Data Protection Law for SMEs: How should they manage personal data?

Since its birth, on December 13, 1999, the Organic Law on the Protection of Personal Data (LOPD) has raised many questions to all those responsible for its compliance. In article 2 of its development, it establishes that it is under the scope of application of the Data Protection Law the person responsible for any commercial activity that handles personal information within the Spanish territory.

In addition, it is also subject to this Law who does so outside the limits of the European Union but using means located in Spain,or that Spanish regulations are applied to it by virtue of the duty to observe any rule of Public International Law.

Little is outside the scope of the LOPD:personal information used by natural persons in their particular activities, information protected by other laws as classified matters, and those related to terrorist activities or organized crime.

So far it is clear to whom the Spanish Agency for Data Protection directs its gaze as the highest authority in charge in Spain of supervising the correct compliance with the legislation on the Protection of Personal Data.

What is data protection?

Data protection is one more means to guarantee the fundamental right to honor, personal and family privacy and self-image contained in article 18 of the Spanish Constitution.

Therefore, the proper use of all personal information of the citizens of our country is supervised within the framework of their relationship with companies, freelancers, and both public and private bodies and authorities.

In this sense, the regulations are categorical and impose sanctions ranging from 900 euros in the mildest cases, to 600,000 euros for very serious infractions that are also repeat offenders, intentional and considered of special magnitude according to the criteria of the legislator.

These criteria are exhaustively included in the Law on the Protection of Personal Data in number 45 of its articles.

Data Protection Agency: How to protect my personal data

As a Public Law entity responsible for controlling our personal data, the Data Protection Agency acts with its own legal personality and full capacity, collaborating with the Government through the Ministry of Justice. It corresponds to the specific functions of protection of personal data and it is essential to address it when the rights are infringed or the correct exercise of them is sought.

Of special vigilance are the so-called ARCO rights,that is: Access, Rectification, Cancellation and Opposition over which they hold absolute power before the person responsible for owning the files or organized set of personal data in any form of creation or organization.

Protection of Personal Data for Freelancers and Companies

SMEs and the self-employed are in the crosshairs of the LOPD. The personal information provided by both customers and suppliers in the management of their business relationships is particularly vulnerable to possible breaches in the field of personal data protection.

The legislation requires that the data be collected for processing in the form of files, with the consent of its owner, for a specific purpose. In short, these must be accurate and complete. Also, once the purpose for which they registered disappears, they must be canceled.

The lack of information, knowledge and / or specialized or available personnel of small companies to comply with the legal requirements on data protection implies a serious risk for its operation and future projection.

Lack of means does not prevent liability and its possible consequences in case of inspections or claims.

The advance in commercial technology, such as e-mail marketing that has meant a very useful progress in commercial promotion, is sometimes one of the most visible and massive ways of breaching data protection regulations.

New European regulation

On May 25, 2016, the European General Data Protection Regulation (RGPD) came into force, even more demanding and complex than our LOPD.

The consent of the owner of the data can no longer be simply tacit, express acceptance is required which entails a specific processing channel.

There is also the figure of the Data Protection Officer known as DPO, from the English Data Protection Officer,who requires specific legal knowledge in this area and independent action.

As a filming for its fulfillment, Europe grants a period of adaptation to the Data Protection Regulation that will end on May 25, 2018.

Perhaps, the most advisable thing for SMEs and freelancers is to put themselves in expert hands, subcontracting the advisory service and implementation of a personal data processing system that meets the legal requirements. A new effort for entrepreneurs and freelancers that is expected to result, at least, in greater confidence of their customers.