
Using Candidate CVs from LinkedIn: GDPR Limits in Recruitment
Of interest to youWhen companies may use LinkedIn profiles or CVs in recruitment and what GDPR limits apply.

Cookie Dark Patterns: When Consent Is Not Valid
Of interest to youWhat cookie dark patterns are, why they may invalidate consent and a practical checklist for cookie banners.

Consent or Pay: Privacy, Personalised Advertising and the GDPR
Of interest to youWhat consent or pay means, what the EDPB requires and when consent may not be freely given under the GDPR.

Publishing Images Found on Social Media: GDPR Risks
Of interest to youWhen reusing images found on social media may breach the GDPR and what companies, media and creators should check.

EU-US Data Privacy Framework: What Companies Should Check
Of interest to youWhat the EU-US Data Privacy Framework is, when it helps international transfers and what companies should verify.

Rejecting Non-Essential Cookies: What the AEPD Requires
Of interest to youWhat the Spanish Data Protection Authority requires for rejecting non-essential cookies and how companies should configure banners.

Amendment to Spain’s Data Protection Act: Key Points for Companies
Of interest to youKey points of the amendment to Spain’s Data Protection Act and what companies should review for GDPR compliance.

Loss of an Employee Document and GDPR Breach Notification
Of interest to youWhy losing an employee document may be a personal data breach and when employers must assess GDPR notification duties.

Real Estate Agencies and the GDPR Duty to Inform Data Subjects
Of interest to youWhy real estate agencies must inform clients about personal data processing and how to comply with GDPR transparency duties.

Fitness Apps and Location Privacy: When Exercise Data Reveals Too Much
Of interest to youHow fitness apps and activity maps can reveal sensitive locations, and what users and organisations should do to reduce privacy risks.

Data Is a Fingerprint: Reidentification and Anonymity Risks
Of interest to youWhy supposedly anonymous data may still identify people and what organisations should review before sharing or analysing datasets.

LinkedIn Contacts: Privacy, Fake Profiles and Business Risks
Of interest to youRisks of accepting LinkedIn contacts without checking them: fake profiles, phishing, social engineering and professional exposure.

Political Opinions and Data Protection: Key Lessons from Spain’s Constitutional Court
Of interest to youKey lessons from the Spanish Constitutional Court ruling on political parties, political opinions and personal data processing.

How to Choose a Good Data Protection Service for Your Company
Of interest to youKey points for choosing a reliable data protection service: GDPR knowledge, processor agreements, clear deliverables and ongoing support.

Cybersecurity Challenges for Businesses: Practical Checklist
Of interest to youFour cybersecurity challenges for businesses and a basic checklist to reduce risks, protect data and respond to incidents.

Subsidised Training Fraud in Spain: How to Detect It
Of interest to youHow to detect fraud in subsidised training courses in Spain, what evidence to keep and what to review before applying rebates.

How to Protect Against a Trojan: Measures for Businesses and Users
Of interest to youWhat a trojan is, how it infects devices and how to reduce the risk of data theft, fraud and personal data breaches.

Unauthorised Access to Medical Records: GDPR Risks
Of interest to youLegal risks of unauthorised access to medical records and key GDPR controls for clinics and healthcare providers.

Images of Minors in Schools: Consent, Websites and Social Media
Of interest to youWhen a school may publish photos or videos of students, how to manage consent, social media, families and image removal.

Employee Health Data: How to Process It Under the GDPR
Of interest to youHow to process employee health data: what the company may know, common mistakes, confidentiality, minimisation and AEPD guidance.

Unsolicited Commercial Calls in Spain: AEPD Rules and Risks
Of interest to youWhen unsolicited commercial calls are lawful in Spain, AEPD requirements, Robinson List impact and risks for companies.

Data Protection Officer: When Appointing a DPO Is Mandatory
Of interest to youWhen appointing a Data Protection Officer is mandatory, DPO functions, common mistakes and official AEPD, EDPB and LOPDGDD sources.

Equality Plan in Spanish Companies: Obligation, Register and LGTBI Measures
Of interest to youWhich companies need an equality plan in Spain, what it includes, pay register, salary audit and mandatory LGTBI measures for companies.

Mandatory Whistleblowing Channel in Spain: Guide for Companies
Of interest to youGuide to mandatory whistleblowing channels in Spain: affected companies, Law 2/2023 requirements, whistleblower protection and data protection.

Public Wi-Fi Networks: Risks and Tips to Protect Your Data
Of interest to youRisks of using public Wi-Fi networks and tips to protect your data: HTTPS, VPN, fake networks, devices, online banking and remote work.

