Intellectual Property

Data Protection Agency issues Audit regulation

The Data Protection Agency (DPA) issued Disposition 5/2008 establishing the procedure to perform audits in data controller premises. The aim of Disposition 5/2008  is to regulate how audits are going to take place and to describe its stages. Under this new regulation the data protection agency will send a note with a questionnaire to the company several days before the inspection. In a later stage, the DPA could visit the premises and request access to the databases and verify compliance with security regulations, registrations and other requirements of the law.


Through Disposition 7/2008 the “Guidelines for good data protection practices in personal databases of the public sector” have been approved. The Guidelines explain the application of data protection rules in public sector databases. The Guidelines also include a sample confidentiality agreement for the public sector. In these Guidelines, the DPA also explains the relationship between data protection law and the freedom of information regulations.

By means of Disposition 9/2008, the Data Protection Agency has postponed for one year the deadline to implement medium and critical security measures under the Data Protection Law and its regulations (Disposition 11/2006). Basic security measures were not postponed. In addition the DPA has issued a document that can be used as a template to implement the Security and Privacy Policy that each data controller must have already in place.


For further information on this topic please contact Pablo A. Palazzi