All posts by Marcos García-Gasco

The Spanish data protection watchdog (AEPD) has launched a first call for companies to start adapting to the new General Data Protection Regulation (GDPR), which will take effect from 25 May 2018. GDPR represents a major change in the management and culture of personal data protection. The AEPD outlines the following key areas to prepare for implementation: 1. Consent. The GDPR sets out that consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data. This excludes the so-called tacit consent, permitted by current Spanish data protection regulations.In the AEPD's view, consent obtained prior to the GDPR's entry into force will be only lawful provided that informed consent complies with the new GDPR rules when these take effect in 2018. Thus, the AEPD recommends that entities that until now have used … Continue Reading ››
Datonomy's correspondents in Spain report on an important decision in the continuing saga of RTBF actions against Google. What's new? On 14 March 2016, the Spanish Supreme Court (Tribunal Supremo) issued an important ruling in favor of Google Spain on the right to be forgotten. The judgment held that claims concerning the right to be forgotten should be submitted directly to Google Inc in the United States. The Spanish Supreme Court's decision The Supreme Court considered that only Google Inc (headquartered in US) should be considered as a data controller, determining the purposes and means of the processing of personal data for Google Search. The Court considers that Google Spain is not involved in the processing of personal data necessary for the operation of the search engine (for instance, indexing or storing data from third-party websites), and therefore, it should not take over the claims brought by users seeking to exercise the right to … Continue Reading ››
Retailers are increasingly using facial recognition technologies to track customers in-store.  This technical innovation has positive connotations for both, retailers and customers, by targeting loyal clients and higher spenders, and improving users’ store-buying experience. However, a special emphasis should be placed on privacy issues, so as not to compromise data subjects’ fundamental right to data protection.  The Spanish Data Protection Agency (AEPD) issued some guidance on this hot topic (0328/2012 and 0392/2011).  In this post, we look at the issues retailers need to factor in order to stay on the right side of data protection law. Facial recognition systems may be considered highly invasive, since images can be captured and processed from a range of viewpoints without the knowledge of the data subject. As pointed out by the Article 29 Working Party, even when a data subject is aware that a camera is operating, there may be no … Continue Reading ››
The Court of Justice of the European Union (“CJEU”) made a historic ruling  in the case of Google v Spain [Case C‑131/12]. The CJEU ruled that Googleis responsible for the processing that it carries out of personal data which appear on web pages published by third parties. The decision is something of a surprise given that it goes against the Advocate General’s Opinion delivered last year, and indeed is quite a bold statement by the CJEU on what it sees as the future of data protection in the internet age and the legal responsibilities of search engines. Background The case arose after a complaint that was brought against Google by a Spanish individual, Mario Costeja González, to the Spanish Data Protection Authority (AEPD). Mr González had been the subject of an auction notice for unpaid debts that was published in a widely-read newspaper in Spain around a decade ago.  Despite the time … Continue Reading ››