Category Archives: Spain

Agencia Española de Protección de Datos (AEPD)

The AEPD starts an investigation to evaluate Yahoo's largest data breach

On 15 December 2016, Yahoo admitted that a large cyber attack had affected more than a billion personal accounts worldwide. The accounts include different kinds of personal information, such as names, email addresses, phone numbers, photos and other personal files stored online, and even passwords and other encrypted or unencrypted security codes. This disclosure follows September’s incident, in which the company admitted a theft, ascribed to an unnamed foreign government, that affected more than 500 million users and dated back to 2014.

The Yahoo breach and its causes are now under investigation. Meanwhile, the company is notifying users who may have been affected by the breach and making them change their passwords.

The Director of the Spanish Data Protection Agency (AEPD) has expressed her intention to open an investigation to clarify the massive theft of data. In this regard, the AEPD is considering whether to impose sanctions if it determines that Yahoo has not informed users of a security breach.

Agencia Española de Protección de Datos (AEPD)

Facebook Stops WhatsApp Data Sharing Across Europe

On 16 November 2016, WhatsApp announced it had temporarily blocked user data from being shared with its parent company Facebook across Europe. It means that Facebook would only make use of WhatsApp data to prevent spam.

As a consequence, the Spanish Data Protection Agency (AEPD) initiated in early October an investigation to examine the communications between WhatsApp and Facebook and the processing of personal data involved. More specifically, it will study what information collected from WhatsApp users is sent to Facebook, for what purpose, how long it is kept and what options users are offered if they wish to object.

Background of the case

In 2014, Facebook bought WhatsApp, which pledged not to share user data with its new parent. Last August, the company made changes to its terms and conditions which allowed user data to be shared with its parent company, as well as with the Facebook group of companies including Messenger and Instagram, for services including advertising and product development purposes. The messaging app argued that it would allow for a better advertising experience and would help fight spam.

According to the WhatsApp blog: “By coordinating more with Facebook, we’ll be able to do things like track basic metrics about how often people use our services and better fight spam on WhatsApp”. “Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them. For example, you might see an ad from a company you already work with, rather than one from someone you’ve never heard of”.

Agencia Española de Protección de Datos (AEPD)

Changes in WhatsApp's Privacy Policy

In 2014, Facebook bought WhatsApp, which pledged not to share user data with its new parent. However, last August, the company announced a big change to its privacy policy: the new terms and conditions allow some user data (such as the phone number and the last time the client used the application) to be shared with the Facebook family of companies for an undetermined range of services.

According to the WhatsApp blog: “By coordinating more with Facebook, we’ll be able to do things like track basic metrics about how often people use our services and better fight spam on WhatsApp”. “Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them. For example, you might see an ad from a company you already work with, rather than one from someone you’ve never heard of”.

Facebook has maintained that its end-to-end encryption system will remain in place for the purpose of respecting the user's privacy and giving an improved experience without third-party banner ads and spam.


Agencia Española de Protección de Datos (AEPD)

Spanish DPA publishes the Annual Report of 2015

On June 21st, 2016, the Spanish DPA presented its Annual Report for 2015. The Report explains exhaustively the activity and functioning of the various areas of the institution, summarizes the most important trends, decisions and procedures of the year, and analyses present and future challenges in the field of data protection. More importantly, it gives an overview of the cooperation in which the Agency engaged during 2015. The AEPD has, inter alia, signed a new collaboration agreement, participated in events and seminars, intervened in EU Working Parties and sent experts on evaluation missions. Moreover, its international cooperation does not preclude the Agency from cooperating with the regional Spanish DPAs (Catalan Authority of Data Protection, Basque Agency of Data Protection).

Agencia Española de Protección de Datos (AEPD)

Companies will be able to monitor their employees with video-surveillance cameras without their consent

Background of the case

The company had detected that one of the employees might have been misappropriating funds in one of its stores. Based on this suspicion, the company decided unilaterally to install video-surveillance cameras, giving notice of the cameras’ installation in a visible place on the shop window, but without informing its employees formally.

On 3 March 2016, the Spanish Constitutional Court issued Judgment 7222-2013. In that resolution, it stated that when a company suspects that irregularities are being committed, monitoring its employees with video-surveillance cameras without their specific consent is justified. In that case, it is not necessary to inform the employees of the specific purpose for which such cameras are being installed.

More specifically, the Judgment stated the following:

a) Legitimate purpose. The camera was installed due to the suspicion that one of the employees in the store was stealing from the cash register.

b) The employee was generically informed about the video-surveillance cameras installation as it had. Under those circumstances, the Constitutional Court stated that it was not required to explicitly inform the employees of the reason why the measure had been put in place.

c) Proportionality. The installation allowed the company to verify the irregularities committed by the employees (suitable), the video-surveillance camera was the last resort available to the company to find out who exactly was stealing money (necessary), and the recordings were limited exclusively to the cash register area (proportional).

Agencia Española de Protección de Datos (AEPD)

AEPD approves the update of Google privacy policies

In March 2012, Google changed its privacy policy and its conditions of use, designing a new model based on combined information given by a user. As a consequence, the Spanish Data Protection Agency (AEPD) started a procedure against Google which concluded in December 2013.

