Data Protection


The regulation on the protection of personal data has undergone significant changes following the entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation or “GDPR” ) and of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (“LOPDGDD”).

Compliance with current European and Spanish regulations has become a matter of vital importance for all types of companies, regardless of their size. These are just some of the measures that every company that processes personal data is obliged to implement:

  • Risk assessment: It is necessary to make a prior assessment of the risks inherent to each data processing, in order to adopt appropriate security measures.
  • Consent of the data subject: When the data processing is based on the consent of the data subjects, such consent must be freely given, specific, informed and unambiguous. Ir requires a clear affirmative action.
  • Information to be provided: Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: the identity and the contact details of the controller; the contact details of the data protection officer, where applicable; the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; the legitimate interests pursued by the controller or by a third party, if applicable; the recipients or categories of recipients of the personal data, if any; the period for which the personal data will be stored; the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability, etc. This information shall be provided in a clear and understandable way, and should be visible both in the Privacy Policy of the website and in each form where personal data are collected (contact forms, registration, shopping cart, etc.).
  • Records of processing activities: Each controller shall maintain a record of processing activities under its responsibility. That record shall contain all the following information: the name and contact details of the controller; the purposes of the processing; a description of the categories of data subjects and of the categories of personal data; the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations; where applicable, transfers of personal data to a third country or an international organisation; where possible, the envisaged time limits for erasure of the different categories of data; where possible, a general description of the technical and organisational security measures, etc. The obligation to maintain a record of processing activities does not apply to those companies employing fewer than 250 persons unless the processing they carry out are likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data.
  • Data Protection Officer (DPO): It is mandatory to designate a DPO where the core activities of the company consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or consist of processing on a large scale of special categories of data (ideology, religion, health …).
  • Data Processing Agreements: Where processing is to be carried out on behalf of a controller (eg. external accountants, shipping companies, marketing, computer maintenance, etc.), it is mandatory to sign a contract with the data processor, with the content indicated in the GDPR.
  • Security measures: Each company shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate: the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
  • Confidentiality agreements: They must be signed both with those third parties or data processors that provide us with some service, as with the company’s own employees who have access to the personal data.
  • Notification of a personal data breach: In the case of a personal data breach (for example through a hacker attack), the company shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. In some cases, the personal data breach must be also communicated to the data subjects without undue delay.
  • Data Protection Impact Assessment (DPIA): It must be carried out, with the requirements indicated in the GDPR, where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.
  • Rights of the data subjects: Apart from the already known rights (Access, Rectification, Erasure and Opposition), the GDPR includes some additional rights that companies must guarantee to the data subjects. These are the right to restriction of processing, the right to data portbility, and the right not to be subject to a decision based solely on automated processing, including profiling.

At Domènech Corbella – Legal Services we offer comprehensive advice on data protection and ensure that our clients are up to date in compliance with the new regulations (GDPR and LOPDGDD).


  • Implementation of data protection regulations in your company: We individually analyze the needs of each company in relation to the compliance with the GDPR and the LOPDGDD, and we offer comprehensive advice in order to avoid possible penalties derived from breach of such regulations.
  • Preparation, review and drafting of the basic legal documents on Privacy: We will draft the Privacy Policy, the Cookies Policy, the data protection clauses and the rights exercise forms for your company’s website. 
  • Drafting, review and negotiation of contracts: Confidentiality agreements and clauses, Data Processing Agreements, contracts on other matters that include clauses on privacy, confidentiality or protection of personal data, etc.