LOPD: Protocol of Action (Adaptation) and Review Protocols (Audit) in Data Protection

LOPD - Ley de protección de datos

DATA PROTECTION is a fundamental right, therefore, implying that the party responsable for processing personal data must be subject to certain principles and obligations.

The Fundamental Right to Data Protection recognizes the rights of individuals in relation to the processing of their personal data. This fundamntal right acknowledges the data subject the faculty to control their personal data and the ability to dispose of and decide on them.

What is Data Protection?

Data Protection is the safeguarding of the privacy rights of individuals in relation to the processing of their personal data. These rights, such as the right to be informed, the right of access or the right of rectification or erasure, empower the data subject to ensure that the information or sensitive data is acccurate and is only made available to those that should have it and is only used for specified purposes.

The regulation enforced in this matter is the following:

  1. Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27 (GDPR)

    On the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  2. Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016

    On the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA

These standards are meant to OBLIGE the parties managing the data processing to submit to stricter rules than the previous legislation, enforcing a more personalized adaptation according to their respective risk factors, all under the principle of proactive responsibility of the person or entity Responsible. The new rules will avoid generic obligations on data processing, requiring an adaptation according to their respective risk factors, which will depend on the company, for example, taking into account the obligation to carry out the REGISTRATION OF PROCESSING ACTIVITIES of your entity.

How does Data Protection affect us?

Companies manage and process personal data on a daily basis, as an essential part of their activities, such as with invoices, accounting, etc. As Data Protection Controllers, this processing of personal data must be carried out in compliance with the legal obligations, specifically the regulation on Data Protection, such as the EU Regulation and Directive.
In this sense, article 24 of the GDPR (General Data Protection Regulation), provides in its first paragraph the responsibility of the controller “taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”

What Obligations must I comply with?

  • Prepare a document or PROTOCOL OF ACTION IN DATA PROTECTION that your company follows.
  • Periodic review and updating of Protocols in Data Protection (AUDIT).
  • Ensure that the data processing is performed in accordance with the Regulation, carrying out a legal treatment of information, that is, observing the obligations and rights established in the Regulation.
  • Comply with and enforce this regulation to all personnel of the company that has access to personal data.
  • Establish a procedure that allows for the exercise of rights by interested parties.
  • The duty of the processor or controller to notify the violations of personal data, not only to the control authority but also to the persons expressly affected by them, the data subjects.
  • Adherence to ethical code, codes of conduct or to a certification mecanism approved in accordance with the provisions of the GDPR, that may be used as forms to demonstrate compliance with the obligations by the Data Processor.
  • Identification and mitigation of risks that may affect personal data in your entity. Conduct an Impact Assessment related to data protection. Specify risk levels according to an evaluation of the impact that could suppose the treatment of personal data, and take measures according to those levels.
  • The consent for data processing, it must be “freely given, specific, informed and unambiguous” and the data controller must be able to prove if the Spanish Agency for Data Protection requieres it, that the data subject “consented to the processing of their data”.
  • The new Regulation now establishes new rights of: Transparency, Information, Access, Rectification, Erasure, Restriction of processing, Data portability and the Right to object.

How can we help you or your entity?

Doing, step by step, all the work for you!

  • Assessment of the need to incorporate a Data Protection Delegate.
  • Certification of the figure of the Delegate of Data Protection in your entity.
  • Identification of personal data that your entity manages.
  • Preparation and drafting of the PROTOCOL OF ACTION IN DATA PROTECTION.
  • Devising of the confidentiality contract or the provision of services with Data Processors. The transfer of data can only be carried out with the express consent of the affected party (data subject) or when there is a contract for the provision of services between assignor and assignee (eg., data transfer to an agency to carry out payrolls, contracts, accounting, etc.).
  • Clauses related to the protection of personal data that should be included in any type of contracts, forms, brochures, emails, invoices, etc., where personal data is collected.
  • Response models on behalf of any request by the interested party to exercise the rights of: access, rectification, portability and erasure of their data and the limitation or opposition to their processing.
  • Customized computerized recommendations for a better adaptation of the technology to the legislation related to Data Protection (change of passwords, recommended antivirus, etc.).
  • Resolution of the queries addressed by THE CLIENT to RAPINFORMES regarding the application of the current legislation on the protection of personal data.
  • Provision of information on possible legislative changes in the field of Data Protection and its impact on the information system of the CLIENT.
  • Making the necessary documents, in response to any claim raised by the Data Protection Agency, ie we assume your representation before the AEPD (Spanish Data Protection Agency).
  • Training for Security Managers and employees of the entity.
  • Review and update of Protocols in Data Protection (AUDIT)
  • Analysis of the risk level that implies the processing of personal data (Impact Assessment).

Revision and update of Protocol in Data Protection Service

What can we offer?

  • Identification of the deficiencies that may be appropriate to propose the corrective or complementary measures that may be necessary.
  • Verify compliance with mandatory security measures.
  • That the current procedures and instructions on data security are followed.
  • Control and evaluate the existence of the necessary elements for the correct adaptation of the computer systems of storage and processing of personal data, ensuring that it complies with the laws and regulations provided. As well as, the updating of computer systems.
  • Certificate of Compliance.
  • Training for Security Managers and employees of the entity


Adaptation to the New Regulation on Data Protection

After carrying out a complete audit of your company to have it adapted to the Data Protection regulations, you will have a series of Customized Computerized Recommendations, to better adapt the technology to comply with the new regulation.
If you dont have computer services or you prefer that our professionals adapt your systems to those measures, we can help you implement all the recommendations so that you manage your company and the process the data in the safest way.
To start off, you can verify the level of adaptation that your organization has in terms of computer measures in relation to the Organic Law on Data Protection (LOPD) completing the following test.

If you want to check the extent to which you comply with the law you can perform any of our tests, in order to verify.