Protection of personal data

Our team of experts in the protection of personal data has in-depth knowledge of the Organic Law on the Protection of Personal Data and Guarantee of Digital Rights, which allows us to implement a personal data protection system that adapts to the particular needs of your company in compliance with legal, technological and organizational regulations.

Contact us so that we can advise you on the following matters:

  • Data protection audit. Adaptation to RGPD and LOPDGDD.
  • External Data Protection Officer (DPO) service.
  • Support to the organization’s internal DPD.
  • Elaboration of the Treatment Activity Record (RAT).
  • Analysis of the company’s data protection risks.
  • Creation of informative clauses.
  • Drafting of Contracts for Data Processors (CTP).
  • Drafting of legal texts for e-mails and Web pages.

DPD (Data Protection Officer)

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights regulate the figure of the Data Protection Officer (hereinafter, DPD), which is of great importance and is based on the principle that it may be mandatory or voluntary, may or may not be integrated into the organization of the controller or processor and may be either a natural person or a legal entity.

It is a new figure incorporated by the RGPD (General Data Protection Regulation), a specialist in Data Protection Law, which is configured alongside the figures of the data controller and the data processor.

The controller and the processor shall ensure that the DPO is involved in an appropriate and timely manner in all matters relating to the protection of personal data. Support you in the performance of your duties by providing you with the necessary resources and access to personal data and processing operations. Likewise, they shall guarantee the independence of the DPD, who may not be dismissed or sanctioned for the performance of his duties, unless he is guilty of fraud or gross negligence.

The interested parties may contact the DPD in relation to the processing of their personal data and the exercise of their rights, and the DPD shall maintain confidentiality in its functions, without prejudice to the possibility of being part of the staff performing other tasks, provided that they do not give rise to a conflict of interest.

The functions of the DPD are as follows:

  • Inform and advise the controller or processor and its employees of their obligations, derived from both European and Spanish legislation.
  • Monitor compliance with such legislation and with the controller’s or processor’s policies on personal data protection, including the allocation of responsibilities, awareness and training of personnel involved in processing operations and related audits.
  • Provide advice as requested on the data protection impact assessment and monitor its implementation in accordance with the law.
  • Cooperate with the supervisory authority (Spanish Data Protection Agency).
  • To act as a point of contact for the supervisory authority for questions relating to processing and to consult, where appropriate, on any other matter.

The controller and the processor shall appoint a DPO provided that:

  • The processing is carried out by a public authority or body, except for courts acting in the exercise of their judicial function
  • The main activities of the controller or processor consist of processing operations requiring regular and systematic observation of data subjects on a large scale
  • The main activities of the controller or processor consist of large-scale processing of special categories of personal data (art. 9 LOPD) and of data relating to criminal convictions and offenses (art. 10 LOPD).
  • Or in the case of any of the entities listed in Article 34 of the LOPD.

A business group may appoint a single DPD as long as it is easily accessible from each establishment.

Where the controller or processor is a public authority or body, a single DPO may be appointed for several such authorities or bodies, taking into account their organizational structure and size.

In different cases, the controller or processor or associations and other bodies representing categories of controllers or processors may appoint a DPO or must appoint a DPO if required by Union or Member State law. The DPD may act on behalf of these associations and other bodies representing controllers or persons in charge.

The DPO shall be appointed on the basis of his/her professional qualifications and, in particular, his/her specialized knowledge of data protection law and practice and his/her ability to perform the above-mentioned duties.

Compliance with the requirements established by law for the appointment of the DPO, whether a natural or legal person, may be demonstrated, among other means, through voluntary certification mechanisms that will take into account the obtaining of a university degree that accredits expertise in data protection law and practice.

The DPD will act as the interlocutor of the data controller or data processor before the Spanish Data Protection Agency and the regional data protection authorities. It may inspect the procedures related to its functions and issue recommendations within the scope of its competencies.

Protección de datos de carácter personal

Why choose us?

  • Multidisciplinary service.
  • Highly specialized team.
  • Local knowledge and global capability.
  • Commitment to transparency, integrity and honesty.
  • Personalized and close service.
  • Focused on their objectives.
  • Enrolled in the PCAOB.
  • Members of the Forum of Firms.

Contact with us