The AEPD (Spanish Data Protection Authority) has among its objectives promoting and disseminating knowledge about the privacy risks that arise with the development of new services and applications and with technological evolution, and how to manage them with solutions that are sustainable from the point of view of the rights and freedoms of citizens, as well as presenting useful tools to help SMEs and entrepreneurs adapt to the regulations.
Breaking news regarding accountability
- Privacy in Online Meetings
- Audit Requirements for Personal Data Processing Activities involving AI
- Guide on use of cookies
- IoT (II): from the internet of things to the internet of bodies
- Identification in online payment services
Basic tools for accountability compliance
The AEPD has developed tools and help material to assist small businesses, entrepreneurs and developers, and other types of controllers with compliance with the General Data Protection Regulation. This section lists those tools that are common to all types of processing activities. In the section "Guides, reports and technical notes" you can find specific material that extends their scope to particular processing activities, technologies or controllers.
In any case, controllers and processors should not forget to verify that they comply with all the requirements and obligations that guarantee compliance with GDPR and national rules on data protection.
Risk management
The following resources support the obligation to carry out a risk analysis of personal data processing activities:
- Guía práctica de análisis de riesgos para el tratamiento de datos personales (only in Spanish, soon available in English)
- Tool for conducting risk analysis and data protection impact assessments (only in Spanish, soon available in English)
- Tool to help compliance with GDPR for entities that carry out low risk processing activities: FACILITA GDPR
- Tool to help entrepreneurs and technology start-ups to comply with data protection regulations: FACILITA-EMPRENDE
Data Privacy Impact Assessment
The following resources support the obligation to carry out a data privacy impact assessment of personal data processing activities:
- Guía práctica para las evaluaciones de impacto en la protección de datos personales (only in Spanish, soon available in English)
- Listas de tipos de tratamientos de datos que requieren EIPD (art 35.4) (only in Spanish, soon available in English)
- Lista orientativa de tipos de tratamientos de datos que no requieren una evaluación de impacto relativa a la protección de datos (art 35.5) (only in Spanish, soon available in English)
- Template For Data Protection Impact Assessment Report (DPIA) For Public Administrations
- Template For Data Protection Impact Assessment Report (DPIA) For Private Sector
Data Protection by Design and by Default
The following resources support the obligation to take into account, from the initial stages of definition and analysis of the processing, appropriate technical and organisational measures for ensuring, by design and by default, data protection principles implementation:
- A Guide to Privacy by Design
- Guidelines for Data Protection by Default
- Protección de datos por defecto: Listado de medidas (only in Spanish, soon available in English)
Personal Data Breach Management
The following resources support the obligation to implement incident recording and notification mechanisms in order to properly manage any security breach that may arise during personal data processing:
- Guide on personal data breach management and notification
- Tool to assess the obligation to communicate a personal data breach to the data subjects: COMUNICA-BRECHA RGPD
- Notification form for reporting a personal data breach to the Supervisory Authority (only in Spanish)
- Security breach site (only in Spanish, soon available in English)
Guidelines, reports and technical surveys
In this section you can find documents developed by the AEPD (guidelines, reports, surveys, ...) designed to disseminate knowledge among controllers, processors and those interested in data protection. These resources are grouped by category and ordered by publication date.
