Coronavirus and GDPR , the Spanish AEPD weighs in:

  • Data protection should not be used to hinder or limit the effectiveness of the measures taken by authorities in the fight against the pandemic.
  • Consent may not be required. Appropriate legal bases for the processing of personal data for the control of epidemics and their spread,

The Spanish AEPD has published guidelines on patient health data protection.

The guidelines track the requirements of GDPR as applicable to patient data including the obligation to provide adequate disclosure under Article 12 and data subject rights.

Key Takeaways

  • In the field of health care the right to suppression of clinical history data is very

Latin American Data Protection Authorities and the Spanish Data Protection Authority have issued a joint statement on data processing and Artificial Intelligence.

Key recommendations:

1. Comply with local regulations on the treatment of personal data.

2. Conduct a data protection impact assessment.

3. Embed privacy, ethics, and security by design and by default.

4. Operationalize

On the heels of the Planet49 decision, the Spanish data protection authority AEPD has fined Vueling Airlines €30,000 (reduced to €18,000 for payment in full) for failure to provide a compliant cookie disclosure/consent under GDPR.

Key takeaways (pertaining to cookies that require consent under GDPR):

  • You need to provide the individual with the ability to

The Spanish AEPD has published a “white list” of data processing operations that DO NOT require a Data Protection Impact Assessment (DPIA) under GDPR:

  • Processing carried out under guidelines previously established or authorized by the DPA
  • Processing carried out under the guidelines of an approved code of conduct
  • Processing necessary to comply with a legal

Tardiness with transposing data protection laws comes with a hefty fine.

The European Commission is asking the Court of Justice of the European Union to impose financial sanctions on Greece and Spain for failing to transpose the rules on the Data Protection Law Enforcement Directive before the May 6, 2018, deadline, according to a news

The IAPP: International Association of Privacy Professionals, reports on Spain’s new GDPR implementation law, which provides clarity to some gray areas.

Highlights include:

  • the data processor may address a data subject’s rights on behalf of the controller if this is provided in the contract or other legal instrument that binds controller and processor.
  • requests from