2. IMPLEMENTATION PROCEDURE: KEY ISSUES
Free information
1. CONCEPT OF PERSONAL DATA PROTECTION
2. ANALYSIS AND DETECTION OF PERSONAL DATA PROCESSING
3. IDENTIFICATION OF THE RESPONSIBILITIES OF THE DIFFERENT DEPARTMENTS
4. CLASSIFICATION OF FILES
5. CREATION OF AN INTERNAL COMPANY POLICY
6. IDENTIFICATION OF THE PROCESSING OF PERSONAL DATA BY THIRD PARTIES
7. IDENTIFICATION OF THE NEED TO TRANSFER DATA BETWEEN COMPANIES
8. SECURITY DOCUMENT, NOTIFICATION, FILE REGISTERS AND CERTIFICATION OF CORRECT IMPLEMENTATION
DOCUMENTS FOR THE IMPLEMENTATION OF DATA PROTECTION
Payment required
9. PROCEDURE DOCUMENTS
10. COMPLEMENTARY AND IT GOVERNMENT DOCUMENTS
11. SECURITY AND AUDIT DOCUMENTS
www.yourlegalconsultants.com [email_address]
4. 1. CONCEPT OF PERSONAL DATA PROTECTION
Concept
The protection of personal data is governed by Organic Law 15/1999, of 13 December, on the protection of personal data, and its regulations.
Personal data is all numeric, alphabetical, graphic, photographic, acoustic or any other type of information concerning identified or identifiable natural persons.
It is classified into three levels: Basic, Medium, High.
We must make a special mention of personal data in relation to health: information on the present, past and future physical or mental health of an individual. In particular, information referring to a person's percentage of disability or genetic information is considered health data.
5. 2. ANALYSIS AND DETECTION OF PERSONAL DATA PROCESSING
The processing of personal data may be conducted internally or outsourced:
A. Internal processing
Examples:
   1. Marketing – Mailing of sales information, etc.
   2. Human Resources – Receipt of CVs, the carrying out of psychological assessments, etc.
   3. Quality – Processes associated with personal data
   4. Legal – Contracts, debts, audits, etc.
B. Processing of data by third companies
   1. Accounting firms
   2. Lawyers
It is important to bear in mind that the security manager should give clear instructions to subcontracted companies with regard to security measures.
6. 3. IDENTIFICATION OF THE RESPONSIBILITIES OF THE DIFFERENT DEPARTMENTS
It is important that each department is aware of its responsibility with regard to the protection of personal data:
A. Each type of data to be processed requires the adaptation of instructions to each department in the company
Examples:
   1. Marketing – Was the data subject's consent obtained for sending sales information?
   2. Human Resources – Is the information that is received for job applications used only for this purpose?
   3. Quality – Can the information associated with processes be simplified so that it can be classified as basic level data?
   4. Legal – In what cases is it necessary to obtain the data subject's consent?
B. What are the advantages of appointing a personal data coordinator in each department?
   1. Supervise interaction with other departments
   2. Approval of processes to avoid complaints
It is important to centralise information in accordance with the instructions of the systems manager.
7. 4. CLASSIFICATION OF FILES
Personal data is protected through the use of security measures appropriate to the nature of the data (basic, medium, high).
If the three types of data are stored in the same file, high level data security measures apply.
It is advisable to classify files on the basis of the nature of the data contained therein in order to provide the appropriate security measures.
The systems or security manager plays a vital role in this classification.
Nevertheless, it is important that the different databases or files that might be organised separately are unidentifiable.
It is important to know when the systems can be designed according to these criteria or, alternatively, the files can be classified according to their applicability. For example: (contacts in internal information systems, psychological assessments, etc.)
8. 5. CREATION OF AN INTERNAL COMPANY POLICY
A very effective tool for ensuring that company policy with regard to personal data is known and observed by all employees is to include several clauses in the policy to prevent possible data leakage, just to mention an example.
Company policy is an internal document that sets out codes of conduct and aims to prevent conduct that could lead to the dismissal of employees.
It is a very effective tool for the Human Resources Department when it comes to defining possible offences. For the IT Department, it is a tool that prevents misuse of internal and external communication systems. For the Legal Department, internal company policy is useful for the prevention of intellectual property offences.
When defining company policy, it is important to enlist the cooperation of the company's senior management and, when applicable, company associates.
9. 6. IDENTIFICATION OF THE PROCESSING OF DATA BY THIRD PARTIES
It is necessary to draw a distinction between the communication and disclosure of data.
The communication of data does not entail the processing of personal data by third parties, but it does involve the use of the data to perform specific functions (the development of a Web project, etc.).
The disclosure of data, however, involves the processing of personal data for the development of services (the carrying out of promotional campaigns by third parties, the payment of wages by third parties, etc.).
When services that are outsourced to third parties require the communication of data, when the project has been completed, the data should be returned or destroyed, and this obligation should be set out in writing.
When services that are outsourced require the processing of data, the security manager should take account of a number of instructions that ensure the security of the data, and which should be conveyed to the persons concerned.
It is important to sign the appropriate documents for each situation.
10. 7. IDENTIFICATION OF THE NEED TO TRANSFER DATA BETWEEN COMPANIES
There are two different situations, but with the same objective:
A. There is a group of companies that will probably share data.
B. There is a transfer of data to another company with which the company has a business collaboration relationship.
In both cases, the data is transferred, but the scope of the transfer requires that this be organised in different ways and the security manager has various alternatives available.
It is important to define the situations before signing the documents governing the transfer of data between companies.
11. 8. SECURITY DOCUMENT, NOTIFICATION, REGISTERS AND CERTIFICATION
The security document sets out the appropriate security measures and indicates the security level (basic, medium, high) of files that have already been registered in the Data Protection Agency or Competent Supervisory Authority register.
Any changes to a file registered in the Register must be communicated to the Data Protection Agency register.
It is advisable to design information systems in accordance with criteria that guarantee the nature of the personal data processed, ensuring the quality, safekeeping and availability of the data.
The information systems manager or information services manager should make every effort to ensure implementation of the proposed security measures and inform the security manager accordingly.
Nevertheless, it is vital to adequately segregate information systems on the basis of the nature of the personal data to be processed.
It is important to certify information systems if substantial changes are made that affect the security thereof. In this way, we can be sure that information systems are properly supervised and that the security document is current and up-to-date.
12. DOCUMENTS FOR THE MANAGEMENT OF PERSONAL DATA
Payment required
16. Thank you for your interest
For personal queries, please contact: www.yourlegalconsultants.com [email_address]