Consultancy of adaptation to the RGPD

Complies with the European RGPD regulation

We explain the news of the RGPD that every company must adopt

The European Regulation 2016/679 on the Protection of Personal Data (RGPD) incorporates important modifications in the processing of personal data information with respect to the LOPD.

  • All Spanish companies must comply with the RGPD.
  • It is not enough to comply with the Spanish Data Protection Law.
  • Update with Edorteam and comply with the LOPD and RGPD.

Is my company obliged to comply with the GDPR?

The LOPD is the Spanish data protection law, while the RGPD is the European law. Both must be applied in Spain, as long as an update of the LOPD that includes the news of the RGPD is not published.

The RGPD has been mandatory since May 25, 2018, and applies to the total or partial processing of personal data by data controllers or processors established in the EU, as well as to those not established in the EU if they carry out processing aimed at EU citizens.

Spanish companies that process personal data are obligated subjects of this new regulation and must be properly adapted to the new features and obligations that it establishes.

Although the Organic Law on Data Protection (LOPD) applies in Spain, the GDPR introduces some new obligations, and therefore both rules currently apply.

Our experience with clients handling data of a high protection level allows us to offer the best and most complete solution to adapt easily to current legislation.

What are the penalties for violating the GDPR?

As one of the key novelties, the Regulation strengthens the sanctioning regime, establishing fines of up to 4% of the company's global turnover or 20 million euros, whichever of the two amounts is higher.

Fines can reach 20 million euros or 4% of the company’s global turnover, whichever is higher.

Do you need further assistance?

Tell us about your company and any regulatory questions you may have. We'll study your case to assess whether your company is compliant.

What is our GDPR compliance service?

Review and update of the documents that make up the Company’s Security Document

The first step is to review the data protection policy that the company currently has. After this study, only the tasks essential to bring it up to date with current law will be carried out, so that the investment required of the company is kept to a minimum.

Establish the legal clauses to be incorporated in the documents in which the company requests data

These clauses adapt those documents to the obligation to obtain the consent of the affected party (clients and staff of the entity). We will analyze, from a legal point of view, the operations that may constitute a transfer of data, and incorporate confidentiality and purpose clauses with external parties that have access to company data, limiting the use and processing of that data to the indications and uses authorized by the company.

Implementation of Security measures

Carried out by our technical services, or by advising the system administrator, so that the appropriate measures to improve security and comply with the law are correctly implemented.

Training of the Data Controller

We train, if requested, those responsible for company security and the other employees involved in managing the implementation of the measures related to the Security Document, to guarantee the company's compliance with all the requirements of the data protection regulations.

Appointment, if applicable, of the Data Protection Officer (DPO)

The RGPD allows the DPO to be internal or external to the company, so the service can be contracted with natural or legal persons outside the organization. At Edorteam we are accredited to act as DPO, a role that is mandatory for authorities and public bodies, or depending on the type or volume of data that a company processes.

Carrying out the DPIA (Data Privacy Impact Assessments)

Also known as data protection impact evaluations, their function is to evaluate the origin, nature, particularities and risk to which personal data are exposed.

After adapting to the GDPR, manage everything online

LOPD Online is a cloud management software from where you will manage all the documentation regarding the protection of your company’s data:

Main features

  • Manage the Security Document
  • Generate confidentiality agreements and other contracts
  • Register security incidents quickly
  • Always keep the record of incoming and outgoing media up to date

Advantages for your business

  • 100% online service, with documentation always updated and available
  • Direct communication with your Edorteam LOPD expert consultant
  • Regular audits and training by our specialists
  • The peace of mind of complying with the obligations of the LOPD and RGPD

Key articles of the GDPR regulation and how to comply with them

Below, you will find a selection of the most important GDPR articles and what we propose to fulfill your obligations.

Article 7

Consent obtained prior to the date of application of the European Regulation (05/25/2018) remains valid only if it was obtained respecting the criteria set out in the Regulation itself (free, informed, specific and unequivocal).

Edorteam action

Updating of consents and revision of the contracts with third parties and with the data processor, to adapt them to the new regulations.

Article 28

Contract with data processors that have adhered to certifications, mechanisms or codes of conduct in accordance with data protection.

Edorteam action

Implementation of codes of conduct specialized in data protection regulations.

Article 31.1.d

Regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to guarantee data protection security.

Edorteam action

Carrying out audits to verify correct compliance with the implemented measures.

Articles 30 and 32

User management and administration, equipment control and maintenance of an activity log.

Have data recovery systems and periodic backups of equipment.

Edorteam action

Provide the computer equipment with the ET Seguridad and ET Backup software, if it does not already have other solutions with the same functions.

Article 32.2

Assessment of the risks presented by data processing, in particular as a result of accidental or illegal destruction, loss or alteration of data, or unauthorized communication of or access to said data.

Edorteam action

Study and performance of risk assessments of processing operations, evaluated from a personalized point of view and attending to each company's particular specifications.

Article 34

Obligation on companies to report any leakage of personal data within a period of 72 hours.

