DOES YOUR ORGANISATION NOT HAVE DATA ABOUT WORKERS, AGENTS, SUPPLIERS, CLIENTS OR OTHER DATA CONCERNING PRIVATE INDIVIDUALS? TAKE A GOOD LOOK AT THE LEGAL OBLIGATIONS ON DATA PROTECTION

You have to consider the Directives 95/46 and 97/66 and the 108 European Convention on Data Protection, the national laws, other regulations in the sector and the Instructions issued by each National Data Protection Agency. In Spain, the two basic provisions are the 15/1999 Enabling Act, of December 13, on the Protection of Data of a Personal Nature (DPEA), which replaced the former LORTAD, and the Royal Decree 1720/2007, of December 21, which passed into law the regulations concerning Security Measures for files that contain data of a personal nature. Compliance with both is compulsory for all companies and professionals that process data of a personal nature in the course of their work. Practically 100% of companies and professionals handle personal data in the course of their work (Clients, Workers, Suppliers, Partners…).

The Laws state that the File Supervisor, the individual with ultimate responsibility (the Entity, Company or Organism), or the Processing Supervisor, as appropriate, will have to take the technical and organisational measures necessary to guarantee the security of the data of a personal nature and prevent them from being altered, lost, processed or accessed in an unauthorised manner. Account must be taken of the state of the technology, the nature of the data stored and the risks that they are exposed to, whether these arise from human activity or from the physical or natural setting. But do you have time to go over all the legislation, review the information system and interpret where you could be breaking the law? Or, if you decide to carry out the work yourself, who can guarantee that you have done it well?

There is also a set of obligations relating to the compilation of data, consent, storage, preservation, use, specially-protected data, the communication or transferring of data, access, correction, the creation of files, registration with the Spanish Data Protection Agency, tests with real data, Telecommunications, Auditing, etc.

LEGAL OBLIGATIONS
The legal obligations can be summarised in four fundamental aspects:

  • Recording of the data files at the Spanish Data Protection Agency.

  • Adoption of the related security measures, based on the Standard of security that is required.

  • Drawing up of the legal documentation that contains all the measures adopted, along with the drafting of all the appendices.

  • Drafting of the contracts and application of the clauses necessary for the compilation of data, the processing of third party data and the transfers or communications of data.

    PENALISING PROCEDURE
    At best, your Organisation had until the year 2002 to adapt to the regulations. Compliance with legal obligations is essential in order to avoid the heavy penalties that could result from an inspection, which may come about either as the result of a complaint or ex officio.
    The DPEA classifies the possible infringements as minor, serious and very serious. In Sections 44 and 45, you can find all the information relating to the penalties. Doubtless the most significant fact is that these range from € 601 to € 601,101 (100 million pesetas).

    The most common or possible cases need to be highlighted:

    • Not registering a file with the Data Protection Agency is penalised with a minimum fine of € 601, which, depending on the circumstances, could reach € 60,101.
    • Not having set up the security measures that the Regulations instruct is penalised with a minimum fine of € 60,101, which may reach € 300,506.
    • Not making the entry of a file is a minor infringement. The fine will be between € 601 and € 60,101. If this obligation is systematically ignored, it may be categorised as very serious, and the penalty will be set at between € 300,506 and € 601,012.
    • Processing the data with violation of the legal guarantees constitutes a serious infringement, with a penalty of between € 60,101 and € 300,506.
    • Maintaining the files, premises, programmes or equipment that contain the files without the proper security measures constitutes a serious infringement and so this carries a penalty of between € 60,101 and € 300,506.
    • Hindering the exercising of the right to access or not furnishing the information requested constitutes a serious infringement with a penalty of between € 60,101 and € 300,506; doing this systematically constitutes a very serious infringement and carries a penalty of between € 300,506 and € 601,012.

    The European Data Protection Agencies, including the Spanish Agency (AEPD), make use of a team of inspectors who hold the rank of public authorities in the performance of their tasks. So, do not overlook the fact that not adapting your company means being outside the law, and hence you could be inspected and penalised.

    SERVICES

    When you are faced with a change in the law you may throw up your hands, not only because of the cost that this may involve but also because of the time that you are going to need to provide the right solution in the adaptation process. You will also seek to ensure that the changes affect the way you work as little as possible or, at least, that they lead to added value for your clients.

    We are well aware of this, so we are going to remind you of the true value of the work that we carry out:

    • Involvement of the Staff in the Company Security Policies

    • Involvement of the Partners and Suppliers in the Security Policy

    • Commitment of loyalty to the Information from Clients, Workers and Creditors

    • Information System Productivity Improvement

    • Improvement of the Image of the Organisation

    PLAN FOR ADAPTING COMPUTING SYSTEMS AND PROCEDURES TO THE DATA PROTECTION LEGISLATION

    There are two types of Measures in a Plan for Adapting Computing Systems and Procedures to the Data Protection legislation. Information processes link the whole of the business structure. For this reason, it is fundamental that those staff members who are needed to identify these processes take part in the preliminary analysis of the information.

    One-off Action

    • Analysis of Information Systems existing in the Company

    • Identification of the files existing in the Company

    • Registering of Files at the Data Protection Agency

    • Drafting of clauses, contracts and any other necessary documentation

    • Drafting of the Security Document (Security Policy)

    • Training and Awareness-raising of Staff

    • Legal and technical advice up to one month after the Implementation


    Regular Action
    • Ongoing legal and technical consultancy

    • Development of the job description for the Security Supervisor

    • Regular verification controls and biannual updates

    • Confialis Certification Seal

    • Regular distribution of an information bulletin with legal updates and news

    • Legal assistance in case of a complaint or inspection, until the administrative procedures are exhausted

    ® 2004 All Rights Reserved Aragón Nº197 - 36206 - VIGO - Spain  -  Tlp. 902 995 802 | +34 986 114 561 (foreign)  info@confialis.com  C.R.N.: 1/2004/9.615,0