Cybersecurity for Small Businesses: Common Mistakes and Checklist
Of interest to youCommon cybersecurity mistakes in small businesses and a basic checklist: passwords, MFA, backups, updates, permissions and breaches.

Data Protection for Websites and Blogs: Legal Checklist
Of interest to youData protection checklist for websites and blogs: privacy policy, legal notice, cookies, forms, email marketing and providers.

GDPR for Self-Employed Professionals: Obligations and Checklist
Of interest to youGDPR guide for self-employed professionals: obligations, basic checklist, provider contracts, security measures and AEPD tools.

Employee Data Protection Training: Benefits and Key Content
Of interest to youWhy employee data protection training reduces errors, breaches and GDPR risks. Benefits, minimum content and how to document it.

Data Breach: When to Notify the AEPD and What to Do in 72 Hours
Of interest to youWhat to do after a personal data breach: when to notify the AEPD, when to inform affected individuals and how to act within 72 hours.

Working Time Records and Data Protection in Spain
Of interest to youHow to implement working time records in Spain while complying with the GDPR: legal basis, employee information, geolocation, biometrics and minimisation.

Online Fraud and Scams: How to Identify and Avoid Them
Of interest to youGuide to identifying online fraud and scams: phishing, smishing, vishing, fake stores, warning signs and what to do if you fall for one.

How to Identify a Website You Should Not Buy From
Of interest to youChecklist to detect fraudulent online stores: warning signs, unsafe payments, HTTPS, legal details and what to do if you already paid.

Secure Passwords: Basic Tips to Protect Your Accounts
Of interest to youTips to create secure passwords, avoid password reuse, use password managers and enable multifactor authentication.

Cloud Backup: Advantages and Good Practices for Companies
Of interest to youAdvantages of cloud backup and good practices to protect data, prevent ransomware, comply with the GDPR and restore information on time.

How to Detect Phishing: Warning Signs and What to Do
Of interest to youGuide to detecting phishing: warning signs, checklist before clicking, what to do if you fall for it and prevention measures for companies.

Secure Corporate Email: 12 Key Measures to Protect Business Data
Of interest to youCorporate email security guide: passwords, MFA, phishing, BCC, encryption, internal policies and breach response.

Equality Plan in Spain: Obligations, Salary Record and Fines
Of interest to youGuide to equality plans in Spain: who must have one, diagnosis, salary record, pay audit, negotiation, registration and fines.

Updating Data Processing Agreements under the GDPR
Of interest to youGuide to reviewing and updating data processing agreements under GDPR: Article 28, providers, subprocessors, security and audits.

Images of Children at School: GDPR Fine for Publishing Photos
Of interest to youGuide to publishing images of children at school, consent, photo removal requests, social media, YouTube and GDPR fines in Spain.

Employee Health Data: Fine for Sharing Medical Information
Of interest to youGuide to employee health data, GDPR, confidentiality, minimisation and the risks of sharing medical information at work.

Workplace Monitoring Technologies and Employee Privacy Rights in Spain
Of interest to youGuide to workplace monitoring technologies in Spain: CCTV, geolocation, corporate email, AI, employee privacy and data protection compliance.

Fine for Failing to Appoint a Data Protection Officer in Spain
Of interest to youGuide to when appointing a Data Protection Officer is mandatory in Spain, what the GDPR and Spanish law require, and what fines may apply.

Unsolicited Commercial Calls in Spain: AEPD, Robinson List and Fines
Of interest to youUpdated guide to unsolicited commercial calls in Spain, the Robinson List, AEPD Circular 1/2023, consent, legitimate interest and fines.

Fine for adding someone to a WhatsApp group without consent
Of interest to youThe AEPD fined a sports club 4,000 euros for adding a former user to WhatsApp groups without consent. GDPR lessons for companies.

Lawyer fined for sending personal data by WhatsApp
Of interest to youA Spanish lawyer was fined for sending a court judgment with personal data by WhatsApp. Key GDPR lessons on legal basis and confidentiality.

Right to be forgotten for cancer survivors in Spain
Of interest to youSpain recognises the right to be forgotten for cancer survivors after five years without relapse, limiting discrimination in insurance and mortgages.

Identifying people through anonymous web browsing patterns
Of interest to youAnonymous web browsing data can identify people when URLs, habits and clickstream patterns are combined. GDPR lessons for data brokers and analytics.

Twitter metadata is a privacy nightmare
Of interest to youTwitter/X metadata can reveal behavioural patterns and identify users even when the content of a post appears anonymous.

