On 17 March, the Spanish data protection agency (la Agencia
Española de Protección de Datos - AEPD) published a
draft privacy impact assessment guide (Evaluación del Impacto en materia de
Protección de Datos Personales). At the same time, the
AEPD has initiated a public consultation, open until 25 April, to
garner opinion and comments on the guide, after which they will
issue a final version.
The guide sets out a framework to improve privacy and data
protection in relation to an organisation's technological
developments, with the aim of helping organisations identify, address
and minimise data protection risks prior to the implementation of a
new product or service.
In this draft guide, the AEPD comments on the increasing
importance of organisations demonstrating their commitment to the
rights of individuals whose personal data they process, and to
meeting their legal obligations (essentially advocating the
principle of accountability). In this regard, they advise that a
well-developed privacy impact assessment will go a long way towards
evidencing an organisation's diligence, as well as
assisting it to develop appropriate methods and procedures for
addressing privacy risks.
It is not suggested, however, that the guide will provide the
only methodology for carrying out a privacy impact assessment.
Indeed, the AEPD says that they would be receptive to organisations
who wish to develop an assessment specifically adapted to their
business or sector, and they would be open to providing such
organisations with guidance to ensure that they meet the minimum
As well as providing general guidance on privacy impact
assessments, the guide provides a set of basic questions, together
with an 'evaluation' tool developed by the AEPD, whereby
organisations can 'check off' and determine the legal
obligations that must be met in order to implement their intended
product or service in compliance with data protection
While this privacy impact assessment is not obligatory in Spain,
this type of compliance review could become a legal requirement
across the EU if the European Regulation on Data Protection remains
as currently drafted (Article 33).