L.O.P.D. [Spanish Law 15/99, Organic Law on Data Protection]
Adaptation of your company to the L.O.P.D. (15/99) [Spanish Law 15/99, Organic Law on Data Protection]
The rules that every company in Spain handling personal data must comply with are contained essentially in two legal texts: the “Ley Orgánica de Protección de Datos de Carácter Personal (LOPD)” [Organic Law on the Protection of Personal Data (LOPD)] and the “Reglamento de Medidas de Seguridad de los ficheros automatizados con datos personales” [Regulation on Security Measures for Automated Files containing Personal Data].
Anyone can look up their main suppliers and competitors on the AEPD website [Spanish Data Protection Agency] to consult the registered files and check whether the Organic Law on Data Protection is being complied with.
The risk of non-compliance with the LOPD must not be underestimated. If a dissatisfied client, user or employee files a complaint against you, the AEPD can open an investigation that may result in a fine. A prospective client may even require you, before entering into a collaboration agreement with your company and handing over his or her data, to confirm that you comply with the rules contained in the LOPD.
The services that VERITAS CONSULTING can provide for you include all the following:
- Analysis of the data processed by the company
The first step in adapting your company to the requirements of the “Ley Orgánica de Protección de Datos de Carácter Personal (LOPD)” [Organic Law on the Protection of Personal Data (LOPD)] is to identify the personal data files used by your company. A study of the files kept by your company must then be made, examining their use, the security measures in place, which persons have access to the data, and the security gaps in the computerised system.
- Determining the Applicable Security Level
The applicable security level can be one of the following: High, Medium or Basic. The level that applies to the company is determined once the files containing personal data are known: depending on the nature of the data they contain, the personal data files are categorised and brought into line with the Law and the principles deriving from it.
- Registration of the Personal Data Files
Each personal data file must be registered with the Data Protection Agency, filling in the pertinent official forms.
- Drawing up the Security Manual
Depending on the applicable security level, a security manual adapted to the needs and requirements of the company must be drawn up.
This manual is the guide to be followed in implementing the measures necessary and essential to guarantee the security of the company.
Detailed in content, it is the core on which the Spanish L.O.P.D. is based.
The Security Manual must contain at least the following sections:
- Scope of application of the document, with specific details of the protected resources.
- Measures, rules, procedures and standards aimed at guaranteeing the level of security required by the Regulations.
- Functions and obligations of the staff.
- Structure of the personal data files and description of the information systems which are used to process them.
- Procedures for notifying, managing and responding to incidents.
- Procedures for making backup copies and recovering data.
- Identification of the person or persons responsible for the security of the automated files.
- Planning of the periodic controls to be carried out to verify compliance with the contents of the document itself.
- Definition of the measures required when a storage medium is to be reused or discarded.
- Definition of the functions and obligations of each person with access to the personal data and information systems.
- Adaptation of the Documents of the Company
Full adaptation to the L.O.P.D. requires modifying every document that contains or requests personal data. Such documents must inform the data owner of the purpose for which the data are collected, as well as of the existence of a data file in which the data can be consulted, modified or cancelled.
The existing documents should be analysed, and the company informed of which documents should be modified and what changes should be made to meet the requirements of the Law.
Also, access to and transfer of files on behalf of third parties should be set out in a document, depending on the existing legal relationship, through confidentiality agreements or commitments.
The company's staff should be informed of these rules so that they are aware, from the outset, of the responsibilities and obligations deriving from the disciplinary regime contained in the L.O.P.D., which covers the misuse or unlawful transfer of personal data.