One of the objectives of the AEPD (Spanish Data Protection Authority) is to promote and disseminate knowledge about the privacy risks that arise with the development of new services and applications and with technological evolution, and about how to manage them with solutions that are sustainable from the point of view of the rights and freedoms of citizens, as well as to present useful tools that facilitate regulatory adaptation for SMEs and entrepreneurs.
Guidelines, reports and technical surveys
In this section you can find documents developed by the AEPD (guidelines, reports, surveys, ...) designed to disseminate knowledge among controllers, processors and other parties interested in data protection.
- Introduction to the Hash Function as a Personal Data Pseudonymisation Technique [nov 2019]
- A Guide to Privacy by Design [oct 2019]
- K-anonymity as a privacy measure [jun 2019]
- Guide on personal data breach management and notification [jun 2018]
- Guidelines for Implementation of the Eighth Additional Provision and Twelfth Final Provision of the LOPDGDD [feb 2020]
- RGPD compliance of processings that embed Artificial Intelligence. An introduction [feb 2020]
- Guide on drones and data protection [may 2019]
- List of the types of data processing that require a DPIA (art 35.4)
- Indicative list of the types of data processing that do not require DPIA (art 35.5) [aug 2019]
Internet and mobile systems
- DNS Privacy [nov 2019]
- The duty to inform and other accountability measures for mobile devices [may 2019]
- Access to applications on the screen for Android devices [may 2019]
- User controls for ad personalisation on Android [may 2019]
- Survey about preinstalled apps in Android and privacy risks [mar 2019]
- Analysis of information flows in Android. Tools for compliance with accountability [mar 2019]
- Survey on Device Fingerprinting [feb 2019]
Tools for controllers
The AEPD has developed tools and help material to assist with compliance with general data protection regulation for small businesses, entrepreneurs and developers, and other types of controllers.
Template For Data Protection Impact Assessment Report (DPIA) For Public Administrations
Template For Data Protection Impact Assessment Report (DPIA) For Private Sector
- Tool to help compliance with RGPD for entities that carry out low risk processing activities
- Tool to carry out risk analysis and privacy impact assessment
In any case, controllers and processors should not forget to verify that they comply with all the requirements and obligations that guarantee compliance with GDPR and national rules on data protection.
Technical posts in the AEPD blog
The Agency has a blog in which articles of interest on personal data protection are published periodically. Below is a selection of the most interesting technical posts published so far.
- Consent receipt: A tool for transparency and proactive accountability [feb 2020]
- Encryption and Privacy II: Lifespan of personal data [jan 2020]
- Do you know Gestiona? [jan 2020]
- Encryption and Privacy: Encryption in the GDPR [nov 2019]
- Privacy Engineering [sep 2019]
Data breach posts
- Notification of personal data security breaches during the state of alarm [april 2020]
- Data breach: communication to the data subject [feb 2020]
- Data breaches: protect yourself against the loss or theft of a portable device [oct 2019]
- Personal data breaches: what they are and how to respond [jun 2019]
- Personal data breaches: protect yourself against ransomware [may 2019]
Collaborations and Technological Awards
In the 2019 call, the following technological awards were convened in the field of research and entrepreneurship in the protection of personal data:
Emilio Aced Personal Data Protection Research Award
This award recognises data protection works and projects carried out in the context of scientific and technical research, with a strictly practical approach, in which the application of data protection principles in the field of scientific and technical development is studied, analysed or developed in order to guarantee the rights and freedoms of individuals.
Awarded work 2019:
Award: Julien Armand Pierre Gamba, Mohammed Ahmed Fahim Rashed, Abbas Razaghpanah, Juan Manuel Estévez Tapiador and Narseo Vallina-Rodríguez. Stony Brook University (Universidad Carlos III de Madrid and IMDEA Networks Institute).
- ‘An analysis of pre-installed Android software’, a study of the privacy risks posed by software pre-installed on Android devices.
Secondary award (Accésit): Mikel Recuero Linares. Subdirección General de Evaluación and the Fondo Europeo de Desarrollo Regional (FEDER “Una manera de hacer Europa”).
- ‘Scientific research with personal genetic data and health-related data: a European perspective on the globalised challenge’
Ángela Ruiz Entrepreneurship in Protection of Personal Data Award
This award recognizes the development of an original, creative, innovative business activity, product or service with a social impact in relation to data protection and the guarantee of the rights and freedoms of individuals.
Awarded work 2019:
Award: Molinapps S.L.U. Armando Molina Betancor.
Links to documents of interest
This section includes a collection of links to documents and surveys of interest published by other entities and organizations, national and international.
European Data Protection Board
- ART.29 WP: Statement of the WP29 on encryption and their impact on the protection of individuals with regard to the processing of their personal data in the EU [april 2019]
- ART.29 WP: Guidelines on Personal data breach notification under Regulation 2016/679 [feb 2018]
- ART.29 WP: Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 [oct 2017]
- ART.29 WP: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 [april 2017]
- ART.29 WP: Guidelines on the right to data portability [april 2017]
- ART.29 WP: Guidelines on Data Protection Officers (DPO) and "large-scale" notion. [dec 2016]
- ART.29 WP: Opinion 01/2015 on Privacy and Data Protection Issues relating to the Utilisation of Drones [jun 2015]
- ART.29 WP: Opinion 05/2014 on Anonymisation Techniques [april 2014]
- ART.29 WP: Opinion 02/2013 on apps on smart devices [feb 2013]
- ART.29 WP: Opinion 3/2012 on developments in biometric technologies [april 2012]
- European Data Protection Supervisor
- European Commission – IA HLEG: A definition of AI: Main capabilities and disciplines [april 2019]
- European Commission – IA HLEG: Ethics guidelines for trustworthy AI [april 2019]
- Council of Europe: Guidelines on Artificial Intelligence and Data Protection [jan 2019]
- Council of Europe: Artificial Intelligence and Data Protection: Challenges and Possible Remedies [jan 2019]
- ENISA: Recommendations on shaping technology according to GDPR provisions - Exploring the notion of data protection by default [dec 2018]
- ENISA: Recommendations on shaping technology according to GDPR provisions - An overview on data pseudonymisation [nov 2018]
- ENISA: Handbook on Security of Personal Data Processing [dec 2017]
- ENISA: Guidelines for SMEs on the security of personal data processing [dec 2016]