors established in the EU, as well as those not established in the EU, if they carry out processing intended for EU citizens.

Spanish companies that process personal data are obliged to comply with this new regulation and must correctly adapt to the new features and obligations it establishes.

Although a Data Protection Law already existed in Spain, the GDPR introduces some new obligations and, therefore, both regulations must now be applied.

Our experience with clients who handle highly protected data allows us to offer the best and most complete solution to easily adapt to current legislation.

Do you need personalized advice?

Explain the current situation of your company and what you need. We will call you and analyze your case to assess whether your company is at risk of regulatory non-compliance. Our services adapt to all company sizes.

Adaptation to the GDPR data protection regulations: what is it?

You get customized solutions for your company and professional activity

✔ Privacy policies.
✔ Updated data processing records.
✔ Correct management of social networks and website: publication of images, minors, legal texts, cookie policy…
✔ Administrative adaptation: emails, invoices, delivery notes, SEPA orders, contracts, correct WhatsApp management, and more!
✔ HR management: confidentiality agreements and other documents for your employees.
✔ Video surveillance and geolocation: posters and protocols for the correct management of video surveillance and geolocation.
✔ Attention to customer rights: clear and efficient protocols.
✔ Confidentiality agreements with collaborators and suppliers.
✔ Legal advice on data protection: continuous and specialized support in all phases of the process.

You get access to a cloud management platform

Our data protection service includes access to a cloud application from which you can manage the Record of Processing Activities and keep all legal documentation up to date at all times. These are the main functions that can be performed from the application:

  • Consult and download the Record of Processing Activities
  • Manage ARCO-POL rights
  • Generate confidentiality agreements and other contracts
  • Register security incidents quickly
  • Keep the register of incoming and outgoing media up to date

Assessment to determine whether a DPO is required

The Data Protection Officer (DPO) is a specialist in Data Protection, usually with a law degree, whose function is to guarantee compliance with the regulations.

Our legal compliance experts will determine whether your company should appoint a Data Protection Officer (DPO). If so, Edorteam will act as your external DPO, carrying out the information, coordination and supervision tasks of the company’s data protection policy and ensuring compliance at all times.

Adapting to the GDPR without applying technical security measures is useless

During the data protection audit, the technical security measures implemented by the organization will also be evaluated. If deficiencies or aspects that could be improved are detected in the computer network, they will be stated in the audit together with their priority level.

The Edorteam computer systems department will be at the company’s disposal to guide, advise and implement the technical measures, both software and hardware, necessary to guarantee the organization’s regulatory compliance. The implementation service is always subject to a prior quotation and is not included in this proposal.

Advantages and benefits of complying with the GDPR

  • Avoid fines and sanctions that would jeopardize your business
  • Direct communication with your expert data protection consultant at Edorteam
  • Regular audits and training by our specialists

If you wish, we can carry out the service 100% online, with documentation always updated and available.

Keys about GDPR regulation and its compliance

Below is a selection of the most important GDPR articles and what we propose to fulfil your obligations.

Article 7

Consent obtained prior to the date of application of the European Regulation (25/05/2018) will only remain valid if it has been obtained in compliance with the criteria set out in the Regulation itself (free, informed, specific and unambiguous).

Edorteam's solution

Renewal of consents and revision of contracts with third parties and data processors to adapt them to the new regulations.

Article 28

Contract with data processors that have adhered to data protection compliant certifications, mechanisms or codes of conduct.

Edorteam's solution

Creation of codes of conduct specialised in data protection regulations.

Article 31.1.d

Regular verification, evaluation and assessment of the effectiveness of technical and organisational measures to ensure data protection security.

Edorteam's solution

Carrying out audits to verify security measures compliance.

Articles 30 and 32

Management and administration of users, control of equipment and maintenance of an activity log.

Setting up data recovery systems and regular backups of equipment.

Edorteam's solution

Setting up the IT equipment with the ET Seguridad and ET Backup software, if other solutions with the same features are not available.

Article 32.2

Assessment of the risks presented by data processing, in particular as a result of accidental or unlawful destruction, loss or alteration of data, or unauthorized disclosure of or access to such data.

Edorteam's solution

Study and implementation of risk assessments of processing operations, through personalised evaluations that take the specific circumstances of each case into account.

Article 34

Obligation on companies to report any leakage of personal data within 72 hours.

Edorteam's solution

Preventive encryption of folders and documents with ET Encrypt or similar software. Encrypting personal information removes the obligation to notify the affected data subjects that a security breach has occurred.

What are the penalties for GDPR non-compliance?

As one of its key new features, the GDPR strengthens the penalty regime, establishing fines of up to 4% of the company’s global turnover or 20 million euros, whichever of the two amounts is higher.

What’s new in the GDPR compared to the LOPD?

Specific consent

Consent must be free, informed, specific and unambiguous. The requirement of consent is reinforced: it must be given by an unequivocal statement or a clear affirmative action, and cannot be inferred from silence or inaction. This creates an obligation to keep consent registration systems so that consent can be verified in the event of an audit.

Specially protected data

Consent shall be explicit for the processing of sensitive data.

Specially protected or sensitive data:

  • Ideology
  • Religion and beliefs
  • Union membership
  • Data relating to beliefs, racial origin, health and/or sexual life
  • Relating to the commission of criminal or administrative offenses

GDPR adds:

  • Genetic data (DNA analysis)
  • Biometric data (fingerprint or iris)

Privacy notices

The legal basis for the processing, the period for which the data will be retained, and the data subjects’ right to lodge a complaint with the data protection authorities must all be explained. This information should be included on web pages or in the available communication channels.

Protection of rights

  • Right to portability, right to be forgotten and right to transparency.

