The AEPD collects more than 23 million euros in penalties in the first seven months of the year

The Spanish Data Protection Agency (AEPD) closed the first seven months of the year with a collection in penalties of 23.46 million euros. This is what emerges from the Privacy Insights 2021 report, prepared by BDO.

The report reviews the recent advances and regulatory changes in privacy law across countries and regions around the world, as well as their impact on everything related to the transfer and protection of data and to information exchange.

Among the most notable developments are the increased legal complexity of the flow of personal data of citizens of European Economic Area countries to the rest of the world (technically, international data transfers), the debate over regulations only partially inspired by European legislation, and the increase in sanctions in Europe, particularly in Spain.

Specifically, in Spain, since 2018 the AEPD has published approximately 295 sanctioning resolutions, making it one of the most active data protection authorities in Europe in issuing sanctions and in responding to complaints and requests from data subjects. These sanctions have affected companies of all sizes for very different infractions: unreported security breaches, emails sent without blind copy (BCC), insufficient security measures or insufficient data protection information, lack of guarantees on processing by providers, or the transfer of data between companies, as explained in the BDO report.

David Molina, expert from the Digital + IP law department, has stated that “So many sanctioning resolutions are a double-edged sword: there is more risk that companies are exposed to a procedure here, but there is also the opportunity to see what bad practices have been sanctioned in other entities, to learn from it and reduce our own legal risks”.

Models adapted to the new reality

Regarding international transfers of personal data, David Molina is optimistic and acknowledges: “It is true, they are more difficult to manage than before, but recommendations, new standard contractual clauses and methodologies have also been published”. And he adds: “Before the Schrems II ruling, we knew that the legal approach was to some extent ‘false’, and now the existing mechanisms are more reliable in the long term”.

In recent months, in the context of teleworking, companies have been forced to adapt their operating models to this new reality. Although international organizations recognize the importance of privacy compliance and companies are striving to comply with legislation, they have limited staff and insufficient global coverage and, in many cases, have failed to update policies and procedures. This situation has caused an increase in inquiries and investigations by the Data Protection Authority, misuse of data and, in the worst case, data leakage, as can be seen from the report prepared by BDO.

In this sense, Albert Flores, specialist in the Risk Advisory Services area of BDO, recalls that “The definition, application and review of the different security measures and controls must be approached from the point of view of continuous risk management, and according to the cybersecurity risk situation existing today, which fully impacts the privacy of entities and their providers”.
