
International data transfer request procedure

The most commonly used way to bring an international data transfer into legal compliance is to obtain prior and specific authorization for one transfer, or a set of transfers, from the Director of the AEPD. In every case, this must be preceded by rigorous compliance with all the requirements governing the transfer (signing of contracts, verification of the transferee's compliance, etc.).

For these purposes, and in accordance with article 5.1.j), the data exporter is the natural or legal person, public or private, or administrative body located in Spanish territory that carries out a transfer of personal data to a third country.

In the same way, and in accordance with article 5.1.ñ), the data importer is the natural or legal person, public or private, or administrative body that receives the data in an international transfer to a third country, whether it acts as data controller, data processor or third party.

To obtain the AEPD's authorization for an international data transfer, it is necessary to provide adequate guarantees of respect for the private life of the data subjects, their fundamental rights and freedoms, and the exercise of their corresponding rights.

Thus, it is considered that the appropriate guarantees are provided:

1. When a written contract is concluded between the data exporter and importer using the standard contractual clauses approved by the European Commission.

2. Within a multinational group of companies, when binding corporate rules, also known as Binding Corporate Rules (BCR), are used.

To request authorization based on any of the standard contractual clauses mentioned above, certain documents must be provided, depending on the type of transfer to be made.

These documents are:

1. When the exporter is the data controller of the file:

   1. Request letter identifying the files that are the object of the transfer, indicating the code under which each file is registered in the General Data Protection Registry.

   2. Contract based on the standard contractual clauses, signed by the parties (original or certified photocopy) and, where appropriate, a sworn translation into Spanish.

   3. Sufficient powers of attorney of the signatories and, where appropriate, a sworn translation into Spanish.

   4. The registration of the files must be completely up to date (sections relating to "Collectives" and "Security Measures").

2. When the data exporter is the data processor:

   1. Request letter identifying the exporter (processor) and the importer (sub-processor).

   2. Contract based on the standard contractual clauses, signed by the parties (original or certified photocopy) and, where appropriate, a sworn translation into Spanish.

   3. Framework contract between the data controller and the data processor/exporter in which the latter is authorized to subcontract and to make international transfers of data and, where appropriate, a sworn translation into Spanish.

   4. Sufficient powers of attorney of the signatories and, where appropriate, a sworn translation into Spanish.

To request authorization based on binding corporate rules, you must:

1. Prepare and submit a request letter identifying the exporting companies, the importing companies and the files that are the object of the transfer, indicating the code under which each file is registered in the General Data Protection Registry.

2. Provide a copy of the binding corporate rules (BCR).

3. Provide a copy of the formal authorization granted by the lead authority.

4. Ensure that the applicant has sufficient powers.

5. Complete the registration of the files, which must be completely up to date (sections relating to "Collectives" and "Security Measures").

6. Provide all documents that are in a language other than Spanish together with a proper sworn translation into Spanish.

Finally, it should be taken into account that the authorization of international data transfers must be processed in the General Data Protection Registry in accordance with the procedure established in the first section of Chapter V of Title IX of the RLOPD:

1. The procedure always begins at the request of the exporter who intends to carry out the transfer.

2. Where appropriate, the applicant may be required to complete or correct the documentation submitted within a period of 10 days, as established in article 71.1 of Law 30/1992 on the Legal Regime of Public Administrations and Common Administrative Procedure. If no response is received within that period, the applicant will be deemed to have withdrawn the request, which will then be filed.

3. Optional public information period (10 days).

4. Once the legally required requirements have been fulfilled, the Director of the Agency will decide whether to authorize the international transfer of data, and the authorization resolution will be forwarded to the General Data Protection Registry for registration.

5. The General Data Protection Registry will register the international transfer authorization ex officio.

6. The maximum period for issuing and notifying the resolution is three months from the date on which the request enters the Spanish Data Protection Agency.

7. If no express resolution has been issued and notified within that period, the international transfer of data will be deemed authorized.

The authorization request must contain, at least:

1. The identification of the file affected by the transfer, indicating its name and its registration code in the General Data Protection Registry.

2. The transfer for which authorization is requested and the purpose that justifies it.

3. The documentation that incorporates the guarantees necessary to obtain the authorization, that is:

   1. The BCR, together with the documentation that proves their binding nature and their effectiveness within the business group, as well as all the documentation that proves that the data subject or the AEPD can hold any importing company liable in case of damage to the data subject or violation of data protection regulations.

   2. The contract for the international transfer of personal data, which includes the corresponding standard contractual clauses, also proving that its signatories hold sufficient powers.

During the processing of the request for authorization for the international transfer of personal data, the AEPD may open a public information period, which must be announced in the BOE, so that any natural or legal person can examine the procedure, and where appropriate, present the corresponding allegations.

The period for submitting allegations in this case is ten days from publication in the BOE. After this period, if allegations have been received, the AEPD must forward them to the applicant, who, within the same period (10 days), may submit whatever response it deems appropriate.