General surveys
- Guidelines for Data Protection by Default [oct 2020]
- Recommendations to protect personal data in situations of mobility and telecommuting [april 2020]
- Introduction to the Hash Function as a Personal Data Pseudonymisation Technique [nov 2019]
- A Guide to Privacy by Design [oct 2019]
- K-anonymity as a privacy measure [jun 2019]
- Guide on personal data breach management and notification [jun 2018]
Specific surveys
- Audit Requirements for Personal Data Processing Activities involving AI [jan 2021]
- Technologies and Data Protection in Public Administrations [dec 2020]
- 14 misunderstandings with regard to biometric identification and authentication [jun 2020]
- Technologies in the fight against COVID19 [may 2020]
- Guidelines for Implementation of the Eighth Additional Provision and Twelfth Final Provision of the LOPDGDD [feb 2020]
- GDPR compliance of processings that embed Artificial Intelligence. An introduction [feb 2020]
- Guide on drones and data protection [may 2019]
Risk management
- List of the types of data processing that require a DPIA (art 35.4) [sep 2019]
- Indicative list of the types of data processing that do not require DPIA (art 35.5) [aug 2019]
Internet and mobile systems
- Guide on use of cookies [jan 2021]
- Measures to minimise internet tracking [sep 2020]
- Infographic: Measures to minimise internet tracking [sep 2020]
- Guidelines for social distance and access control apps due to COVID-19 [jun 2020]
- Introduction to 5G technologies and their risks in terms of privacy [may 2020]
- Protection of minors on the Internet [april 2020]
- DNS Privacy [nov 2019]
- The duty to inform and other accountability measures for mobile devices [may 2019]
- Access to applications on the screen for Android devices [may 2019]
- User controls for ad personalisation on Android [may 2019]
- Survey about preinstalled apps in Android and privacy risks [mar 2019]
- Analysis of information flows in Android. Tools for compliance with accountability [mar 2019]
- Survey on Device Fingerprinting [feb 2019]
Technical posts in the AEPD blog
The Agency has a blog in which articles of interest on personal data protection are published periodically. Below is a selection of the most interesting technical posts published so far.
General posts
- Privacy in Online Meetings [feb 2021]
- IoT (II): from the internet of things to the internet of bodies [jan 2021]
- Identification in online payment services [dec 2020]
- IoT (I): What is IoT and which risks does it entail [dec 2020]
- Blockchain (II): Basic concepts [nov 2020]
- Group Privacy [oct 2020]
- Data Governance and Data Protection Policy [sep 2020]
- Data protection and security [april 2020]
- Personal data and emergencies [april 2020]
- Connected Cars [april 2020]
- Consent receipt: A tool for transparency and proactive accountability [feb 2020]
- Do you know Gestiona? [jan 2020]
- Privacy Engineering [sep 2019]
Encryption and privacy posts
- Encryption and Privacy IV: Zero Knowledge Proofs [nov 2020]
- Encryption and Privacy III: Homomorphic encryption [jun 2020]
- Encryption and Privacy II: Lifespan of personal data [jan 2020]
- Encryption and Privacy: Encryption in the GDPR [nov 2019]
Internet and mobile systems posts
- Privacy risks when logging in other applications with social media accounts [oct 2020]
- URL shorteners [jul 2020]
- Recommendations to Prevent Digital Harassment [may 2020]
Data breach posts
- Personal data breaches: Ransomware and risk management [dec 2020]
- Personal data breaches: online productivity platforms [jun 2020]
- Personal data security breaches: Top 5 technical measures to be taken into account [april 2020]
- Notification of personal data security breaches during the state of alarm [april 2020]
- Phishing Campaigns Regarding The Coronavirus [mar 2020]
- Data breach: communication to the data subject [feb 2020]
- Data breaches: protect yourself against the loss or theft of a portable device [oct 2019]
- Personal data breaches: what they are and how to respond [jun 2019]
- Personal data breaches: protect yourself against ransomware [may 2019]
Collaborations and Technological Awards
As part of promoting research on the fundamental right to data protection, the AEPD announces awards, in different categories, to encourage innovation in privacy.
In the 2019 call, the following technological awards were convened in the field of research and entrepreneurship in the protection of personal data:
Emilio Aced Personal Data Protection Research Award
This award recognises data protection works and projects carried out in the context of scientific and technical research, with a strictly practical approach, in which the application of data protection principles in the field of scientific and technical development is studied, analysed or developed in order to guarantee the rights and freedoms of individuals. You can access the details of the call at this link.
Awarded work 2019:
Award: Julien Armand Pierre Gamba, Mohammed Ahmed Fahim Rashed, Abbas Razaghpanah, Juan Manuel Estévez Tapiador and Narseo Vallina-Rodríguez. Stony Brook University (Universidad Carlos III de Madrid and IMDEA Networks Institute).