Edorteam action

Preventive encryption of folders and documents with ET Encrypt software or similar. Encrypting personal information eliminates the obligation to notify those affected that a security breach has occurred.

Register access to your computer equipment with ET Seguridad

Protects stored information with an access log and prevents unauthorized use of computer equipment.

Encrypt files and USB removable drives with ET Encrypt

ET Encrypt is an encryption tool with a practically impenetrable algorithm; it protects your data even when you send files by e-mail.

What new features does the RGPD introduce with respect to the LOPD?

Unequivocal consent

Consent must be free, informed, specific and unequivocal. The demand for consent is reinforced by an unequivocal manifestation or positive action, and cannot be deduced from silence or inaction. This establishes the obligation to have systems for recording consent so that it can be verified in the event of an audit.

Specially protected data

Consent must be explicit for the processing of sensitive data.

Especially protected or sensitive data:

  • Ideology
  • Religion and beliefs
  • Union membership
  • Related to: beliefs, racial origin, health and/or sexual life.
  • Relating to the commission of criminal or administrative offenses

The new regulation adds:

  • Genetic data (DNA analysis)
  • Biometric data (fingerprint or eye iris)

Privacy notices

The legal basis for data processing must be explained, as well as the time for which the data will be retained, and interested parties must be informed that they can direct their claims to the data protection authorities. All this information must be included on the web pages or in the communication channels available.

Guardianship rights

  • Right to portability, to be forgotten and to transparency.

Active responsibility

Companies have to adopt measures that reasonably ensure that they are in a position to comply with the principles, rights and guarantees of the new regulation. It is understood that acting only when an infringement has already occurred is insufficient as a strategy, that is why a set of measures is envisaged:

  • Data protection from the point of view of risk analysis in data processing
  • Data protection by default (from the start)
  • Security measures
  • Maintenance of a treatment record
  • Carrying out data protection impact assessments (DPIA)
  • Appointment of a data protection officer (DPO)
  • Promotion of codes of conduct and certification schemes

Carrying out impact assessments on personal data (DPIA)

Data protection impact evaluations are required only when the use of advanced technologies, or the volume or type of data processed (especially protected data), may pose a risk to the rights and freedoms of the affected persons.

The Regulation considers that a DPIA has to be carried out to evaluate the origin, nature, particularities and risk to which personal data are exposed. The data controller will seek the advice of the Data Protection Officer in order to carry out the DPIA.

The Spanish Agency for Data Protection is in charge of publishing the lists with the types of processing operations that require impact evaluations.

Appointment of a Data Protection Officer (DPD)

Among the functions of the DPD are monitoring the correct implementation of the measures aimed at reducing risks, and advising the controller responsible for the processing of personal data.

The RGPD allows the DPO to be internal or external to the company, so the service can be contracted with natural or legal persons outside the organization.

This figure is mandatory in:

  • Public organizations and institutions.
  • Controllers or processors whose main activities include processing operations that require regular and systematic large-scale monitoring of interested parties.
  • Controllers or processors whose main activities include the large-scale processing of sensitive data.

Notifications of data breaches

Obligation for companies to report any leakage of personal data within 72 hours to the national authority (Spanish Agency for Data Protection), and also to those affected.

The use of encryption in personal information eliminates the obligation to notify those affected that a security breach has occurred, in which their personal data has been exposed.

Strengthening of the sanctioning regime

The Regulation strengthens the sanctioning regime: fines can reach up to 4% of the company's global turnover or 20 million euros, whichever of the two amounts is higher.

Single window

The “One-Stop-Shop” or single window aims to reduce bureaucratic obstacles by making all the procedures that affect Data Protection go to a single window that solves cases at the European level.

The procedure will be managed by the national authority, acting as intermediary, which must inform the interested party of the final result of the claim or complaint.

Manager and data controller

The processor must exercise extreme caution and regularize its contracts in accordance with the requirements and the required documentation.

Right to compensation and liability, extended to damages that may have been caused by processors, establishing joint and several liability between the controller and the processor.

Security measures

  • Pseudonymisation and encryption of personal data.
  • Guarantee the confidentiality, integrity, availability and permanent resilience of the processing systems and services.
  • Ability to restore availability of and access to personal data quickly in the event of a physical or technical incident.
  • Process of regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to guarantee the security of the processing.
  • Assessment of the risks posed by data processing, in particular as a consequence of the accidental or illegal destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to said data.
  • Contract with data processors that have adhered to certifications, mechanisms or codes of conduct in accordance with data protection.
  • Notify the supervisory authority of any personal data security breach, should one occur.

Security measures to comply with the GDPR

What do the security measures of the European regulation translate into for practical purposes?

  • Mandatory file encryption.
  • User management and administration, controlling access to the computers that contain the data.
  • Carrying out audits to verify correct compliance with the implemented measures.
  • Review of the contracts with the data processor on behalf of third parties, and adaptation to the new regulations where required.
  • Maintaining a log of activities.
  • Appointment of a Data Protection Officer in the specified cases.
  • Carrying out a risk assessment that pays special attention to the analysis of CV and payroll files, since they contain sensitive data.
  • Establishing action and contingency mechanisms to deal with security breaches.