Comply with the European RGPD regulation
We explain the new RGPD requirements that every company must adopt
The European Regulation 2016/679 on the Protection of Personal Data (RGPD) introduces important changes to the processing of personal data compared with the LOPD.
All Spanish companies must comply with the RGPD.
It is not enough to comply with the Spanish Data Protection Law.
Update with Edorteam and comply with the LOPD and RGPD.
The LOPD is the Spanish data protection law, while the RGPD is the European regulation. Both must be applied in Spain until an updated LOPD that incorporates the new RGPD requirements is published.
Is my company obliged to comply with the GDPR?
The RGPD has been mandatory since May 25, 2018. It applies to the total or partial processing of personal data by controllers or processors established in the EU, and also to those not established in the EU if they carry out processing aimed at EU citizens.
Spanish companies that process personal data are subject to this new regulation and must adapt properly to the new features and obligations it establishes.
Although the Organic Law on Data Protection remains in force in Spain, the GDPR introduces some new obligations, and therefore both rules currently apply.
Our experience with clients handling data at the high protection level allows us to offer the best and most complete solution to adapt easily to current legislation.
What are the penalties for violating the GDPR?
As one of the key novelties, the Regulation strengthens the sanctioning regime, establishing fines of up to 4% of the company's global turnover or 20 million euros, whichever amount is greater.
Fines can reach 20 million euros or 4% of the company’s global turnover, whichever is higher.
Do you need further assistance?
Tell us about your company and any regulatory questions you may have. We will study your case to assess whether your company is compliant.
What is our GDPR compliance service?
Review and update of the documents that make up the Company’s Security Document
The first step is to review the data protection policy that the company currently has. After this study, only the tasks essential to bringing it into line with current law will be carried out, so that the investment required from the company is minimal.
Establish the legal clauses to be incorporated in the documents in which the company requests data
These clauses adapt the documents to the obligation to obtain the consent of the data subject (the entity's clients and staff). We also analyze, from a legal point of view, the operations that may constitute a transfer of data, and incorporate confidentiality and purpose clauses into agreements with external parties that have access to company data, limiting the use and processing of that data to what the company has authorized.
Implementation of Security measures
Through our technical services, or by advising your system administrator, we ensure the correct implementation of the appropriate measures to improve security and comply with the law.
Training of the Data Controller
If requested, we train those responsible for company security and the other employees involved in implementing the measures set out in the Security Document, to guarantee that the company complies with all the requirements of the data protection regulations.
Appointment, if applicable, of the Data Protection Officer (DPO)
The RGPD allows the DPO to be internal or external to the company, so the service can be contracted with natural or legal persons outside the organization. At Edorteam we are accredited to act as DPO, a role that is mandatory for authorities and public bodies, or depending on the type or volume of data a company processes.
Carrying out the DPIA (Data Protection Impact Assessment)
Also known as impact evaluations on data protection, their function is to evaluate the origin, nature, particularities and risk to which personal data are exposed.
After adapting to the GDPR, manage everything online
LOPD Online is a cloud management software from where you will manage all the documentation regarding the protection of your company’s data:
Manage the Security document
Generate confidentiality agreements and other contracts
Register security incidents quickly
Always keep the record of incoming and outgoing media up to date
Advantages for your business
100% online service, documentation always updated and available
Direct communication with your Edorteam LOPD expert consultant
Regular audits and training by our specialists
The peace of mind of complying with the obligations of the LOPD and RGPD
Key articles of the GDPR regulation and how to comply with them
Below, you will find a selection of the most important GDPR articles and what we propose to fulfill your obligations.
Consent obtained prior to the date of application of the European Regulation (05/25/2018) remains valid only if it was obtained in accordance with the criteria set out in the Regulation itself (free, informed, specific and unequivocal).
Updating of consents and revision of contracts with third parties and with the data processor to adapt them to the new regulations.
Contract with data processors that have adhered to certifications, mechanisms or codes of conduct in accordance with data protection rules.
Implementation of specialized codes of conduct in data protection regulations.
Regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to guarantee data protection security.
Carrying out audits to verify correct compliance with the implemented measures.
Articles 30 and 32
User management and administration, equipment control and maintenance of an activity log.
Have data recovery systems and periodic backups of equipment.
Provide the computer equipment with the ET Seguridad and ET Backup software, if it does not already have other solutions with the same functions.
Assessment of the risks posed by data processing, in particular as a result of the accidental or unlawful destruction, loss or alteration of data, or unauthorized communication of or access to such data.
