Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends

Gonzalo Gallego

Posts by Gonzalo Gallego
Posted in International/EU Privacy

Spanish Data Protection Authority Clarifies Requirements for Cross-Border Transfers to Safe Harbor US entities

On Tuesday November 3, the Spanish data protection authority, Agencia Española de Protección de Datos, sent a letter all companies operating in Spain that had previously notified the AEPD of cross-border data transfers to Safe Harbor certified companies. The letter warns companies that because Safe Harbor certifications are no longer recognized as valid, they must take steps to ensure that alternative mechanisms are implemented in order to continue transferring data to Safe Harbor certified companies in the United States. In particular, the AEPD is requiring of all companies that received the letter to inform it not later than January 29, 2016 of any mechanisms that have been implemented to ensure adequate protections for personal data transferred to importers in the United States.

Posted in International/EU Privacy

Data Protection Compliance in Spain (2015)

Spain is well known for having one of the most restrictive data protection regimes in the European Union. It also counts with some of the highest penalties (fines are up to € 600,000 per infringement), and a data protection authority – the Spanish Data Protection Agency – with a reputation for being one of the fiercest of the EU. Moreover, the penalties envisaged are not only on paper; they are applied on a regular basis by the AEPD. For instance, in the past few years, it has imposed fines of € 450,000, € 900,000 and € 1,400,000.

Posted in International/EU Privacy

Part 4: Justifying Data Uses – From Consent to Legitimate Interests

Under the Data Protection Directive, each instance of data processing requires a legal justification – a “ground for processing”. This fundamental feature of EU data protection law remains unchanged under the draft Regulation. However, the bar for showing the existence of certain grounds for processing will be set higher, particularly in relation to consent. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”

Posted in International/EU Privacy, News & Events

20 Years of Data Protection in Spain

Yesterday in Spain, the Government Department for Telecommunications and Information Society hosted an event to commemorate the 20th anniversary of the introduction of the first Spanish data protection law and also to recognize EU Data Protection Day.  Information about the event, titled: “20 years of data protection in Spain” is available (in Spanish) here.  The first Spanish data […]

Posted in Employment Privacy, International/EU Privacy

The Spanish Constitutional Court Backs the Possibility of Accessing Private On-Line Conversations of Employees

The Spanish Constitutional Court has ruled against two company employees who claimed an infringement of their privacy right and their right to secrecy of communications, in a recent judgement from 17 December 2012, published in the States’ Official Gazette on 22 January 2013. The Constitutional Courts’ Decision 241/2012 (the “Decision“), is available (in Spanish) here: […]

Posted in International/EU Privacy

Spain changes the paradigm of international transfers of personal data allowing Spanish data processors to be “exporters” under the Standard Contractual Clauses for the Transfer of Data

The Spanish Data Protection Authority (SDPA) has established new procedures that allow data processors (not data controllers) based in Spain to obtain authorizations for transferring data processed on behalf of their customers (the data controllers) to sub-processors based in Third Countries that are not deemed to have an adequate level of protection for personal data. In addition, data processors can enter into Standard Contractual Clauses with their sub-processors. Previously in Spain, data controllers had to enter into Standard Contractual Clauses with each of their data processors’ sub-processors in Third Countries and data controllers had to obtain authorizations from the SDPA for such transfers.

Posted in Consumer Privacy, International/EU Privacy

Social Network Impersonator Fined by Spanish Data Protection Authority In New Exercise of Regulatory Authority

On October 20th, the Spanish Data Protection Authority, the Agencia Espanola de Protecccion de Datos (AEPD), announced an unprecedented decision against an individual who impersonated someone on a social networking site and thus engaged in identity theft. The AEPD fined the individual who had created a profile in a sexually-oriented social network, and chose not to proceed against the online host of the offending content.