Very important information kindly supplied by Gestdatos
SUMMARY – DATA PROTECTION LAW (LOPD)
Effective in Spain since APRIL 2008
This is a law that protects the right we all have as individuals for our personal data to
be correctly and securely handled and managed.
· 52% of companies declare they are registered
– Fact – only 19% are registered
WHO HAS TO COMPLY?
ALL companies – private, public, state and autonomos. Fact – all companies hold and manage
personal data, whether stored in manual or computerised format. All companies have to register
these files at the Spanish Data Protection Agency (AEPD).
HOW TO COMPLY?
1- Register the names of files containing personal data at the AEPD (not the database itself)
2- Create a Security Document – a book with all obligations and protocols regarding data
3- Allow individuals to exercise their ARCO rights (Access, Rectification, Cancellation and
Opposition) in all the formats a company may use to record an individual's personal data: web
site, email address, newsletters, etc.
DATA SECURITY LEVELS
Low risk : Every normal company handles names, telephones, address, email…
Medium risk: Accountants, lawyers, civil or criminal offences, credit rating, financial information...
High risk: Health, dental clinics, therapists, unions, religion, etc.
Fine ranges by level: Low: €600 to €60,000; Medium: €60,000 to €300,000; High: €300,000 to €600,000
WHY COMPLY? WHAT IS IN IT FOR THE COMPANIES?
· The discipline imposed by the LOPD improves security of personal data
· Compliance improves corporate image and increases confidence in the company
· Creates a competitive advantage – assurance and trust in your company
· Because... it's the law!
WHY ARE COMPANIES NOT COMPLYING?
Lack of information – Additional cost for the company – No added value
· Poor quality LOPD consultants
· Limited to basic information
· Non approved LOPD training programs
In times of financial difficulties companies believe they can do it themselves
· It's not that straightforward to do it without proper training
· It ends up costing more in internal resources
WHAT DOES IT COST?
For companies with employees, the payment scheme is ZERO COST *
Registered companies are charged an annual fee for this training. The Government has agreed
that this fee will be deducted by the company from its Social Security payments (bonificación).
To find out how the State subsidy works and how to comply, call us at:
Auditing and consulting on files and security to ensure continued compliance
(i) A high number of companies just copy the legal LOPD clause from other companies and
paste it on their Web and emails. This is illegal unless they comply with LOPD.
(ii) April 19, 2010 was the due date established by LOPD to comply with the security
procedures for high risk files. Files that contain medical information are considered high risk
files. Special security measures regarding information and data storage, copies or reproductions
and their access and transfers must be adopted. By law, companies with such high risk files
must be audited by an authorised company.
(iii) LOPD fines to Property Management Companies (Comunidades de Propietarios,
Administraciones de Fincas y Profesionales) have increased in number and size, ranging from
€1,500 to €30,000. Fines for Independent Property Management Professionals start at €6,000.
(iv) Fines in Spain for non-compliance in 2009 totaled in excess of €30 million.
Iberdata21, S.L. Documento de Seguridad © 2009 • All rights reserved
Data Protection Law (LOPD)
Security Procedures for Medium and High Risk Files
April 19, 2010 was the due date established by LOPD's Royal Decree (Real
Decreto) No.1720 (2007) to comply with the security procedures for files
containing high risk data.
The new Regulation (Reglamento), besides enforcing LOPD No.15 (1999),
includes non-automated files (paper files).
Paper files that contain medical information are now considered high risk
files. Special security measures regarding information and data storage, copies
or reproductions and their access and transfers must be adopted.
Therefore all Security Documents made according to the LOPD 15 (1999)
have to be modified and adapted to the new Royal Decree No.1720 (2007)
before April 19, 2010.
By law, companies with such high risk files must be audited by an authorised company.
GESTDATOS is an authorised auditing company specialising in the Data
Protection Law (LOPD) and can assist your company through all the necessary
steps required to comply with the LOPD.
Be aware that if your business does not comply with the LOPD this will likely
result in inspections from the AEPD (Agencia Española de Protección de Datos) and the imposition of
potentially large fines. These can vary from €600 to €600,000.
Fines are published on the AEPD (Agencia Española de Protección de Datos) web page http://www.agpd.es