ELZABURU Blog - Industrial and Intellectual Property

Tag Archives: Personal data

Personal data – Safeguards for Brexit

If your company has a supplier, parent company, subsidiary or partner located in the United Kingdom, it most probably means that you are transferring personal data to the UK. It is therefore highly advisable to know what can be done in the event that Brexit ultimately goes ahead, in order to be able to continue transferring that information and benefitting from those business relationships without breaching data protection regulations or being exposed to the resulting severe penalties.

Once the United Kingdom has left the European Union, communications of personal data to the UK will be considered international data transfers, since it will become a third country (non-EU and non-EEA).

The General Data Protection Regulation (GDPR) is the world’s most stringent legislation in the area of privacy. It therefore follows that if the data is sent to a country outside the European Economic Area (EEA), the level of security and safeguards will be lower. Thus, the general rule is that such data flows shall not be permitted unless the following criteria are fulfilled:

  • The country of destination for the data has an “Adequacy Decision”: The European Commission, having studied the country’s privacy legislation, considers that it provides sufficient guarantees in keeping with European standards, as was recently the case with Japan in the ruling adopted on 24 January. However, while the United Kingdom has adapted its national legislation in line with the European data protection regulation (GDPR), the European Data Protection Board or EDPB (which replaced the Article 29 Working Party) has already pointed out that at the present time, the UK does not have an adequacy decision, and the fact is that the process of adopting the decision could take up precious time during which data flows to the United Kingdom cannot be stopped.
  • Appropriate safeguards have been adopted: even if the destination country does not have an adequacy decision, the transfer of data can be enabled if appropriate safeguards are provided, the most important of which are the following:
    • Standard clauses: contractual provisions that oblige the recipient of the data to adopt measures and safeguards that provide for a level of protection comparable to the European level.
    • Binding corporate rules: better known as BCR, they are a set of legally binding policies or codes of conduct developed and implemented by a group of enterprises in order to provide sufficient guarantees for the secure transfer of data within the group. This mechanism is exclusively for groups of enterprises, and the rules must be submitted to the pertinent supervisory authority for review and, where appropriate, approval.
  • Codes of conduct and certification mechanisms: these mechanisms are a new feature introduced by the GDPR. The codes of conduct are self-regulatory sectoral rules. The approach is similar to that of BCR, but applied to a business sector rather than to a group of enterprises. Moreover, the GDPR provides for the possibility to create certification mechanisms in the area of data protection (such as seals or marks) as a means of demonstrating compliance with the applicable legislation. The EDPB is currently working on a series of directives to harmonise these conditions.
  • One of the legally established derogations applies: the GDPR does leave some room for manoeuvre, establishing that even if the destination of the international data transfer is not deemed secure and adequate safeguards are not provided for data communication, it may be permitted in the event that it comes under any of the established exceptions. The EDPB has already cautioned that, since these are exceptions, they must be interpreted restrictively, and only be used occasionally to ensure that the exception does not become the rule.

Thus, even if the United Kingdom did not manage to conclude an agreement before its departure from the European Union, or if the agreement did not contain any provisions on data protection, this would not necessarily imply cutting off the flow of personal data from the EU, although the flow of data would depend on the decision that the European Union decides to adopt, and on the preparedness or quick response of companies in the rest of Europe that have business relationships with the United Kingdom.

  Authors: Fernando Díaz y Ruth Benito
Visit our website: http://www.elzaburu.es/en

Nine basic issues concerning the new Data Protection Act (II)

Digital rights

Besides dealing with the field of data protection, Title X of the Act lays down a controversial series of provisions dealing with digital rights, such as Internet neutrality, universal access, promotion in education, and extension of the right to be forgotten to social media, that are highly contentious among people in the field.


In the field of labour relations, the Act provides broad protection for employees while placing squarely on employers the need to adjust internal policies to such new factors as:

  1. a) Protection of privacy in the use of digital devices and metered access to content.
  2. b) Digital disconnection, to ensure respect for free time off work.
  3. c) Greater regulation of the conditions of valid video surveillance and audio recording.
  4. d) Employees’ right to privacy in respect of geolocation systems.

 Digital inheritance

Barring a will stipulating otherwise, the heirs, persons related to the deceased, and/or persons designated by the deceased may access the deceased’s content on social media and digital platforms and give service providers instructions as to its use, modification, destination, and removal.

Access to the first part of this post here

Authors: Ruth Benito y Fernando Díaz

Visit our website: http://www.elzaburu.es/en

Nine basic issues concerning the new Data Protection Act (I)

On 6 December the BOE [Official Spanish Government Gazette] published Organic Personal Data Protection and Guarantee of Digital Rights Act, Act No. 3/2018 of 5 December 2018, approved by plenary session of the Senate this past 21 November.