The AEPD declared Google's way of processing personal data illegal, identified three critical breaches of data protection legislation and imposed a very high penalty. The final report stated that Google needed to take the necessary measures to bring its privacy policy into line with Spanish legislation.

Last month, three years later, the AEPD informed the Working Group of the progress in Google's privacy policy. It has established that Google introduced substantial changes in the areas that had been required, such as the field of information, consent and the exercise of users' rights.

Furthermore, Google has committed itself to adopting a wide range of improvements: to increase the list of services with specific privacy policies, to extend privacy campaigns to other products or services (e.g. Android users), to conduct a continuous dialogue with the AEPD regarding the implementation of new measures and, finally, to inform it of future changes that could affect citizens’ privacy.

Agencia Española de Protección de Datos (AEPD)

Final version of the Strategic Plan approved by the AEPD

On 20 November 2015, the Spanish Data Protection Agency (AEPD) approved its “Strategic Plan” for the period 2015-2019. The Plan is the result of the public consultation process from 15 to 31 October 2015.

A specific timetable to implement a wide range of actions has been created. In this sense, the AEPD has focused on the following areas.

Strategic axis n. 1: Prevention for a more effective protection (protection of citizens, protection of minors and education, actions in relation to public administrations, certification, accreditation and audit and other prevention measures).

Strategic axis n. 2: Innovation and data protection “Confidence factor and quality guarantee”

Strategic axis n. 3: A collaborative, transparent and participatory agency (the promotion of a culture of data protection, communication tools, website and dissemination)

Strategic axis n. 4: An agency closer to privacy authorities, officers and professionals (relationships with stakeholders, SMEs, privacy and IT professionals).

Strategic axis n. 5: A more agile and efficient agency (solution for international challenges, simplification and improvement in management, digital AEPD and definition of the AEPD status and competences).

This document is the result of a public consultation from 15 to 30 October. The final version includes the elaboration of an annual report with the level of compliance with the Strategic Plan, new proposals and any corrective measures to be taken in case of non-compliance.

The report will be sent to the Constitutional Committee of Congress and made public on the AEPD website.

Agencia Española de Protección de Datos (AEPD)

New communication from the AEPD for the implementation of the judgment of Safe Harbour

Following the European Court of Justice’s invalidation of the Safe Harbour mechanism, which allowed the transfer of personal data to U.S. companies certified under the Safe Harbour Program, it is no longer possible to transfer data to the U.S. based on the above-mentioned Agreement.

In November 2015, the Spanish Data Protection Agency (AEPD) sent a letter to all companies that operate in Spain and had previously notified the AEPD of cross-border data transfers to Safe Harbour certified companies. This communication outlined that Safe Harbour certifications were no longer valid. In this regard, the AEPD stated that companies must implement other mechanisms to continue transferring data under the aforementioned Program. In particular, the AEPD is requiring the companies to report no later than January 29, 2016 any mechanisms that have been implemented to ensure adequate protections for personal data transferred to importers in the United States.

Finally, last December, the AEPD issued a new communication on the implementation of the judgment of Safe Harbour which is the object of analysis in the assessment.

Agencia Española de Protección de Datos (AEPD)

The Spanish Supreme Court requires the scope of the “right to oblivion” against the media

On 15 October 2015, the Spanish Supreme Court handed down its first ruling applying the so-called “right to be forgotten”, which had been applied to internet search engines, and expanding it to editors. It stated that detrimental information affecting individuals without public relevance should not be accessible to Internet search engines when the news has lost relevance over a considerable period of time.

The background of the case

In 1985, a prestigious national newspaper published a news story in its paper version about two people who were arrested on drug trafficking and drug use charges. In 2009, when these persons had already served their time and had their criminal records erased, details about their arrest, their imprisonment and other personal information could still be found through the top links that led to those old newspaper stories.

The claimants asked the newspaper to completely remove information relating to their conviction and imprisonment from the defendant’s digital archives and to adopt the necessary measures to ensure that the story no longer showed up in online search results.

Spain’s highest court rejected a petition by the claimants to eliminate all of the harmful information about them from its online. The Court, however, ordered that the defendant was responsible for ensuring that the personal information couldn’t be easily accessed through online search engines.

Agencia Española de Datos Personales (AEPD)

Developing a new Strategic Plan with stakeholders by the AEPD

On 15 October 2015, the AEPD issued its “Strategic Plan” which will be implemented during the period 2015-2018. It aims to lay the foundations for the main priorities of the AEPD and a wide variety of stakeholders such as citizens, experts in data protection, data controllers and public and private organizations have been involved in drafting it.

At this moment, the Plan has been submitted to public consultation in order to set out a series of new initiatives which are structured in the following five main strategic areas: 1. Prevention to more effective protection; 2. Innovation and privacy: trust factor and quality assurance; 3. Measures for increasing collaboration, transparency and participation; 4. A more practical-oriented programme, closer to the needs of individuals, privacy controllers and professionals; 5. Enhancing efficiency.