Secondary award (Accésit): Mikel Recuero Linares. Subdirección General de Evaluación y el Fondo Europeo de Desarrollo Regional (FEDER “Una manera de hacer Europa”).
Ángela Ruiz Entrepreneurship in Protection of Personal Data Award
This award recognises the development of an original, creative and innovative business activity, product or service with a social impact in relation to data protection and the guarantee of the rights and freedoms of individuals. You can access the details of the call at this link.
Awarded work 2019:
Award: Molinapps S.L.U. Armando Molina Betancor.
Links to documents of interest
This section includes a collection of links to documents and surveys of interest published by other national and international entities and organisations.
- European Data Protection Board
- EDPB: Guidelines 4/2019 on Article 25 Data Protection by Design and by Default [oct 2020]
- EDPB: Guidelines 07/2020 on the concepts of controller and processor in the GDPR [sep 2020]
- Response to the proposal of a member of the European Parliament regarding the possibility of requiring that all new laptops entering the European Union market be equipped with a camera cover [jun 2020]
- EDPB: Guidelines 05/2020 on consent under Regulation 2016/679 [may 2020]
- EDPB: Guidelines 3/2019 on processing of personal data through video devices [jul 2019]
- ART.29 WP: Statement of the WP29 on encryption and their impact on the protection of individuals with regard to the processing of their personal data in the EU [april 2019]
- ART.29 WP: Guidelines on Personal data breach notification under Regulation 2016/679 [feb 2018]
- ART.29 WP: Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 [oct 2017]
- ART.29 WP: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 [april 2017]
- ART.29 WP: Guidelines on the right to data portability [april 2017]
- ART.29 WP: Guidelines on Data Protection Officers (DPO) and "large-scale" notion [dec 2016]
- ART.29 WP: Opinion 01/2015 on Privacy and Data Protection Issues relating to the Utilisation of Drones [jun 2015]
- ART.29 WP: Opinion 05/2014 on Anonymisation Techniques [april 2014]
- ART.29 WP: Opinion 02/2013 on apps on smart devices [feb 2013]
- ART.29 WP: Opinion 3/2012 on developments in biometric technologies [april 2012]
- European Data Protection Supervisor
- EDPS: Personal Information Management Systems [jan 2021]
- EDPS: Quantum Computing and Cryptography [august 2020]
- EDPS: Outcome of own-initiative investigation into EU institutions’ use of Microsoft products and services [jul 2020]
- EDPS: Contact Tracing with Mobile Applications [may 2020]
- EDPS: Connected Cars [dec 2019]
- EDPS: EDPS Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data [dec 2019]
- EDPS: Smart Meters in Smart Homes [oct 2019]
- EDPS: Smart Speakers and Virtual Assistants [jul 2019]
- EDPS: Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A Toolkit [april 2017]
- EDPS: Meeting the challenges of big data [nov 2015]
- Council of Europe
- European Commission
- AI HLEG: A definition of AI: Main capabilities and disciplines [april 2019]
- AI HLEG: Ethics guidelines for trustworthy AI [april 2019]
- European Union Agency for Cybersecurity (ENISA)
- Recommendations on shaping technology according to GDPR provisions - Exploring the notion of data protection by default [dec 2018]
- Recommendations on shaping technology according to GDPR provisions - An overview on data pseudonymisation [nov 2018]
- Handbook on Security of Personal Data Processing [dec 2017]
- Guidelines for SMEs on the security of personal data processing [dec 2016]
- Harvard University
- National Institute of Standards and Technology (NIST)
- Privacy Framework
- Privacy Engineering Program
- Workloads of Counting Queries: Enabling Rich Statistical Analyses with Differential Privacy [feb 2021]
- Summation and Average Queries: Detecting Trends in Your Data [dec 2020]
- Counting Queries: Extracting Key Business Metrics from Datasets [oct 2020]
- Threat Models for Differential Privacy [sep 2020]
- SP 800-53B Security and Privacy Controls for Information Systems and Organizations [sep 2020]
- Differential Privacy for Privacy-preserving Data Analysis: An Introduction to our Blog Series [jul 2020]
- Spreadsheet (.xlsx) version of SP 800-53B controls