Innovation and Technology

Guidelines, reports and technical surveys

In this section you can find documents developed by the AEPD (guidelines, reports, surveys, ...) designed to disseminate knowledge among controllers, processors and those interested parties in data protection.

General surveys

• Introduction to the Hash Function as a Personal Data Pseudonymisation Technique [nov 2019]
• A Guide to Privacy by Design [oct 2019]
• K-anonymity as a privacy measure [jun 2019]
• Guide on personal data breach management and notification [jun 2018]

Specific surveys

• Guidelines for Implementation of the Eighth Additional Provision and Twelfth Final Provision of the LOPDGDD [feb 2020]
• RGPD compliance of processings that embed Artificial Intelligence. An introduction [feb 2020]
• Guide on drones and data protection [may 2019]

Risk management

• List of the types of data processing that require a DPIA (art 35.4)
• Indicative list of the types of data processing that do not require DPIA (art 35.5) [aug 2019]

Internet and mobile systems

• DNS Privacy [nov 2019]
• A Guide on the use of cookies [nov 2019]
• The duty to inform and other accountability measures for mobile devices [may 2019]
• Access to applications on the screen for Android devices [may 2019]
• User controls for ad personalisation on Android [may 2019]
• Survey about preinstalled apps in Android and privacy risks [mar 2019]
• Analysis of information flows in Android. Tools for compliance with accountability [mar 2019]
• Survey on Device Fingerprinting [feb 2019]

Tools for controllers

The AEPD has developed tools and help material to assist with compliance with general data protection regulation for small businesses, entrepreneurs and developers, and other types of controllers.

• Template For Data Protection Impact Assessment Report (DPIA) For Public Administrations
• Template For Data Protection Impact Assessment Report (DPIA) For Private Sector
• Tool to help compliance with RGPD for entities that carry out low risk processing activities
• Tool to carry out risk analysis and privacy impact assessment

In any case, controllers and processors should not forget to verify that they comply with all the requirements and obligations that guarantee compliance with GDPR and national rules on data protection.

Technical posts in the AEPD blog

The Agency has a blog in which different articles of interest on personal data protection are published periodically. Bellow is an extract of the most interesting technical posts published so far.

General posts

• Consent receipt: A tool for transparency and proactive accountability [feb 2020]
• Encryption and Privacy II: Lifespan of personal data [jan 2020]
• Do you know Gestiona? [jan 2020]
• Encryption and Privacy: Encryption in the GDPR [nov 2019]
• Privacy Engineering [sep 2019]

Data breach posts

• Notification of personal data security breaches during the state of alarm [april 2020]
• Data breach: communication to the to the data subject [feb 2020]
• Data breaches: protect yourself against the loss or theft of a portable device [oct 2019]
• Personal data breaches: what they are and how to respond [jun 2019]
• Personal data breaches: protect yourself against ransomware [may 2019]

Collaborations and Tecnological Awards

In the framework of the promotion of research on the fundamental right to data protection, the AEPD announces awards, in different categories, to encourage innovation in terms of privacy.

In the call of 2019, the following technological awards have been convened in the field of research and entrepreneurship in the protection of personal data: 

Emilio Aced Personal Data Protection Research Award

This award recognises data protection works and projects carried out in the context of scientific and technical research, with a strictly practical approach, in which the application of data protection principles in the field of scientific and technical development is studied, analysed or developed in order to guarantee the rights and freedoms of individuals.

Awarded work 2019:

Award: Julien Armand Pierre Gamba, Mohammed Ahmed Fahim Rashed, Abbas Razaghpanah, Juan Manuel Estévez Tapiador y Narseo Vallina-Rodríguez. Stony Brook University (Universidad Carlos III de Madrid y IMDEA Networks Institute).

• Un análisis de software de Android preinstalado’, un estudio sobre los riesgos que el software preinstalado en dispositivos Android tiene para la privacidad.

Secondary award (Accésit): Mikel Recuero Linares. Subdirección General de Evaluación y el Fondo Europeo de Desarrollo Regional (FEDER “Una manera de hacer Europa”).

• La investigación científica con datos personales genéticos y datos relativos a la salud: perspectiva europea ante el desafío globalizado’

Ángela Ruiz Entrepreneurship in Protection of Personal Data Award

This award recognizes the development of an original, creative, innovative business activity, product or service with a social impact in relation to data protection and the guarantee of the rights and freedoms of individuals.

Awarded work 2019:

Award: Molinapps S.L.U. Armando Molina Betancor.

• Datos de salud en dispositivos móviles y seguridad jurídica. La solución DocToDoctor©

Links to documents of interest

This section includes a collection of links to documents and surveys of interest published by other entities and organizations, national and international.

• European Data Protection Board

  • EDPB: Guidelines 4/2019 on Article 25 Data Protection by Design and by Default [nov 2019]
  • EDPB: Guidelines 3/2019 on processing of personal data through video devices [jul 2019]

 

• ART.29 WP: Statement of the WP29 on encryption and their impact on the protection of individuals with regard to the processing of their personal data in the EU [april 2019]
• ART.29 WP: Guidelines on Personal data breach notification under Regulation 2016/679 [feb 2018]
• ART.29 WP: Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 [oct 2017]
• ART.29 WP: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 [april 2017]
• ART.29 WP: Guidelines on the right to data portability [april 2017]
• ART.29 WP: Guidelines on Data Protection Officers (DPO) and "large-scale" notion. [dec 2016]
• ART.29 WP: Opinion 01/2015 on Privacy and Data Protection Issues relating to the Utilisation of Drones [jun 2015]
• ART.29 WP: Opinion 05/2014 on Anonymisation Techniques [april 2014]
• ART.29 WP: Opinion 02/2013 on apps on smart devices [feb 2013]
• ART.29 WP: Opinion 3/2012 on developments in biometric technologies [april 2012]

 

• European Data Protection Supervisor
  • EDPS: Connected Cars [dec 2019]
  • EDPS: Smart Meters in Smart Homes [oct 2019]
  • EDPS: Smart Speakers and Virtual Assistants [jul 2019]
  • EDPS: Meeting the challenges of big data [nov 2015]

 

• European Commission – IA HLEG: A definition of AI: Main capabilities and disciplines [april 2019]
• European Commission – IA HLEG: Ethics guidelines for trustworthy AI [april 2019]

 

• Council of Europe: Guidelines on Artificial Intelligence and Data Protection [jan 2019]
• Council of Europe: Artificial Intelligence and Data Protection: Challenges and Possible Remedies [jan 2019]

 

• ENISA: Recommendations on shaping technology according to GDPR provisions - Exploring the notion of data protection by default [dec 2018]
• ENISA: Recommendations on shaping technology according to GDPR provisions - An overview on data pseudonymisation [nov 2018]
• ENISA: Handbook on Security of Personal Data Processing [dec 2017]
• ENISA: Guidelines for SMEs on the security of personal data processing [dic 2016]

 

• Harvard University: Privacy Tools Project