ILN Data Privacy Paper

Spain

providers of information society services, as well as insurance and financial services entities, among others. The Spanish DP Law, therefore, extends the scope of DPO requirements beyond the parameters established in the GDPR, outlining a more detailed and nuanced set of criteria applicable to specific sectors and contexts. Records of processing activities GDPR, in its article 30, stipulates that “Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility”, however, it would not apply to “an enterprise or an organization employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data”. The legal framework in Spain, as articulated in the Spanish DP Law, introduces an additional requirement for certain organizations or entities. According to this provision, such entities are obliged to publicly disclose and publish a comprehensive inventory of their data processing activities. This disclosure must be easily accessible through electronic means, encompassing all the details specified in Article 30 of the GDPR. In essence, the Spanish DP Law extends beyond the GDPR by specifically stipulating the obligation for certain entities to proactively share and maintain a transparent record of

their data processing endeavors, thereby fostering greater accountability and accessibility. Usually, these organizations will be public or administrative. Among the organizations listed we can mention: Courts of Justice The National Bank of Spain (“Banco de España”) Public universities Parliamentary groups Public bodies and public law entities. State Administration 4.2. Role and responsibilities of key stakeholders Requirements for Data Processing 5.1. Grounds for collection and processing Consent Consent Notice Withdrawal of Consent 5.2. Data storage and retention timelines 5.3. Data correction, completion, updating or erasure of data 5.4. Data protection and security practices and procedures 5.5. Disclosure, sharing and transfer of data 5.6. Cross border transfer of data 5.7. Grievance redressal

https://lopez-iborabogados.com/en/

Made with FlippingBook - PDF hosting