the art of being legal

What is the General Data Protection Regulation (GDPR) and how does it affect me?



The General Data Protection Regulation (GDPR) is a law of the European Union which regulates the way that companies process and use the personal data that they collect from consumers. It is direct EU law, not a directive, so it didn’t need to be implemented by each of the EU states. It came into effect on the 25th of May 2018 and it is the Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales which adapts the Spanish legal system to the GDPR.


Does the GDPR apply to me?

The GDPR clearly applies to you if you are established in the European Economic Area (EEA) and process personal data. It also applies to those who are not established in the EEA but who:

  • Offer goods or services to individuals in the EEA.
  • Monitor behaviour of individuals in the EEA.
  • Are established in a place where EU law applies by virtue of public international law.


What counts as 'personal data'?

Personal data is any information related to an identified or indentifiable living person (the data subject). This includes both data that may cause someone to be identified directly (by means of that data) or indirectly (by means of that data in combination with other data).

Children are particularly protected by the GDPR, so you need to bear this in mind if you might be processing the data of children.


What are the principles of the GDPR?

There are 7 principles of the GDPR, set out in Article 5 and summarised below.

Personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject”.
    • This is where the legal bases come in (explained below). You must make sure that you choose the correct legal basis/bases before starting to process and that you treat your data subjects fairly and transparently.
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”
    • You must limit the purposes that you use the data for, so make sure you are clear with your data subjects about the possible uses of their data from the start.
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”
    • You must minimise the amount of data your process, collecting and processing only that which is necessary.
  4. accurate and, where necessary, kept up to date”
    • You must take steps to identify and correct incorrect data. This links to some of the data subjects rights (explained below).
  5. “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes”
    • You must limit the amount of time that you store personal data.
  6. “processed in a manner that ensures appropriate security of the personal data
    • You must use appropriate technical and organisational measures for security.

And finally, “the controller shall be responsible for, and be able to demonstrate compliance” with the aforementioned principles.

  • Make sure that those other 6 principles are included in policy and practice from the start and that you can demonstrate that this is the case.


Am I a controller, a processor or a data protection officer?

  • The controller is the person or body that has decided to process personal data (or caused another entity to process it) and who decides on the purpose and means of the operation. He/she exercises judgement on the processing of personal data.
  • The processor follows instructions from another party (the controller) with regard to the processing of personal data. He/She does not decide what data to process, why to process it, who to collect it from, etc.
  • The data protection officer (DPO) is a position necessary only in cases when the processing is carried out by a public authority or body or when the core activities of the controller or processor consist either of processing which requires regular and systematic monitoring of data subjects on a large scale, or of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10. The DPO informs and advises the controller or processor, monitors copliance with the GDPR, provides advice regarding impact assessments, and communicates and cooperates with the supervisory authorities.


What are my obligations as someone who processes personal data?

In short, you are obliged to follow the principles of the GDPR whenever you process personal data, but let’s look at some specific obligations in detail.


Demonstrate compliance

The first thing that needs to be borne in mind before you start processing data is that you must comply with GDPR by design (meaning that you ensure that you consider and apply data protection principles from the outset of every project) and by default (meaning that implementing those principles is your default position). The GDPR must be in the foundations of everything you do regarding processing.

However, not only will you have to comply with the GDPR, you will also have to be able to demonstrate that compliance to a regulator. This includes:

  • Keeping records of all of the processing carried out (e.g. the purpose of the processing, the categories of data subjects, who the data is shared with, security measures that are in place etc.). The requirements of these records are set out in Article 30 of the GDPR.
  • Adopting internal policies and measures which support the principle of data protection by design and by default.
  • Carrying out data protection impact assessments in cases when processing operations are likely to result in a high risk to the rights and freedoms of natural persons, and taking action to minimise those risks.
  • Appointing a data protection officer if necessary.


Establish your legal bases for processing data

There are 6 main legal bases that you can use to legitimise your collection and processing of personal data (outlined in Article 6).

However, bear in mind that if you are processing any of the special categories of data such as health or religion, you need to refer to the 10 bases in Article 9, and if you are processing data relating to criminal convictions and offences, you need to refer to Article 10.


The 6 main legal bases for processing are:

  • Consent
    • “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”
  • Necessary for contract
    • “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
  • Necessary for legal obligation
    • “processing is necessary for compliance with a legal obligation to which the controller is subject”
  • Necessary for vital interests
    • “processing is necessary in order to protect the vital interests of the data subject or of another natural person”
  • Necessary for a task in public interest or official authority
    • “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
  • Necessary for legitimate interests
    • “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”


Protect the data subjects' rights

The GDPR strengthened the rights of data subjects to view, control, correct, and erase the data that you hold on them, so you need to make sure that it is clear to them how they can exercise these rights, and support them to exercise these rights if and when they choose to do so. Some of these rights are absolute, others are not, and you can find more information about them in Chapter III of the GDPR.


Bear in mind that data subjects have the right to be informed about the details of the processing of their personal data that is being/will be carried out.  That's why it's so important to draft and make available an easily accessible and understandable privacy policy.  Check out the following article to find out about what you should include in your privacy policy:



Prepare for personal data breaches

You must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”, protecting the data you process as much as possible. This might look like encryption, prevention against loss or destruction of data, regular testing of security measures, etc.

However, breaches do happen and so you need to know exactly what you will do if it happens to you. After becoming aware of the personal data breach, the breach must be documented and the data controller must report said breach to the competent supervisory authority within 72 hours, unless the breach “is unlikely to result in a risk to the rights and freedoms of natural persons”.

If the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also communicate it to the data subject in a timely manner.


With these increased rights and protections for data subjects have come increased sanctions as well. Maximum fines for incompletion of the obligations under GDPR are €20 million or 4% of the undertaking’s annual turnover, whichever is higher, and then there is the possible cost to reputation.

It’s incredibly important to take data protection seriously and to bear it in mind even before you start processing personal data. Should you feel the need for support to create and carry out your company’s privacy framework, Conesa Legal can help you. We offer advice about how to implement it legally in Spain.

Get in touch here: 

Abigail Sked

Publication date: 17 July 2023

Last updated: 26 March 2024