The General Data Protection Regulation (GDPR) does not leave EU Member States much room for manoeuvre, and for that reason the new Act makes constant reference to the Regulation, but it nonetheless contains certain novel provisions discussed here in this post.

Data Protection Officer

In addition to the provisions already set out in the General Data Protection Regulation (GDPR) in this respect, the Act specifies a total of 16 cases in which designation of a DPO is mandatory.

Advertising firms that carry out profiling, operators that offer online gaming, insurance companies, schools, investment service firms that do business in securities markets, financial institutions, and certain energy companies, along with other companies, are all affected by this provision.

Transparency and information

Article 11 of the Act takes what had until now been a recommendation by Spain’s Data Protection Agency and the former Article 29 Data Protection Working Party concerning the layered approach to information and turns it into a mandatory standard.

Accordingly, under this layered information approach, the first layer must necessarily contain, at minimum, the features required in Article 11:

  1. The identity of the data controller and its representative, if any.
  2. The purpose of the processing.
  3. The option of exercising data protection rights.
  4. Where the data are not obtained directly from the owner, the type of data and their source.


The Act keeps the age limit at 14 years and introduces measures aimed at defending minors and their interactions with the digital sphere, for instance, the possibility of intervention by the Public Prosecutor’s Office in cases when images and personal information of minors are disseminated on social networks if doing so represents an unlawful intrusion on their fundamental rights.

Legitimate interest and public interest

The Act expressly sets out certain instances of data processing in which the data controller is presumed to have a legitimate interest or the processing is presumed to be carried out in the public interest.

The former case includes credit information systems, changes to corporate structure or the sale of companies, and contact details of individual business owners and members of the liberal professions, provided that the processing of location and contact data is restricted wholly to the business sphere in relation to providing specialised services.

As far as the public interest is concerned, the Act addresses video surveillance, files regarding advertising opt-outs, and whistleblowing.

The controversy regarding political parties

The final provisions of the new Personal Data Protection and Guarantee of Digital Rights Act amends the Elections Act to allow political parties to gather and use data collected from websites and other publicly accessible sources, including by electronic means, stipulating that election advertising is not to be considered a commercial communication.

Technically, the implicit consideration of websites as being publicly accessible is an important feature, since heretofore the Internet has not enjoyed this status.

System of sanctions

The Act specifies and classifies infringements of data protection categories into the conventional categories of (i) minor, (ii) serious, and (iii) very serious, while maintaining the fines laid down in the GDPR, ranging from a minimum of €10,000,000 or 2 % of total worldwide annual turnover to a maximum of €20,000,000 or 4 % of total worldwide annual turnover.

Access to the second part of this post here

Authors: Ruth Benito y Fernando Díaz

Visit our website: http://www.elzaburu.es/en

When can public authorities access SIM card data?

Access by public authorities to electronic data for the purpose of identifying the owners of SIM cards activated with a stolen mobile telephone: not limited to serious criminal offences since it is a non-serious interference with fundamental rights.

On 16 February 2015, Mr. Hernández Sierra filed a complaint with the Spanish police for a violent robbery, during which he was injured and his wallet and mobile telephone were stolen. On 5 May 2015, the Examining Magistrates’ Court rejected the request made by the police to order various providers of electronic communications services to provide the telephone numbers activated between 16 February and 27 February 2015 with the IMEI code of the stolen mobile telephone and the personal data concerning the identity of the owners or users of the telephone numbers corresponding to the SIM cards activated with said code, such as their forenames, surnames, and, if necessary, their addresses.

The Public Prosecutor’s Office lodged an appeal against the rejection of the request, invoking the judgment of 26 July 2010 handed down by the Supreme Court in a similar case. The Provincial Appellate Court of Tarragona decided to stay the proceedings, recalling the amendment of the Code of Criminal Procedure (enacted under Organic Act No. 13/2015 of 5 October 2015, strengthening procedural due process and regulating technological investigative measures), and referred two questions to the CJEU for a ruling:

  1. Can the sufficient seriousness of offences, as a criterion which justifies interference with the fundamental rights recognised by Articles 7 and 8 of the Charter of Fundamental Rights of the EU, be determined taking into account only the sentence which may be imposed in respect of the offence investigated, or is it also necessary to identify in the criminal conduct particular levels of harm to individual and/or collective legally protected interests?
  2. If it were in accordance with the constitutional principles of the European Union, used by the CJEU in its judgment of 8 April 2014 [Digital Rights Ireland and Others, C-293/12 and C-594/12] as standards for the strict review of the Directive, to determine the seriousness of the office solely on the basis of the sentence which may be imposed, what should the minimum threshold be? Would it be compatible with a general provision setting a minimum of three years’ imprisonment?

