Interview with CP Legal about the scope of data protection for companies

Cristina Prados, CEO of the company CP Compliance i Privacitat Legal, has been dedicated for years to an essential subject in the information society in which we live, data protection. It offers companies adaptation services in the matter, training for companies in this area, the data protection officer service, among others. Today, it brings us closer to this world, which we have all heard about, but about which there are also many doubts.

Hello Cristina, first of all, and to situate ourselves, what is data protection?

Data protection is framed in article 14 of the Constitution of the Principality of Andorra, which guarantees the right to privacy, honor and one's own image. It is the result of technological evolution and the need to adapt to possible contexts and attacks against these fundamental rights. The regulations aim to protect the personal data of all natural persons, regardless of their nationality and wherever they reside, thus preserving their private life.

But what exactly is personal data?

Personal data is any information that identifies or makes a natural person identifiable. This data can range from telephone numbers, addresses, emails, to vehicle license plates, images from a video surveillance camera, resumes, biometric data such as facial recognition or fingerprint, religious or political affiliations...

What are the main risks associated with data protection in companies today?

Companies have a lot of information about clients, potential clients, their own workers, potential candidates and suppliers, among others. Not having good procedures for collection, treatment, storage, transfer, deletion can lead to sanctions, but at the same time the loss of customer confidence and irreparable damage to the company's reputation. Guaranteeing these procedures means reducing the risks of security violations, data leaks, possible complaints to the authority in the matter by interested parties...

Where are the regulations in Andorra?

On October 28, 2021, Andorra approved Qualified Law 29/2021 on Data Protection. Although we already had a regulation from 2003, in 2019 the Principality of Andorra signed Convention 108 of the Council of Europe with which it committed to complying with and adapting national laws to the principles and standards established by this convention and European regulation. . In this way, the national regulations were updated to comply with the obligations arising from this Convention and Regulation (EU) 2016/679 of the European Parliament, of April 27, 2016.

Do all companies have to adapt to the regulations or is it exclusive in some fields?

The law applies to all those responsible and/or in charge, both public and private, who are either domiciled or incorporated in the country, or use processing means located in the country.

By responsible we understand that natural, legal person or authority that determines the purposes and means of processing personal data and that ensures its correct compliance, such as, for example, my company when it collects data from my clients, and as for those in charge of the processing, are those that process personal data on behalf of the data controller, such as, for example, an accounting agency that processes my clients' data to provide me with accounting services and issue receipts to them.

It must be pointed out that there are exceptions, and it will not be considered necessary to apply the regulations in those cases in which personal or domestic treatments are carried out, for which there is no professional connection, or in cases of data of deceased persons or by competent authorities that carry out functions of prevention, investigation, prosecution of criminal infractions...

How do you work from your company in the face of a company that wants to adapt its procedures to Regulatory Compliance?

Adaptation to regulations is one of the services we offer to CP Compliance and Legal Privacy, in which we analyze all types of data processing carried out by the companies that come to us. We carry out an analysis of the risks associated with that data, we prepare the necessary records to monitor the personal data cycle, we carry out, if necessary, the Impact Assessment, and we prepare what we call the procedures phase, because in the development of the company's own functions, some documents and steps to follow are incorporated to ensure correct processing of the data both in the collection, conservation, exercise of the rights of the interested parties, possible security leaks... We also offer the Data Protection service, and training of workers.

You mentioned the Data Protection Officer service. What is this figure? Is it mandatory?

The Data Protection Officer is a figure that in some cases is mandatory and in others recommended. The data protection officer is a professional with specialized knowledge in law and data protection matters. It can be part of the staff or, as would be our case, provided as a service externally. The function would be to advise and inform the person responsible and in charge of the obligations, supervise the established policies, train and raise awareness among the staff, manage the exercises of the rights of the interested parties, cooperate with the control authority, acting as a point of contact...

You have mentioned that you train your staff. What role does staff training in this matter play within an organization?

Staff training is essential, because in reality they are the ones who collect, process, access the data and those who directly contact the interested parties, whether they are clients, candidates, suppliers, users of the website... That they understand the The importance of data protection is crucial so that they protect the information available to them, take appropriate security measures, comply with established protocols, respond to possible incidents... For example, there is no point in preparing information clauses for clients, if when the client comes to sign a contract for the provision of services, the person who drafts and makes him sign the contract is not aware that he has to also add and have this information clause signed. Another example would be, if there is a security violation, and we do not have trained personnel, it can be ignored and not take the necessary measures to amend it or the relevant communication.

If a company does not comply with the regulations, can there be sanctions? Who manages these sanctions?

Yes, sanctions can be imposed by the control authority, which in Andorra is the Data Protection Agency. An investigative phase would be opened in which the Agency's inspectors would proceed to analyze the case, and finally, the Agency's management would issue the corresponding sanction. Among the corrective powers of the Agency we find warnings, reprimands, temporary or definitive limitations or prohibition of data processing, administrative fines, among others. Financial sanctions can be between 500 and 100,000 euros depending on their severity.

Is the Agency currently operational?

Yes, the Agency was created in 2005 and is an independent body with full capacity to act. The latest data we have is from 2022, where a total of 3,864 queries were made and 18 administrative files were processed.

Is there anything new to highlight from the Agency?

Currently, the most notable thing in recent days is the opening of a public participatory process with which a guide for data protection in the real estate sector will be created. A sector that is raising some doubts in reference to the limitation of personal data they request.

Do you want to be up to date with corporate news?
Join our monthly newsletter and find out all the news about the firm
Continue reading...