Latest Developments in Spain regarding the GDPR


On 25 May, the 9th Annual Open Session was held by the Spanish Data Protection Agency (SDPA). These yearly open events allow the SDPA to integrate with companies, organisations and professionals in the privacy sector. This year, the open session focused mainly on the practical implications of the General Data Protection Regulation (GDPR).

During the session, the SDPA presented the trial version of a data processing tool (named "tool for NANOPYMES"). It is introduced as a general assistance programme, intended to help small companies and professionals who process low-risk personal data comply with the GDPR.

This tool consists of four stages:

  • 1st stage: Ensuring that high-risk processing activities are eliminated.
  • 2nd stage: Collecting information regarding the data controller.
  • 3rd stage: Collecting information regarding the data processing.
  • 4th stage: A document with all the information needed by the data controller is created in order to comply with the GDPR.

The objective of this tool is for small and medium-sized enterprises (SMEs) to verify that their data processing is being carried out at low or very low risk and, by the end of the questionnaire, to be aware of the minimum documents required to demonstrate that they comply with the GDPR. The use of this tool does not guarantee full compliance with the GDPR.

As reported, this practical resource, presented as an online questionnaire, is in its testing phase and has been offered to different businesses and professional associations, so that they can evaluate it and provide their comments and suggestions.

In addition to this, the SDPA explained certain aspects of the GDPR which represent a substantive change compared with our current regulation under the Directive: for example, the Security Document as we know it today in Spain (a catalogue of security measures) is withdrawn. However, within the record of processing activities, the data controller will be able to include the proposed security measures.

While the Government is working on drafting a new Spanish Data Protection Organic Act, the SDPA has launched several guidelines which focus on important aspects of the new GDPR. Some of these guidelines are listed below: