Data Protection Consultancy

Our services support ongoing compliance with applicable legislation, and we provide updates in response to any regulatory developments affecting personal data protection.

At Urbaser we provide specialist consultancy in Data Protection, in full alignment with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), and Organic Law 3/2018 of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD).

Data Consulting anywhere in Spain

The Supplier may deploy a qualified technician to any location within the territory of Spain to carry out a bespoke assessment of the Client’s requirements in relation to the protection of Personal Data.

Any corporate body, sole trader or other organisation that collects or otherwise processes Personal Data relating to natural persons (including but not limited to customers, patients, or employees) shall be deemed responsible for the security and lawful protection of said data.

The protection of individuals with respect to the processing of their Personal Data constitutes a fundamental right governed by various legal instruments, and is currently regulated under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “GDPR”) concerning the protection of natural persons regarding the processing of Personal Data and the free movement of such data, which repealed Directive 95/46/EC.

This EU Regulation seeks to ensure a proportionate balance between data subjects’ rights to the protection of their Personal Data and the lawful free movement of such data, establishing a harmonised legal framework for Data Protection within the context of an increasingly interconnected and technologically advanced society.

What does Data Protection Consulting look like?

We provide consultancy in Data Protection, in full alignment with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), and Organic Law 3/2018 of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD).

Data Protection Consultancy Service:

  • Risk Analysis Report. Initial analysis of the possible risks to the protection of the data processed by the Client.
  • Technical Visit to the Client’s facilities.
  • Preparation of a new Security Document for your clinic.
  • Compilation of all documentation necessary for regulatory compliance: Register of Activities, Reports, Contracts, Clauses (for patients, mails, web), confidentiality obligations, authorisations, etc.
  • Audit Report. Prepared by a specialised professional team.
  • Impact Assessment Report, only where the risk analysis carried out determines that such a report is needed.
  • Permanent advice on data protection via the customer portal (www.urbaser.com), telephone and e-mail.
  • Follow-up of the outcome of the Impact Assessment and/or Audit through ongoing alerts.
  • Data Protection Officer (DPO) service where appropriate.

Service Phases:

Urbaser offers a service for ensuring compliance with applicable Data Protection Legislation, structured into the following sequential phases:

  • Phase 1 – Initial Risk Analysis to identify any potential risks to the rights and freedoms of Data Subjects whose Personal Data is processed by the Client.
  • Phase 2 – Technical visit to the Client’s premises for the purpose of collecting all relevant operational and processing information required to comply with applicable Data Protection obligations.
  • Phase 3 – Generation of all necessary documentation for regulatory compliance (Register of Activities, reports, contracts, clauses and consents, audits, notifications), based on the data obtained in Phase 2. An Impact Assessment shall be undertaken only where the risk analysis conducted in Phase 1 indicates that such an assessment is required under applicable law.
  • Phase 4 – Delivery of the documentation prepared during Phase 3.
  • Phase 5 – On an annual basis, the Supplier shall carry out a further visit to the Client’s premises to review and record any identified modifications, followed by the preparation and delivery of updated reports to the Client.

The Data Protection Service includes the appointment of a Data Protection Officer (DPO) in all instances where such designation is mandatory pursuant to Article 37(1) of the GDPR and Article 34(1) of the LOPD-GDD. A DPO shall also be designated where mutually agreed by the Parties on a voluntary basis. The new regulation is complex, and Personal Data must be processed in a secure and compliant manner. To support the Client’s alignment with said framework, it shall be necessary not only to implement appropriate technical and organisational security measures and produce new reports, but also to promote increased awareness, engagement and commitment within the Client’s organisation to continuously evaluate and reduce the risks associated with the processing of Personal Data.

Under the transparency principle, information provided to data subjects, both regarding the conditions of processing that concern them and in response to the exercise of their rights, must be delivered in a concise, transparent, intelligible, and easily accessible format, using clear and plain language.

Overly complex language and references to legal texts should be avoided.

Information clauses must clearly and accessibly explain the content to which they directly relate, regardless of the data subject’s familiarity with the subject matter.

The GDPR defines the accountability principle (proactive responsibility) as the requirement for Controllers to implement appropriate technical and organisational measures to ensure, and be able to demonstrate, that processing activities are carried out in compliance with the Regulation.

From the outset, Controllers must embed appropriate organisational and technical safeguards into processing activities to ensure that the GDPR principles are effectively applied. Controllers must ensure that only data necessary for the specific purposes are processed, in terms of volume, scope, retention, and accessibility.

This principle requires organisations to assess which data are being processed, for what purposes, and what processing activities are involved.

Based on that assessment, Controllers must explicitly determine how they will apply the measures required under the GDPR, ensure those measures are appropriate for achieving compliance, and be able to demonstrate this to data subjects and the relevant supervisory authorities. In summary, the principle requires organisations to take a conscious, responsible, and proactive approach to all processing of personal data under their control.

The GDPR outlines a set of measures that Controllers, and in some cases Processors, must implement to ensure their processing activities comply with the Regulation and to demonstrate that compliance.

These proactive accountability measures include:

  • Data analysis
  • Maintenance of a Record of Processing Activities
  • Data protection through data governance
  • Security measures
  • Notification of personal data breaches
  • Data Protection Impact Assessment
  • Data Protection Officer

The DPO is a key component of the GDPR framework and serves as a guardian of compliance within organisations. However, ultimate responsibility for ensuring compliance remains with the Controller or Processor.

The DPO must be appointed based on their professional capabilities, particularly their expert knowledge of data protection law and practice. Formal qualifications or certification are not mandatory.

The DPO must act independently and is responsible for advising and informing the Controller or Processor and for monitoring compliance with the GDPR. The full scope of the DPO’s duties is set out in Article 39 of the GDPR. It is important to note that the DPO may be an internal or external resource and can be either an individual or a legal entity.

Video surveillance shall only be used where less privacy-intrusive measures are not feasible. Recording images of public highways for security purposes is prohibited, as this responsibility lies with the Security Forces and Corps, except where it is indispensable for the intended purpose or unavoidable due to the camera’s location. In all cases, any processing of data unnecessary for the specified purpose must be avoided. The installation of sound recording or video surveillance systems shall under no circumstances be permitted in areas designated for the rest or recreation of workers or public employees, such as changing rooms, toilets, canteens, and similar locations.

Processing of images for security purposes via video surveillance must comply with the GDPR, including maintaining a Record of Processing Activities as required by Article 30.

The right to information under Article 13 must also be observed. To this end, a layered approach may be adopted as follows:

  • Display signage indicating the area is under video surveillance, identifying the data controller, and informing data subjects of their rights under Articles 15 to 22 of the GDPR.
  • Ensure that the information required by Article 13 is made available to data subjects.

Security measures must be implemented in accordance with Article 32 of the GDPR, which requires appropriate technical and organisational measures to ensure a level of security proportionate to the risk. Where a third party manages the cameras, this entity shall be considered a data processor and must comply with the obligations set out in Article 28 of the GDPR.

Data shall be deleted no later than one month after collection, except where retention is necessary to establish evidence of acts affecting the integrity of persons, property, or facilities. In such instances, the images must be made available to the competent authority within 72 hours of the recording’s existence becoming known.

Where cameras do not record images but allow real-time viewing, this shall also be subject to GDPR provisions as personal data processing occurs. Consequently, compliance with the requirements is mandatory. Obligations to be observed include maintaining the Record of Processing Activities and ensuring the right to information as detailed above.

The GDPR permits Member States to set an age below 16 years, provided it is not lower than 13 years. In Spain, pursuant to Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights, Article 7 stipulates that the processing of personal data of minors may only be based on their consent if they are aged 14 or older. Exceptions apply where the law requires the involvement of holders of parental authority or guardianship for the conclusion of the legal act or transaction in which consent to processing is sought.

Processing of personal data of minors under the age of 14 based on consent shall only be lawful where such consent is given by the holder of parental authority or guardianship.

Article 154 of the Civil Code grants parents with parental authority access to their children’s health information, enabling them to fulfil their duties in safeguarding the child’s health in accordance with the obligations arising from the exercise of parental authority.

Such access is limited exclusively to holders of parental authority and does not extend to other family members. Minors aged 14 and over may also exercise their right to access their own medical records; however, this right does not restrict the ability of holders of parental authority over non-emancipated minors to access those records.

Any complaints arising from the refusal to provide medical records of minors to parents with parental authority should be directed to the relevant health or judicial authorities.

Since 25 May 2018, the obligation to register files, whether public or private, in the Register of Files maintained by the Spanish Data Protection Agency, as well as in the registers of the relevant regional authorities, has been removed.

  • Designate a Data Protection Officer where required by law or voluntarily appointed.
  • Prepare the register of processing activities.
  • Analyse the legal bases for processing personal data.
  • Conduct a risk analysis.
  • Review and update security measures considering the risk analysis conducted.
  • Establish mechanisms and procedures for managing data security breaches.
  • Carry out a Data Protection Impact Assessment where necessary.
  • Adapt personal data collection forms to reflect the information rights under the GDPR.
  • Update procedures to enable the exercise of data subjects’ rights concerning their personal data processing.
  • Assess whether data processors provide adequate guarantees of GDPR compliance.
  • Implement contracts with data processors in accordance with GDPR requirements.
  • Develop and enforce data protection policies.

Beyond the right to information, the GDPR grants data subjects the rights to access, rectification, erasure (“right to be forgotten”), objection, portability, restriction of processing, and to object to automated decision-making (including profiling). These rights are exercised against the data controller. They may also be exercised in cases involving a data processor, provided there is an agreement between the controller and the processor.

When these rights are exercised, the controller must respond within one month of receiving the request. This period may be extended by up to two additional months if necessary, considering the complexity and number of requests. In such cases, the controller must notify the data subject of the extension within one month of receiving the request, explaining the reasons for the delay.

The GDPR defines data security breaches (commonly referred to as “security breaches”) in broad terms, encompassing any incident that results in the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data that is transmitted, stored, or otherwise processed.

Examples such as the loss of a laptop, unauthorised access to an organisation’s databases (even by internal staff), or the accidental deletion of records all qualify as security breaches under the GDPR and must be addressed in accordance with the Regulation. The harm caused by a security breach may be material or immaterial, ranging from possible discrimination of affected individuals due to misuse of their data, to identity theft, economic loss, or public exposure of confidential information.

A security breach is considered known once there is certainty that it has occurred and sufficient understanding of its nature and scope. A mere suspicion of a breach, or recognition that an incident has occurred without any knowledge of its circumstances, should not trigger notification at this stage, since in most cases it would be impossible to assess the potential risk to the rights and freedoms of the data subjects.

Contracts with data processors entered before the GDPR came into effect in May 2018 must be amended and adapted to comply with its provisions; generic references to the applicable GDPR articles are not sufficient.

In this regard, it is important to highlight that the fifth transitional provision of Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights states:

“The data processor contracts signed prior to 25 May 2018 under the provisions of Article 12 of Organic Law 15/1999, of 13 December, on the Protection of Personal Data shall remain valid until their indicated expiry date or, if concluded indefinitely, until 25 May 2022.

During these periods, either party may request the other to modify the contract to ensure compliance with Article 28 of the GDPR.”

Contact


Soluciones Sanitarias Offices


  • Mallorca (900 922 903)
  • Barcelona (900 922 903)
  • Cartagena CEE (900 922 903)
  • Vigo (900 922 903)
  • Las Palmas (900 922 903)
  • Madrid (900 922 903)
  • Málaga (900 922 903)
  • Sevilla (900 922 903)
  • Tarragona (900 922 903)
  • Tenerife (900 922 903)
  • Valencia (900 922 903)
  • Valladolid (900 922 903)
  • Vitoria (900 922 903)
  • Zaragoza (900 922 903)