Businesses race against the clock as they prepare for the GDPR implementation in May

Spain - 

With two months to go before the new EU General Data Protection Regulation (GDPR) becomes active, businesses are working against the clock in order to be up and ready when the time comes. The two year extension afforded by the European regulation is coming to an end and there are still many doubts raised as to how it can effectively be applied.

Furthermore, the new Data Protection Law currently going through parliament is still pending approval, and will not be ready by 25 May, the date on which the European Regulation will begin to apply, and it may not even be passed at all this year. However,  Spain is not the only one in this predicament, nor will the laws of other member states -barring Germany and Austria - be ready in time.

With a view to mitigating this lack of regulatory precision, both the Working Group mentioned in Article 29, and the Spanish Data Protection Agency are offering various guidelines to help businesses interpret the new regulation and bring their companies into line.

This was the view put forward by Alejandro Padín counsel in the Commercial department and head of Privacy and Information Technology at the Garrigues Madrid office, in workshops held this week in Madrid and Barcelona explaining how to comply with the EU General Data Protection Regulation in a timely and effective manner. The workshops, attended by around 800 people interested in learning how to effectively address the effects of the new regulation, and avoid the consequences of failing to do so, were also disseminated to all the firm's offices in Spain, testimony to the enormous interest and concerns raised in respect of the imminent implementation of the new regulation.


At the Barcelona event, a round table was chaired by Garrigues partner José Ramón Morales, with Alejandro Padín participating, alongside Misi Borrás, partner in the Labour department and Francisco Marín, Commercial department associate. At the Madrid workshop, Javier Marzo, partner in the Commercial Department, introduced the event, which was also attended by Alejandro Padín, this time he spoke alongside Braulio Molina, partner in the firm, who outlined the effects that the new Regulation would have on Human Resources departments, while Katiana Otero, associate in the Commercial department, explained how companies’ marketing departments would be affected.

The speakers analysed the specific aspects that businesses will need to consider in May, taking into account the most recent innovations in this regard, and offered attendees an emergency kit to deal with the GDPR by way of a guide for companies, with information on what to do and how to comply, providing a snapshot of the ideal scenario in order to be ready for 25 May 2018.

Steps to be taken

Alejandro Padín explained that the regulatory framework surrounding the GDPR is extremely complex, and requires expert advice and assistance. He also indicated that it will be a challenge for all businesses, in particular those concerned with data matters. In this regard, he underlined the fact that the digital economy has two main elements: the storage of information on a major scale and analysis of that data in a hyper-efficient manner. He concluded by indicating that it is important to create a route map to ensure compliance with the Regulation.

In turn, Braulio Molina focused on Human Resources which will be considerably impacted by the GPDR. He addressed issues such as biometric data processing in the employment sector - fingerprints, biometric digital signature, facial images etc. - all of which requires a specific legal analysis in the light of the new regulations. He also addressed issues relating to video surveillance and control of employees' e-mails in the light of case law that has analysed the question in a detailed manner in several significant rulings, such as the famous  Barbulescu judgment of the Court of Justice of the European Union, of 5 September 2017, or the most recent judgment of the Supreme Court on 8 February this year. Finally, he emphasised that processing the data of employees in business groups is a particularly complex issue.

Katiana Otero looked at the effects of this regulatory revolution on corporate marketing departments. She explained that marketing campaigns based on data analysis require in- depth study in order to adapt them to the GDPR, and advised that it is important to establish priorities when undertaking a project to adapt to the Regulation in an orderly manner. It is also essential to correctly diagnose and identify data processing in order to comply with applicable regulations.

All the speakers coincided in pointing out that analysis of the figure of the data protection officer, is a fundamental component of any plans for compliance. In short, there are several relevant legal rulings to be taken into account in any project designed to adapt to the GDPR, and their correct application may be decisive for the future of businesses.