The CJEU ruled on both questions in its judgment of 2 October 2018 (case C-207/16).

In this judgment, it is stated that pursuant to the principle of proportionality, in the areas of prevention, investigation, detection and prosecution of criminal offences, a serious interference may be justified only by the objective of fighting crime which must also be defined as serious. However, when the interference entailed by such access is not serious, it may be justified by the objective of preventing, investigating, detecting and prosecuting criminal offences generally.

The data sought by the Spanish police only enable the SIM card or cards activated with the stolen mobile telephone to be linked, during a specific time period, with the data concerning the identity of the owners of those SIM cards. Without checking those data against the data concerning the communications made with those SIM cards and the location data, it is not possible to determine the date, time, duration or recipients of the communications made with the SIM cards in question, or the locations where the communications were made, or the frequency of those communications with certain people during a certain time period. Therefore, said data do not allow precise conclusions to be drawn regarding the private lives of the persons whose data is affected, and therefore it cannot be regarded as a serious interference in the fundamental rights of those individuals.

The interference entailed by access to said data may be justified by the objective of preventing, investigating, detecting and prosecuting criminal offences generally, as referred to in the first sentence of Article 15(1) of Directive 2002/58, without it being necessary that those criminal offences be defined as serious.

Consequently, it is stated that the access of public authorities to data for the purpose of identifying the owners of SIM cards activated with a stolen mobile telephone, such as forenames, surnames, and if necessary, their addresses, constitutes interference with their fundamental rights, enshrined in the aforementioned articles of the Charter, which is not sufficiently serious to mean that said access is to be limited, in the areas of prevention, investigation, detection and prosecution of criminal offences, to the objective of fighting serious crime.

Let us hope that this judgment helps to reduce the reluctance of courts in Spain, when it comes to prevention, investigation, detection and prosecution of any type of crime in which technological investigative measures are required, encouraging them to weigh the different interests involved but without hindering the chances of establishing the facts of the matter.

  Author: Juan José Caselles

Visit our website: http://www.elzaburu.es/en

S.O.S. Security incident

Since 25 May, we receive news and notifications every day of security breaches at top-level companies resulting in the mass exposure of customer data.

The reality, as unlikely as it may seem, is that the number of security breaches has not increased since the application date of the Data Protection Regulation (GDPR) of 27 April 2016. It is in fact the case that, up to now, there has been no obligation under our legislation to report security violations except in the case of providers of publicly available electronic communications services, while the GDPR now extends this obligation to any company processing data.

A security incident is the destruction, loss or alteration of personal data due to internal or external causes, which may be accidental or intentional. With regard to such an eventuality, the most important things for any company to bear in mind should be to (i) define a procedure for management of security breaches; (ii) have the tools available to assess the risk of such an incident occurring; and (iii) know whether it should be reported to the supervisory authorities and to data subjects depending on the characteristics of the incident and the risk for data subjects.

Notification to the supervisory authority, as established under the GDPR, is required whenever the incident may result in a risk to data subjects and the notification must be made within 72 hours of becoming aware (having actual evidence) of the incident. It is also required to notify the data subjects affected whenever such an incident could result in a high risk for them and provided that said notification does not compromise the outcome of a pending investigation, in which case the communication may be made at a later stage, all under the control of the supervisory authority.

Additionally, it is crucial to respond quickly in an effort to mitigate the consequences of the incident, by adopting security measures that prevent access to data or amendment or reading of the same.

The only effective formula for avoiding this deluge of legal obligations is prevention. All possible measures must be taken to avoid security breaches, prevent unauthorised reading and amendment of data, and establish a procedure for responding to incidents of this kind.

The European Data Protection Board, formerly the Article 29 Working Party, prepared a guide on notification of security breaches which deals with many of the issues that had given rise to doubts. Moreover, on 19 June 2018 the Spanish Data Protection Agency published a guide for management and notification of security breaches with directives for detection and management of security breaches and evaluating notification of the same.

Author: Martín Bello y Cristina Espín

Visit our website: http://www.elzaburu.es/en



Formulario de suscripcion

Sí, soy humano*

Se ha enviado un mensaje de confirmación; por favor, haga clic en el enlace de confirmación para verificar su suscripción.
Este email ya está en uso
Debes escribir un email válido
Debes cliquear el captcha
El captcha no es correcto