Many entrepreneurs are emerging, hence companies and self-employed should be aware that the personal data they collect, and the process does not belong to them and therefore have a responsibility to protect it appropriately.
Digitalization has put the processing of personal data at the center of the economy and the scale of collection and sharing of personal data has increased abysmally so far.
Companies and self-employed in one way or another collect personal data and are obliged to comply with the Data Protection regulation if in the course of their activity they collect personal information. This data can be from suppliers, customers, employees, web pages or even from curriculum vitae!
Table of contents:
- Regulation
- What is Data Protection?
- What type of Self-Employed foresees the Data Protection regulation?
- How to comply with the LOPD?
- What sanctions are imposed in case of not properly complying with the law?
Regulation of Data Protection in Spain
With the Organic Law 3/2018 of December 5, 2018, on the Protection of Personal Data and Guarantees of Digital Rights (LOPDGDD), the Spanish legal system was adapted to the European General Data Protection Regulation (GDPR).
Additionally, the right to data protection is constitutionally recognized in Article 18.4 of the Spanish Constitution (1978), is configured as a Fundamental Right.
Looking for implementing Data Privacy for your company? Use our service to be GDPR compliant.
What is Data Protection?
When we talk about the Data Protection regulation, we are referring to the legislation that regulates the obligation of any company or self-employed person involved in any phase of the processing of personal data, to ensure the security of such data.
What type of Self-Employed foresees the Data Protection regulation?
Spanish Data Protection regulation distinguishes between three types of Self-employed, namely:
- Self-employed partners of a company.
- Self-employed with employees.
- Self-employed without employees.
How to comply with the LOPD?
As we have been seeing, the self-employed person is responsible for complying with the data protection regulation. Normally he does not delegate the activity, so he is ultimately responsible for the personal data, deciding on its use, it’s processing, and its purpose. In this sense, the sanctions for not complying with the Law will fall on his person.
1. The identification of the files with personal data
As a professional who develops an activity, it is likely that you store the personal data of employees, customers, suppliers, or users of your website. In this case, the first step to follow is to identify the files in which the personal data of customers or users are collected.
2. Security levels of data files
The more sensitive information is collected, the more security measures must be implemented. There are 3 levels of data protection:
- Basic security level: For all files or personal data processing (contact data information, names, addresses, telephone numbers, NIF/CIF, e-mail, etc.)
- Medium security level: For data relating to administrative or criminal offenses, Social Security and Tax administration data.
- High security level: For data concerning ideology, trade union affiliation, religion, beliefs, rational origin, health, or sex life.
3. Creation of a Security Document
It will detail how the personal data collected will be treated. Such as the files included, the employees accessing the personal data, the inventory of the systems processing the data, the respective security systems installed and an incident log.
4. Duty of information
Companies and self-employed must inform the people whose data is being stored of: Why they use their data; specify who is ultimately responsible for safeguarding their data; the purpose of their data; inform them of their rights and how they can exercise them.
5. Obligation of proof of consent
The owner of the data that is being handled must give his or her express consent and the collectors of such data also have the obligation to prove that consent. Tacit consent is not allowed in any case.
6. Conducting audits
Provided that the data that is managed is of medium or high protection level, it is mandatory to carry out an audit every two years.
What sanctions are imposed in case of not properly complying with the law?
The management of personal data protection has become an important necessity, as the misapplication or non-observance of the legislation in this respect can lead to significant sanctions by the Spanish Data Protection Agency.
Penalties for non-compliance with the data protection law can reach up to 20 million euros or 4% of the annual turnover. Infringements are divided into minor, fine up to 40.000€, serious, fine from 40.000€ to 300.000€, and very serious, fine between 300.001€ to 20.000.000€.
Examples of sanctions imposed by the Spanish Data Protection Agency:
- A business was fined 3.000€ for not having a cookies policy.
- A business was fined 3.000€ for throwing away documents containing personal data without destroying them.
- A Consultancy firm was fined 4.000€ for unauthorised transfer of data.
- A company was fined 4.000€ for not having a Privacy Policy on its website compliant with GDPR.
- Penalties of 50.000 and 80.000€ to an electricity company for unlawful processing of personal data.
Remember, it is important to put yourself in the hands of professionals who are able to offer you all the necessary advice to adapt to Data Protection regulations.