The data controller is the person who decides on the purpose and means of data processing, regardless of whether or not this person carries out the actual processing of the information.
They may be responsible for processing data belonging to a natural person, a legal person or an organisation.
In the case of the public authorities, the administrative body with powers over the matter in relation to which, or for the exercise of which, the processing of personal data is required, will be responsible for processing the data, provided it has the capacity to make decisions on the purpose and means of this processing.
The interested parties must be able to easily identify who makes decisions about the purpose and means of processing their data. For this reason, although it would be possible to designate a legal person as responsible for data processing, in the case of processing carried out by public authorities it is more appropriate to assign this responsibility to the administrative body of the corresponding public authority (ministry, general management, mayor's office, city council, etc.).
For more information on this matter, please see Opinion CNS 24/2018.
The GDPR increases the number of matters about which information should be made available to data subjects and modifies aspects of how such information should be provided.
Notwithstanding the above, there is no legal obligation to inform data subjects again, in line with the requirements established in the GDPR, about data collected prior to 25 May 2018. According to the Regulation, the obligation to provide information applies solely to data collected after that date. Nonetheless, if circumstances allow, a recommended good practice is to take advantage of communications with the people concerned to inform them of the new aspects established by the GDPR.
The records could be organised around specific processing operations linked to a basic purpose common to all of them (for example, “customer management”, “accounts management” or “human resources management and payroll”), or in accordance with other criteria.
Another possible way of organising these records of processing activities is based on the files that controllers had notified to the Catalan Data Protection Register, which could be used to detail all the processing operations being carried out on every structured set of personal data. You can download the files you have declared to the Register through this link.
The Catalan Data Protection Authority has designed a simple application to manage recording of processing activities which controllers and processors may use if they so wish. You can download the app through this link.
According to Article 30, section 5, of the GDPR, the obligation to maintain a record of processing activities shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9, section 1, or personal data relating to criminal convictions and offences referred to in Article 10.
The position of the Article 29 Working Party on this issue is that the provision should be interpreted in the sense that it will not be applied to an enterprise or organisation employing fewer than 250 persons unless:
a) the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects;
b) the processing is not occasional;
c) the processing includes special categories of data as referred to in Article 9, section 1, or personal data relating to criminal convictions and offences referred to in Article 10.
Controllers or processors that process data which falls into any of these categories are obliged to maintain the record of processing activities.
According to the fifth transitional provision of the LOPDGDD, data processing contracts and agreements established prior to 25 May 2018 shall remain valid until their stipulated date of expiry.
Indefinite commissions shall remain valid until 25 May 2022.
However, during such validity either of the parties may request the other to modify the contract or agreement to adapt it to that established in Article 28 of the GDPR.
Where a type of processing operation, in particular using new technologies and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller must, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
Article 35.3 of the GDPR establishes that a Data Protection Impact Assessment (DPIA) is required, in particular, in the case of:
“a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
b) processing on a large scale of special categories of data referred to in Article 9.3, or of personal data relating to criminal convictions and offences referred to in Article 10; or
c) a systematic monitoring of a publicly accessible area on a large scale.”
To determine what is meant by “large scale”, reference can be made to the Article 29 Data Protection Working Party opinion in their guidelines on Data Protection Officers (DPOs), which considers that assessment of whether the processing is conducted on a large scale should consider the following factors:
- the number of data subjects concerned - either as a specific number or as a proportion of the relevant population
- the volume of data and/or the range of different data items being processed
- the duration, or permanence, of the data processing activity
- the geographical extent of the processing activity.
Article 35.4 of the GDPR provides that supervisory authorities must establish and make public a list of the kind of processing operations that are subject to the requirement for a Data Protection Impact Assessment. This Authority considers that a DPIA must be carried out in the processing operations included in the following list (Catalan version available).
This list contains guidelines relating to the DPIA and determination of whether the processing is likely to result in a high risk as established in Regulation (EU) 2016/679, adopted by the Article 29 Data Protection Working Party on 4 April 2017 (hereinafter, WP 248) and endorsed by the European Data Protection Board at its Meeting of 25 May 2018.
The list is not exhaustive and will be updated regularly. The absence of a particular processing operation from the list does not signify that no DPIA is required. Confirmation should always be made that the processing is not likely to result in a high risk to the rights and freedoms of natural persons, especially if new technologies are being used.
These criteria apply not only to controllers that wish to carry out processing operations included in the list, but also to bodies and institutions that intend to draw up a draft legislative provision which involves one or more of those operations. In such a case, if the draft legislation has been subjected to a Data Protection Impact Assessment, the controller will not be required to conduct another following enactment.
Once the DPIA has been performed and prior to initiating the processing, the controller should submit a consultation addressed to this Authority, unless the existence of the high risk to the rights and freedoms of natural persons has been mitigated by implementation of the appropriate technical and organisational measures.
For further information, see the Guidelines of the Article 29 Working Party on the Data Protection Impact Assessment (DPIA) and determining whether processing is likely to result in a high risk for the purposes of Regulation (EU) 2016/679 (WP 248), endorsed by the European Data Protection Board (EDPB) at its Meeting of 25 May 2018, and the APDCAT Guide to the Data Protection Impact Assessment in the GDPR.
You will find a Data Protection Impact Assessment (DPIA) template through this link.
In its WP 248 guidelines, the Article 29 Working Party considers that a DPIA is not required if the processing operations were assessed by a supervisory authority prior to 25 May 2018 and the way in which they are carried out has not changed since that assessment. However, a DPIA should be conducted when the processing operations have changed since the previous assessment and are likely to present a high risk to the rights and freedoms of data subjects.
