25 May DO I HAVE TO DO MORE THAN CHANGE WEB TEXTS, NEWSLETTERS AND FOOTNOTES IN EMAILS ACCORDING TO THE GDPR?
Yes, certainly. The revolution around personal data and its protection in each of the EU countries brings with it a total change of mentality and culture. Merely having some renewed texts, and filing away in a folder some papers that the company we commissioned has prepared for us, shows a failure to understand the scope of the situation.
For example, in the field of security alone, one of the existing obligations of the person responsible is to draw up a security document, which sets out the technical and organisational measures, in accordance with the current security regulations, that are mandatory for all those with access to personal data; its specifics are found in article 88 of the RLOPD. This document will have to be constantly renewed and adapted whenever there is any change in circumstances, computer equipment, software, security measures, contracts with third parties relating to data protection, etc. That is, a continuous review will be required of us, and our professional or business conduct regarding data protection must be shown to be proactive, demonstrating that the company or the professional has the initiative and ability to anticipate future needs or problems in this field.
Security measures
The principle of data security laid down in article 9 of Organic Law 15/1999 requires the person responsible for the file to adopt the technical and organisational measures necessary to ensure the security of personal data and prevent its loss, alteration, treatment or unauthorised access. These measures have been developed in Title VIII of the Regulation implementing the LOPD, approved by Royal Decree 1720/2007 of 21 December.
“Article 9. Data security.
- 1. The person responsible for the file and, where appropriate, the processor shall take the necessary technical and organisational measures to ensure the security of personal data and prevent its loss, alteration, treatment or unauthorised access, given the state of technology, the nature of the data stored and the risks to which they are exposed, whether from human action or from the physical or natural environment.
- 2. Personal data shall not be recorded in files that do not fulfil the conditions to be determined by regulation regarding their integrity and security and those of the treatment centres, premises, equipment, systems and programmes.
- 3. Regulations shall set out the requirements and conditions to be met by the files and the persons involved in the treatment of the data referred to in article 7 of this Law.”
The Regulation implementing the LOPD (RLOPD) has regulated the matter so that it provides for the multiple forms of material and personnel organisation of security that occur in practice. Thus, it regulates a set of measures intended for automated and non-automated files and treatments, structured to give the person responsible a clear framework for action.
Article 79 of the RLOPD provides that those responsible for the treatments or files, and processors, shall implement the security measures in accordance with Title VIII of the Regulation, regardless of their system of treatment.
Article 80 of the RLOPD notes that the security measures required for files and treatments fall into three levels: core, medium and high. Article 81 then specifies which security levels to implement according to the type of personal data to be dealt with.
Finally, among the obligations of the person responsible is to draw up a security document, which sets out the technical and organisational measures, in line with the existing security standards, that are compulsory for all those with access to personal data; its specifics are found in article 88 of the RLOPD.
To make it easier for those responsible for files to adopt the provisions of the RLOPD on security measures, the Spanish Data Protection Agency has developed a Data Security Guide, which includes a summary table of security measures, checks for conducting the security audit, and a model security document, which can serve as a guide in implementing the provisions of the Regulation.
In addition, those responsible for the processing of data (i.e. professionals and companies) have obligations whose breach would expose them to serious penalties. For example, there is the duty to obtain the consent of those affected (the people whose data we handle) where the data are acquired without other coverage or legal basis; the duty to notify them of their rights of access, rectification and opposition; and the duty to communicate security breaches, as they occur, to the data protection supervisory authority and to those affected.