Every year, January 28 is dedicated, within the huge and diverse calendar of “Days of…”, to Data Protection. It is a small excuse that we have to give a little more visibility to the issue that concerns us. However, as is usually said in these cases, European Data Protection Day is every day. Surely if we consider, as citizens, to find in our daily activity a moment of relationship between what we have in front of us and the scope of the protection of people's rights to the care of their data, we will quickly identify more than one. Even if it is starting with that video surveillance camera that has the bakery where we buy breakfast or make our first coffee in the morning.
On the occasion of this anniversary, the Catalan Data Protection Authority published a decalogue that deals with the most relevant issues of privacy and data protection in the current context, such as data protection and minors, the use of social networks and mobile devices, artificial intelligence, teleworking, the Internet of Things, consent and data protection rights, video surveillance and the role of data protection delegates. It is a good effort to disseminate these issues and is appreciated. At the same time, being aware of the dimension of everything that safeguarding people's privacy implies is overwhelming. Each concept that the APDCAT instructs us on is in itself of a depth and a measure that can overwhelm the layman. Professionals are assumed to be responsible for understanding it, calibrating it and being able to transmit it in the best way. Providing value in pedagogy and facilitating regulatory compliance.
The road ahead is long. Very long. Despite the awareness-raising efforts, in the field of the GDPR, the control authority that has processed the most sanctions in all of Europe is that of Spain. The Spanish Data Protection Agency (AEPD) is not the one that sanctions the most harshly, but it is the leader in sanctioning cases for violations of the European data protection regulation. In any case, pay attention to the fines, because between December and January, the AEPD has imposed sanctions amounting to 11 million euros on two banking entities: BBVA and CaixaBank.
In both cases, the origin is related to issues that affect anyone who processes personal data: the collection of data, the information provided and the consent of the interested party. It seems basic at this stage of the game, but even at these levels of the company there may be deficits in the information that must be provided when personal data is obtained from the interested party. And on the other hand, also, in the requirements established for the provision of valid consent, that is to say as a specific, unambiguous and informed manifestation of will.