All public authorities and their related or dependent public bodies, where they are responsible for processing personal data, must choose a data protection delegate (DPD). This may be an employee at the public authority (internal DPD) or an organisation or company that is external to the public authority (external DPD).
We must be notified of the choice of DPD via the following form.
The GDPR does not establish specific qualifications for the Data Protection Officer (DPO). It only requires the DPO to have expert knowledge of national and European data protection law and practices, and a deep understanding of the GDPR. This will enable him or her to identify the risks associated with processing operations taking into account their nature, scope, context and purpose. Consequently, the DPO’s professional qualities should be determined according to the processing operations performed by the organisation and the level of protection required by the data being processed.
However, the DPO should have knowledge of the sector of activity in which the processing takes place, and of the organisation and its processing operations and information systems.
The data controller may hire the services of a data protection delegate from a professional, organisation or company outside their organisational structure, as long as the professional competencies referred to in the GDPR are justified and there are no conflicts of interest.
The appointment of an external data protection delegate requires a contract detailing the data processing requirements, so that they may access any personal information for which the administration is responsible, where necessary in order to carry out the role of data protection delegate.
Once the data protection delegate has been chosen, their contact information must be published so that the interested parties may contact them easily and directly, and we must also be notified of the choice through the following form.
For more information on this matter, please see Opinion CNS 31/2018.
In exercising their powers of assistance and technical cooperation with municipalities, town councils can provide data protection delegate services to local bodies. A city council may designate an organisation or person working for the council office as a data protection delegate, provided there is no conflict of interest.
For more information on this matter, please see Opinion CNS 23/2018.
The Data Protection Officer (DPO) may be a member of staff of the controller or processor or may fulfil the tasks on the basis of a service contract. The DPO can undertake tasks and functions other than those that strictly correspond to the data protection officer.
However, to ensure the DPO exercises his or her duties with complete independence, the controller or processor must prevent the DPO from taking on other tasks and functions that may give rise to a conflict of interest. Consequently, it is not possible to appoint as data protection officer a person who, at the same time, has duties that involve participation in the process of taking decisions regarding processing operations or in the implementation of such decisions in such key aspects as security measures, which would be the case of the chief information security officer.
In contrast to the RLOPD, the GDPR does not establish a list of measures to be applied based on basic, medium or high levels of security. It leaves determination of the security measures to be adopted in each case to the criteria of the controller and the data processor, following assessment of the risks.
In any case, the controller and the processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The measures provided for in the RLOPD and already adopted may prove useful, but an analysis should be conducted in each case to verify whether they are sufficient or require modification.
Public sector bodies should take into consideration the First Additional Provision of the LOPDGDD, which establishes that the bodies listed in Article 77, section 1, therein must comply with the corresponding security measures stipulated in the National Security Framework (ENS). In accordance with the first paragraph of the First Additional Provision, the ENS must consider the risk entailed in processing personal data, adapting its risk determination criteria to that established in the GDPR.
If a personal data breach occurs the controller must notify the competent supervisory authority within 72 hours of having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
In general, the controller is deemed to be aware of a data breach when that controller is certain it has occurred and knows enough about its nature and scope. The mere suspicion that something has failed or realisation that some kind of incident has taken place, without knowing the exact circumstances, should not give rise to notification since, in most cases, it is impossible in these conditions to ascertain to what extent there may be risk to the rights and freedoms of the data subjects.
Notwithstanding the above, in cases which may have a significant impact due to their characteristics, it may be advisable to contact the APDCAT as soon as evidence appears that an anomalous situation has occurred with respect to data security. These first contacts should, however, be followed by a formal, more comprehensive notification within the period established in the Regulation.
Situations may exist in which notification of some of the required aspects within the first 72 hours is not possible because, for example, of the complexity in fully determining the scope of the breach. In such cases notification may be made at a later time, accompanied by an explanation of the reasons for the delay.
Notification of a personal data breach should be made using the following notification form.
The notification should contain the information established by the GDPR, which includes such elements as the nature of the personal data breach, the categories of data and data subjects concerned, the measures adopted by the controller to resolve the breach and, where applicable, the measures applied to mitigate the possible effects on the data subjects. When full information cannot be given at the time of the notification it may be provided in various stages.
Irrespective of the notification to the supervisory authorities, controllers must document all personal data breaches. This is an obligation established by the GDPR and is very similar to the incident register provided for by the Regulation implementing the LOPD.
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller should communicate the breach in clear and plain language to the data subjects without undue delay, except when:
- the controller has implemented adequate protection measures, such as rendering the personal data unintelligible to any person who is not authorised to access it
- the controller has taken subsequent measures which ensure that the high risk is no longer likely to materialise
- it would involve disproportionate effort
A high risk exists when the data breach is likely to cause serious damage to the natural persons concerned. This could occur, for example, if confidential information is disclosed such as passwords or participation in certain activities, if sensitive data are disclosed on a large scale or if financial damage may be caused to the data subjects.
The aim of such notification is to enable data subjects to take measures to protect themselves from the consequences of the personal data breach. Thus the GDPR stipulates that they should be notified without undue delay.
The intention is always that the data subject should be able to react as soon as possible. For the same reasons, the GDPR adds that the content of the notification should include recommendations on the measures that data subjects can take to mitigate the consequences of the personal data breach.