Study and performance of risk assessments of processing operations, with evaluations tailored to each case and its particular specifications.
Obligation on companies to report any leak of personal data within 72 hours.
Preventive encryption of folders and documents with ET Encrypt software or similar. Encrypting personal information eliminates the obligation to notify those affected that a security breach has occurred.
Register access to your computer equipment with ET Seguridad
Protects stored information with an access log and prevents unauthorized use of computer equipment.
Encrypt files and USB removable drives with ET Encrypt
ET Encrypt is an encryption tool with a practically impenetrable algorithm that protects your data even when you send files by e-mail.
What new features does the RGPD introduce with respect to the LOPD?
Consent must be free, informed, specific and unequivocal. The requirement for consent is reinforced: it must be given by an unequivocal statement or affirmative action and cannot be inferred from silence or inaction. This establishes the obligation to have systems for recording consent so that it can be verified in the event of an audit.
Specially protected data
Consent must be explicit for the processing of sensitive data.
Especially protected or sensitive data:
- Religion and beliefs
- Union membership
- Data relating to beliefs, racial origin, health and/or sexual life.
- Relating to the commission of criminal or administrative offenses
The new regulation adds:
- Genetic data (DNA analysis)
- Biometric data (fingerprint or eye iris)
The legal basis for data processing must be explained, along with the period for which the data will be retained, and interested parties must be informed that they may address their claims to the data protection authorities. All this information must be included on web pages or in the available communication channels.
- Right to portability, right to be forgotten and right to transparency.
Companies have to adopt measures that reasonably ensure that they are in a position to comply with the principles, rights and guarantees of the new regulation. It is understood that acting only when an infringement has already occurred is insufficient as a strategy, that is why a set of measures is envisaged:
- Data protection from the point of view of risk analysis in data processing
- Data protection by default (from the start)
- Security measures
- Maintenance of a record of processing activities
- Carrying out data protection impact assessments (DPIA)
- Appointment of a data protection officer (DPO)
- Promotion of codes of conduct and certification schemes
Carrying out impact assessments on personal data (DPIA)
Data protection impact assessments are required only when the use of advanced technologies or the volume or type of data processed (especially protected data) may pose a risk to the rights and freedoms of the affected persons.
The Regulation considers that a DPIA has to be carried out to evaluate the origin, nature, particularities and risk to which personal data are exposed. The data controller will seek the advice of the Data Protection Officer when carrying out the DPIA.
The Spanish Agency for Data Protection is in charge of publishing the lists with the types of processing operations that require impact evaluations.
Appointment of a Data Protection Officer (DPO)
Among the functions of the DPO are monitoring the correct implementation of the measures aimed at reducing risks and advising the data controller.
The RGPD allows the figure of the DPO to be internal or external to the company, being able to contract the service to natural or legal persons outside the organization.
This figure is mandatory in:
- Organizations and public institutions.
- Controllers or processors whose main activities include processing operations that require regular and systematic monitoring of data subjects on a large scale.
- Controllers or processors whose main activities include the large-scale processing of sensitive data.
Notifications of data breaches
Obligation for companies to report any leak of personal data within 72 hours to the national authority (Spanish Agency for Data Protection) and also to those affected.
The use of encryption on personal information eliminates the obligation to notify those affected that a security breach exposing their personal data has occurred; the notification to the national authority still applies.
Strengthening of the sanctioning regime
The Regulation strengthens the sanctioning regime: fines can reach up to 4% of the company's global turnover or 20 million euros, whichever amount is greater.
The “One-Stop-Shop” or single window aims to reduce bureaucratic obstacles by making all the procedures that affect Data Protection go to a single window that solves cases at the European level.
Cases will be managed by the national authority, acting as an intermediary, which must inform the interested party of the final result of the claim or complaint.
Data processor and data controller
The controller must exercise extreme caution and bring contracts into line with the requirements and the necessary documentation.
Right to compensation and liability, extended to damages that may have been caused by processors, establishing joint and several liability between the controller and the processor.
- Pseudonymisation and encryption of personal data.
- Guarantee the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- Ability to restore the availability of and access to personal data quickly in the event of a physical or technical incident.
- Process of regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to guarantee the security of processing.
- Assessment of the risks posed by data processing, in particular as a consequence of the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to such data.
- Contract with data processors that have adhered to certifications, mechanisms or codes of conduct in accordance with data protection rules.
- Notify the supervisory authority of any personal data security breach that occurs.