Can Bitcoin Be Acquired by Adverse Possession? Blockchain, Digital Ownership and the Risk of Confusing Control with Legal Title
Of interest to youCan Bitcoin adverse possession apply in Spain? We explain why blockchain control is not always legal title and what companies with crypto-assets should document.

Data Processing Agreement under GDPR: when it is required and what it must include
Of interest to youLearn when a Data Processing Agreement is required under GDPR, what clauses it must include, and how to review processors, subprocessors, security, AI and international transfers.

Personal tools used for work: what companies should know after the Vivendi/Lagardère ruling
Of interest to youA recent EU General Court ruling confirms that professional communications kept in personal tools may be requested under strict conditions. Here is what companies should review now.

School Cyberbullying Lawyers: The Deepfake Mistake
Of interest to you
School Cyberbullying Lawyers: The Deepfake Mistake That Condemns the Principal
As school cyberbullying lawyers, we have seen this scene too many times. It is Tuesday morning and a group of families enters your office, visibly upset. They…

Can hotels request a copy of your ID or passport?
Of interest to youThe Spanish Data Protection Agency says hotels and lodgings should not request or keep copies of guests ID or passports. Practical GDPR guidance for accommodation businesses.
Dall-eData Protection Authorities: Official Links Directory
Of interest to youWorldwide directory of data protection authorities with official links to AEPD, EDPB, European supervisory authorities and international privacy regulators.

Real cases of fines for cookies
Of interest to youReal cookie fine cases show common compliance failures: banners, consent, cookie policies and dark patterns. Practical lessons to reduce GDPR risk.

The Equality Officer: Roles, Training and Requirements
Of interest to youIn a context where gender equity emerges as a fundamental pillar, the figure of the equality officer positions itself as an indispensable piece within the business ecosystem. Their role extends beyond public bodies or specific projects, integrating…

Biometric Data Processing in the Workplace: the AEPD Guide
Of interest to youThe AEPD treats workplace biometric processing as sensitive. We explain when it may be used, the legal risks and what companies should review.

Special Categories of Data Under the GDPR: Practical Guide
Of interest to youPractical guide to special categories of data under the GDPR: health, biometric, political, religious and sexual orientation data, Article 9 exceptions and safeguards.

Cookie Banner Sanction: Consent, Rejection and AEPD Criteria
Of interest to youCookie banner sanction: consent, rejection, cookie policy and AEPD criteria to avoid fines for non-compliant cookie banners.

The new US-EU Privacy Framework
Of interest to youThe new US-EU privacy framework has arrived. On 10 July, the European Commission adopted the adequacy decision on the US-EU privacy framework.
Does the new US-EU Privacy Framework comply with the adequate level of protection?
The European…

AEPD Cookie Guide: Key Changes for Websites
Of interest to youAEPD Cookie Guide: accept, reject, configure, non-essential cookies, misleading patterns and adaptation deadline for websites.

Is the end of spam calls?
Of interest to youWhat does the General Telecommunications Law ("LGT") say about "spam" calls?
Is the end of spam calls? The General Communications Law ("LGT") was published on 28 June 2022.
In its article 66.1.b) it mentions that end users of interpersonal…

Property agency fined for exposing images of minors
Of interest to youThe fine imposed on a property agency for exposing images of minors has highlighted the importance of protecting the rights of minors.
An individual filed a complaint with the Spanish Data Protection Agency, with the aim of highlighting the…

How can I record my employees?
Of interest to youAbsence of the duty to inform when installing security cameras at work.
How can I record my employees?
On 18 May 2022, an individual filed a complaint with the Spanish Data Protection Agency against his employer. He installed video surveillance…

Face recognition in exams: Is it proportionate?
Of interest to youThe Catalan Data Protection Authority (Autoritat Catalana de Protecció de Dades) has sanctioned the Universitat Oberta de Catalunya for collecting biometric data from its students through face recognition, in order to verify that they were…

Photographing Customer ID Documents: GDPR Risks and Data Minimisation
Of interest to youWhy photographing or copying customer ID documents may breach the GDPR and what less intrusive alternatives companies should assess.

ChatGPT in Business: Ally, Risk and Data Protection
Of interest to youHow to use ChatGPT in business with data protection criteria: risks, internal policy, personal data and human review.

