The Spanish AEPD has published a “white list” of data processing operations that DO NOT require a Data Protection Impact Assessment (DPIA) under GDPR:

  • Processing carried out under guidelines previously established or authorized by the DPA
  • Processing carried out under the guidelines of an approved code of conduct
  • Processing necessary to comply with a legal

Tardiness in transposing data protection laws comes with a hefty fine.

The European Commission is asking the Court of Justice of the European Union to impose financial sanctions on Greece and Spain for failing to transpose the rules on the Data Protection Law Enforcement Directive before the May 6, 2018, deadline, according to a news

The IAPP (International Association of Privacy Professionals) reports on Spain’s new GDPR implementation law, which provides clarity on some gray areas.

Highlights include:

  • the data processor may address a data subject’s rights on behalf of the controller if this is provided in the contract or other legal instrument that binds controller and processor.
  • requests from