Active responsibility

Companies need to take steps to reasonably ensure that they are in a position to comply with the principles, rights and safeguards of the new regulation. Acting only once an infringement has already occurred is considered an insufficient strategy, so a set of measures is envisaged:

  • Data protection based on a risk analysis of the processing
  • Data protection by default (from the start)
  • Security measures
  • Maintenance of a record of processing activities
  • Conducting Data Protection Impact Assessments (DPIA)
  • Appointment of a Data Protection Officer (DPO)
  • Codes of conduct and certification schemes promotion

Conducting Data Protection Impact Assessments (DPIA)

Data protection impact assessments are only required when the use of advanced technologies, or the volume or type of data processed (specially protected data), may entail a risk to the rights and freedoms of the persons concerned.

The Regulation considers that a DPIA has to be carried out to assess the origin, nature, particularities and risk to which the personal data are exposed. The controller shall seek advice from the Data Protection Officer in carrying out the DPIA.

The Spanish Data Protection Agency is responsible for publishing lists of the types of processing operations that require impact assessments.

Appointment of a Data Protection Officer (DPO)

Among the DPO’s functions, we monitor the correct application of risk-reduction measures and advise your company’s data processors.

The GDPR allows the DPO to be internal or external to the company; the service can be contracted from natural or legal persons outside the organization.

Appointing a DPO is mandatory for:

  • Public bodies and institutions.
  • Controllers or processors whose main activities include processing operations requiring regular and systematic observation of data subjects on a large scale.
  • Controllers or processors whose main activities include the large-scale processing of sensitive data.

Data Security Breach Notifications

Companies are obliged to inform the national data protection authority, and also the affected parties themselves, within 72 hours if any personal data is leaked.

Encrypting personal information removes the obligation to notify the affected data subjects that a security breach exposing their personal data has occurred.

Strengthening the sanctions regime

The Regulation strengthens the sanctioning regime: fines can reach up to 4% of the company’s global turnover or 20 million euros, whichever is higher.

One Stop Shop

The “One-Stop-Shop” aims to reduce bureaucratic hurdles by making it possible for all procedures affecting Data Protection to be addressed to a one-stop-shop that resolves cases at European level.

Cases will be handled by the national authority, acting as an intermediary, which must inform the interested party of the final outcome of the complaint.

Controller and processor

Those responsible for the processing must be extremely careful and regularise their contracts in accordance with the requirements and the necessary documentation.

The right to compensation and liability is extended to damage caused by processors, establishing joint and several liability between the controller and the processor.

Security measures

  • Pseudonymisation and encryption of personal data.
  • Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  • Ability to restore availability and access to personal data quickly in the event of a physical or technical incident.
  • Process of regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the security of the processing.
  • Assessment of the risks presented by data processing, in particular as a result of the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized disclosure of or access to such data.
  • Contract with data processors that have adhered to data protection compliant certifications, mechanisms or codes of conduct.
  • Notify the authorities in the event of a breach of security of personal data.

Security measures to comply with the GDPR

What do the security measures of the European regulations mean in practical terms?

  • Mandatory file encryption.
  • Management and administration of users, controlling access to the equipment containing the data.
  • Carrying out audits to verify security measures compliance.
  • Review of contracts for third-party data processors and adaptation to the new regulations, if required.
  • Activity log setup.
  • Appointment of a Data Protection Officer in the specified cases.
  • Carrying out a risk assessment that pays special attention to the analysis of CV and payroll files, since they contain sensitive data.
  • Establishing mechanisms for action and anticipation to deal with security breaches.

Record access to your computer equipment with Edorteam DLP

Protect the personal data stored on your equipment and prevent unauthorized use. It’s not just us saying so: it’s an obligation included in the GDPR.

Encrypt files, folders and USBs with ET Encrypt

ET Encrypt is an encryption tool with a practically impenetrable algorithm that encrypts the data you send as e-mail attachments, as required by the GDPR.

Frequently asked questions

What is the GDPR and how does it affect my company?

The GDPR is the General Data Protection Regulation of the European Union that regulates the processing of personal data. It affects any company that operates within the EU or that handles data of EU citizens, regardless of their location, requiring strict data protection measures.

What are the differences between the LOPD and the GDPR?

The LOPD is the Spanish regulation that regulates the protection of personal data, while the GDPR is the regulation at the European level. The GDPR introduces stricter requirements such as explicit consent, extended rights for individuals over their data, and significant penalties for non-compliance.

Is my company obliged to designate a Data Protection Officer (DPO)?

The appointment of a DPO is mandatory for public authorities, organizations that carry out systematic and regular monitoring on a large scale, or those that handle special categories of personal data on a large scale.

What does a data protection impact assessment (DPIA) involve and when is it necessary?

A DPIA evaluates the risks of processing personal data and is necessary when such processing could result in a high risk to the rights and freedoms of individuals, such as in the processing of sensitive data on a large scale.

How can your service help our company with the GDPR?

Our service includes the review and updating of privacy policies, advice on data handling and protection, implementation of security measures, staff training and design of processes in accordance with the GDPR to ensure regulatory compliance.

What sanctions do we face if we do not comply with the GDPR?

Fines can be up to 20 million euros or 4% of the total global annual turnover, whichever is greater, depending on the severity of the breach.

How does your service manage GDPR updates and other legal changes?

We provide regular updates and audits to ensure that your company remains compliant with the GDPR and other relevant legislation, adjusting policies and practices according to legal developments.

What technical and organizational measures do you implement to protect data?

We implement data encryption, access control, periodic security assessments and employee training, among other measures to ensure effective data protection.

Can your service help in the event of a data security breach?

Yes, we offer immediate assistance to manage data breaches, including notifications to authorities and those affected, as well as measures to mitigate and prevent future incidents.

What specific benefits does your GDPR management software offer?