On 17 March, the Spanish data protection agency (la Agencia
Española de Protección de Datos - AEPD) published a
draft privacy impact assessment guide (Evaluación del Impacto en materia de
Protección de Datos Personales). At the same time, the
AEPD has initiated a public consultation, open until 25 April, to
garner opinion and comments on the guide, after which they will
issue a final version.
The guide sets out a framework to improve privacy and data
protection in relation to an organisation's technological
developments, with the aim of helping them identify, address and
minimise data protection risks prior to the implementation of a new
product or service.
In this draft guide, the AEPD comments on the increasing
importance for organisations to demonstrate their commitment to the
rights of individuals whose personal data they process, and in
meeting their legal obligations (essentially advocating the
principle of accountability). In this regard, they advise that a
developed privacy impact assessment will go a long way in
evidencing an organisation's good diligence, as well as
assisting it to develop appropriate methods and procedures for
addressing privacy risks.
It is not suggested, however, that the guide will provide the
only methodology for carrying out a privacy impact assessment.
Indeed, the AEPD says that they would be receptive to organisations
who wish to develop an assessment specifically adapted to their
business or sector, and they would be open to providing such
organisations with guidance to ensure that they meet the minimum
As well as providing general guidance on privacy impact
assessments, the guide sets out a set of basic questions, together
with an 'evaluation' tool developed by the AEPD, whereby
organisations can 'check off' and determine the legal
obligations that must be met in order to implement their intended
product or service in compliance with data protection
While this privacy impact assessment is not obligatory in Spain,
this type of compliance review could become a legal requirement
across the EU if the European Regulation on Data Protection remains
as currently drafted (Article 33).
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
On 12 January 2016, the European Court of Human Rights handed down a decision on the lawfulness of monitoring private messages sent on an employee's Yahoo! Messenger account using the employer's computer system; the case was Barbulescu v. Romania.
In October 2015, the CJEU held that transfers of personal data from Europe to the United States made under the so-called US Safe Harbor scheme were invalid as those transfers did not ensure an adequate level of protection under European data protection law.
The invalidation of the EU-U.S. Safe Harbor framework in October 2015 has created uncertainty for businesses that were reliant on the regime to transfer data to the United States, and has caused political shockwaves on both sides of the Atlantic.
The final draft of the new European General Data Protection
Regulation (GDPR) was agreed on 15 December 2015 and, once it has
been approved by the European Parliament in early 2016, is expected
to take effect by early 2018.