1. What is the GDPR?

The General Data Protection Regulation (GDPR) is a European regulation that regulates the protection of data of citizens living in the European Union. The Regulation entered into force on May 24, 2016 and began to be mandatory as of May 25, 2018.

2. To which companies or organizations the GDPR is applied?

The regulation will be applied as usual to data managers or responsibles established in the European Union, and extends to managers and responsibles not established in the Union provided they perform treatments derived from an offer of goods or services for citizens of the Union.

3. What is the LOPDGDD?

The Ley Orgánica de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD) is a Spanish Organic Law that adapts the Spanish legal system to the General Data Protection Regulation and completes and develops its provisions. In addition, the Law recognizes and guarantees a new set of citizens’ digital rights.

4. What is a personal data?

According to article 4 of the GDPR a personal data is all that information about an identified or identifiable natural person. Any person whose entity can be determined, directly or indirectly, in particular by means of an identifier, such as a name or an identification number, will be considered an identifiable natural person.

5. Will the GDPR and the LOPDGDD apply to my company?

According to article 2 of the LOPDGDD, the aforementioned law will be applied to any totally or partially automated treatment of personal data, as well as to the non-automated processing of personal data contained or intended to be included in a file. That is to say, they will apply to any organization, in the public, private sector and the third sector, that possesses or uses information about people (or personal data). Almost all organizations have personal information about their employees, customers and suppliers.

6. What will happen if I am not in agreement with the GDPR?

In the case of carrying out an audit and verifying that the organization is not in compliance with the GDPR, fines of up to € 20,000,000 or 4% of the annual worldwide turnover may be filed. For larger organizations, fines could be significantly greater than € 20,000,000 as set out in article 83 of the GDPR.


7. Does the entry into force of the GDPR mean that I must designate a data protection officer (DPO)?

The GDPR, in its article 37, establishes that only the following types of organization must designate a DPO:
  1. Public authorities, except for courts that act in their judicial capacity.
  2. Organizations whose central operations require regular and systematic monitoring of large-scale individuals.
  3. Organizations whose main activities consist of processing special categories of personal data (ethnic origin, political opinions,
    philosophical beliefs, union affiliation, data related to health or data related to the life or sexual orientation of an individual). Organizations that do not fit into any of the above categories are recommended to designate a DPO voluntarily.

8. Can I appoint an external company to be my Protection Data Officer?

YES. The Data Protection Officer (DPO) may be internal or external, individual or legal entity specialized in that area. The GDPR requires the person to have specialized knowledge in Law, and specifically, in data protection. The DPO must act independently and be assigned a series of functions such as informing, advising and supervising compliance with the GDPR.


9. How can I find a DPO?

In CAD we offer you the service of external Data Protection Officer, so that you can be informed, advised and guaranteed the application of the General Data protection regulation and the LOPDGDD.