On 17 March, the Spanish data protection agency (la Agencia
Española de Protección de Datos - AEPD) published a
draft privacy impact assessment guide (Evaluación del Impacto en materia de
Protección de Datos Personales). At the same time, the
AEPD has initiated a public consultation, open until 25 April, to
garner opinion and comments on the guide, after which they will
issue a final version.
The guide sets out a framework to improve privacy and data
protection in relation to an organisation's technological
developments, with the aim of helping them identify, address and
minimise data protection risks prior to the implementation of a new
product or service.
In this draft guide, the AEPD comments on the increasing
importance for organisations to demonstrate their commitment to the
rights of individuals whose personal data they process, and in
meeting their legal obligations (essentially advocating the
principle of accountability). In this regard, they advise that a
developed privacy impact assessment will go a long way in
evidencing an organisation's good diligence, as well as
assisting it to develop appropriate methods and procedures for
addressing privacy risks.
It is not suggested, however, that the guide will provide the
only methodology for carrying out a privacy impact assessment.
Indeed, the AEPD says that they would be receptive to organisations
who wish to develop an assessment specifically adapted to their
business or sector, and they would be open to providing such
organisations with guidance to ensure that they meet the minimum
As well as providing general guidance on privacy impact
assessments, the guide sets out a set of basic questions, together
with an 'evaluation' tool developed by the AEPD, whereby
organisations can 'check off' and determine the legal
obligations that must be met in order to implement their intended
product or service in compliance with data protection
While this privacy impact assessment is not obligatory in Spain,
this type of compliance review could become a legal requirement
across the EU if the European Regulation on Data Protection remains
as currently drafted (Article 33).
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
John O’Connor outlines the latest position in the ‘Microsoft Warrant case’ where the Cloud provider was ordered by a US Federal Court to produce its customer’s private e-mail content even though it was stored exclusively outside the USA.