The advent of Data Clean Room
Of interest to youThe purpose of finding a balance between Data Protection and the need to share it is an issue that is constantly in the spotlight.
Digital platforms, brands... must have access to user data in order to achieve better performance as closely…

Two Valencian companies fined almost half a million euros for using pirated software
Of interest to youSeveral companies face fine for illegal software
The use of unlicensed software is one of the main threats to digital security in companies. It involves security vulnerabilities for users and companies, giving rise to attempts to invade devices…

Transborder data transfers
Of interest to youThe scope of transborder data transfers
The publication of the General Data Protection Regulation (GDPR) on May 25, 2016 in the European Union, served as inspiration worldwide for the implementation of data privacy laws.
Many countries,…

Free VPNs: Privacy and Security Risks You Should Know
Of interest to youRisks of free VPNs: activity logging, advertising, fake apps, data leaks and a checklist for choosing a reliable VPN.

Sexual harassment in the company
Of interest to youSexual harassment in the company. Last October 7, Organic Law 10/2022, of September 6, on the integral guarantee of sexual freedom, came into force.
In its article 12, it contemplates the commission of crimes and other conducts against…

Sanction for recording underage soccer match
Of interest to youIn procedure PS/00313/2021, the Spanish Data Protection Agency (AEPD) has imposed a fine of €3,000 on a company specialized in recording soccer matches for capturing images of minors without prior consent from their parents.
Sanction for…

Sending an email without blind copy
Of interest to youIs it possible to send emails with addresses without blind copy?
Sending an email without blind copy can involve fines.
The AEPD states that email addresses are considered personal data. Therefore, their processing must comply with data…

Lack of information on the processing of personal data
Of interest to youThe AEPD imposes penalties to real estate companies of up to 5,000 € for not informing the interested party of the processing of their personal data.
Several affected parties have filed complaints to the AEPD, in relation to the use of their…

Video Surveillance in Public Spaces: GDPR Limits for Private Cameras
Of interest to youWhen private cameras may capture public spaces, AEPD limits and a checklist to reduce GDPR sanction risk.

How to Recover a Domain Name: Legal and Technical Steps
Of interest to youHow to recover a lost, hijacked or third-party domain: evidence, registrar, ICANN, trademarks, legal action and prevention.

Bad References About a Former Employee: Employment and GDPR Risks
Of interest to youGiving bad references about a former employee may create employment, reputational and data protection risks without a valid basis.

Black Friday and Privacy Policy
Of interest to youDoes your website comply with the Data Protection Law for Black Friday?
The importance of the Privacy Policy of websites
On August 26, 2022, an individual filed a complaint to the AEPD against a company for not providing sufficient information…

Whistleblowing Channel: From Draft Law to Law 2/2023 in Spain
Of interest to youThe draft law on whistleblowing channels led to Law 2/2023 in Spain. What changed and what companies should review.

Advertising through influencers
Of interest to you theInfluencers, the best tool to reach your target audience.
Advertising through influencers. The widespread use of the communication strategy in social networks has allowed brands to reach the public in a very simple way through the so-called…

Cyclist fined for taking pictures of car number
Of interest to youA cyclist was fined for taking pictures of car number
Cyclist fined for taking pictures of car number. The Bavarian Data Protection Authority (DPA) found the cyclist's action unlawful.
The cyclist's aim was to send the pictures to the police…

Microsoft 365 in Schools: Privacy, Cloud Services and GDPR Lessons
Of interest to youLessons from the Microsoft 365 schools debate: cloud platforms, minors, contracts, international transfers and GDPR compliance.

The DPO in the European Union
Of interest to youIn this article we will analyse the figure of the DPO in the EU (European Union).
Javier Sempere Samaniego, Data Protection Officer of the Spanish General Council of the Judicial Power, has prepared for the Spanish Professional Privacy Association…

Digital Markets Act DMA: key obligations
Of interest to youThe Digital Markets Act DMA regulates gatekeepers and core platform services. Key obligations and practical effects for digital businesses in the EU.

Company WhatsApp groups and GDPR
Of interest to youWhen companies can add employees to WhatsApp groups and what the GDPR requires: legal basis, minimisation and confidentiality.

Mandatory whistleblowing channel for companies in Spain
Of interest to youSpain Law 2/2023 requires many companies to implement an internal whistleblowing channel with confidentiality, deadlines and data protection safeguards.

Digital Services Act DSA: key obligations
Of interest to youThe Digital Services Act DSA is now applicable, setting obligations for online platforms, marketplaces, search engines and intermediary services in the EU.

The ICO condened four companies for making abusive commercial calls.
Of interest to youThe ICO condened four companies for making abusive commercial calls. These companies have paid a £370,000 fine, for making more than 800,000 abusive commercial calls to individuals.
These phone calls consisted in offering home repairs. They…

