Whether a Data Protection Officer (DPO) is appointed because the GDPR requires it or on a voluntary basis, the organization must publish the DPO's contact details and communicate the designation to the AEPD (Agencia Española de Protección de Datos).
Technology law (or IT law) is the set of legal rules developed and applied to regulate every aspect of information and communication technologies.
It has thus consolidated into a new branch of law, one that did not exist before the arrival of the Internet and that has gained more and more relevance with the rise of the digital ecosystem we see today.
"Privacy is not something that I'm merely entitled to, it's an absolute prerequisite." - Marlon Brando
Personal data protection is a fundamental right of all citizens that no organization of any kind may violate. The General Data Protection Regulation (GDPR) repealed Directive 95/46/EC; since it became applicable on 25 May 2018, organizations must be able to demonstrate compliance with it and must apply security measures appropriate to the risk to the people whose data they process.
Auditech helps organizations to adjust their activities to these regulations, following a structure that allows implementing actions gradually.
Our work is structured in five phases:
Phase 1: First Evaluation
We determine the initial requirements of the GDPR and of the other data protection regulations that apply. We then perform a gap analysis to establish the degree of control already in place under those regulations and what is still missing to achieve full compliance.
This analysis is the starting point and one of the key factors in determining how the implementation progresses.
Phase 2: Define the Action Plan
Our team defines and reports on the action plan used to implement the GDPR:
- Record of processing activities
- Analysis of the lawful basis for each processing operation
- Compliance with the duty to inform data subjects
- Procedures for handling data subject rights requests
- Review of the relationship with processors (data processing agreements)
- GDPR risk analysis
- Selection of control objectives and process controls
- Data Protection Officer (whether one is required, and designation)
- Legal review of the website
Phase 3: Implementation Consulting Service
This phase involves implementing and running the system with the assistance of our legal team. The steps to be taken are:
- Define and implement a risk response plan
- Establish the controls needed to meet the control objectives
- Introduce and run training and awareness programmes
- ISMS operation and resource management
- Data protection impact assessment (DPIA) and risk analysis
- Data protection by design and by default ("Privacy by Design")
Phase 4: Testing
This phase tests the controls and procedures developed:
- Regular checks of legal compliance
- Establish and monitor procedures
- ISMS review
- Review of the risk assessment and of the residual risk level
- Action and event log
Phase 5: Maintenance
During the maintenance phase our team monitors GDPR compliance in your organization and supports the legal team for the rest of the contract.
- Advice on implementing any improvement
- Certificate and Seal of Excellence in Data Protection
DPO as a Service
A DPO or Data Protection Officer is the professional responsible for monitoring the organization's compliance with privacy and data protection law.
Companies required to appoint a DPO are:
- Companies whose core activities consist of processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale
- Companies whose core activities consist of processing special categories of personal data on a large scale
(The GDPR also requires every public authority or body to appoint a DPO, and Spanish law extends the obligation to further categories of entities.)
Other companies may appoint a DPO voluntarily to improve personal data protection.
Companies that are not obliged to appoint a DPO should still have a security officer who monitors their compliance with the GDPR and data protection rules. The two roles are compatible and can be held by different people in charge of different duties, such as the technical ones.
DPO as a service offers the following benefits:
- Lower cost than hiring an in-house DPO or security officer
- GDPR compliance with better results in a shorter time
- A standard process that can be customized and scaled to any company
- No conflict of interest between the DPO's duties and the company's objectives; the service is always aligned with the company's needs
- Learning and continuous training at no cost to the company
Our DPO service covers at least the following duties:
- Inform and advise the company and the staff who carry out processing of their obligations under the GDPR and other EU data protection rules
- Monitor compliance with the GDPR, other EU data protection requirements and the company's own personal data protection policies
- Monitor the assignment of responsibilities
- Promote training and awareness of the staff involved in processing operations
- Monitor related audits
- Cooperate with the CISO to improve the organization's security and performance
- Cooperate with the supervisory authority (the AEPD in Spain)
- Act as the contact point for the supervisory authority on issues relating to processing, including prior consultation
Legal Tech Expert
A legal tech expert (IT forensic expert witness) is a qualified specialist who works with the courts and the justice administration to collect and analyse electronic evidence from electronic devices so that it can be used in legal proceedings.
Our experts are members of the Asociación Nacional de Tasadores y Peritos Judiciales Informáticos.
This offers our clients a number of advantages, among which we would highlight:
- Findings are evaluated and tested by the Association's Expert Board
- Sector-specific civil liability insurance
- Forensic laboratories and tools specialized in forensic analysis
- Professionals in continuous training
Some of the cases in which an IT expert witness may be needed:
- Analysis and authentication of emails
- Theft of corporate information
- Disputes arising from IT service development and contracts
- Collection and analysis of electronic evidence
- IT legal advice
- Authentication of messages in instant messaging apps
- Review of expert reports
Today we rely heavily on ICTs and on ICT service providers. A poorly drafted or poorly negotiated contract can be very harmful to the company in the short, medium and long term, in areas such as:
- Intellectual property in the products developed (source code)
- Service standards
- Supplier reliability
- Conflict resolution
- Termination of contracts
- Transfer to third parties
- Know-How sharing
Because of the general lack of awareness of the rights and obligations involved when signing this type of agreement, Auditech offers advice focused on the most relevant aspects of each contract according to the type of product or service acquired: custom development, licence of use, maintenance, outsourcing, Application Service Provider (ASP), Service Level Agreement (SLA), Infrastructure as a Service (IaaS), Software as a Service (SaaS), Platform as a Service (PaaS), On-demand Service Agreement (OSA) and cloud computing.
- 1. Assess and advise the client on the main legal aspects of each service (for example, ownership of source code)
- 2. Draft the most important clauses of the contract in a way that benefits the client's business
- 3. Negotiate the clauses directly with the supplier
- 4. Give the contracting process the legal certainty needed to avoid litigation
Companies and freelancers with websites must comply not only with the regulations in force in their own country but also with a further set of rules that depend on the products or services they offer, the market they target, whether the buyer is a consumer or user, the terms of the hosting where the platform is hosted, the domain, the brand, and data protection.
At Auditech we offer a comprehensive legal service that lets you launch your corporate website or online shop in compliance with the regulations in force at all times, and we also cover the consultancy work involved.
- From a data protection point of view, every entity today, whether public or private, holds files or databases, on paper or on digital media, containing data about natural persons (employees, users, customers or suppliers) that are subject to data protection regulations.
- This legislation imposes a series of legal, organizational and technical obligations that must be met in order to process such data, from the moment it is collected through its processing, transfer or disclosure to third parties.
- Companies must therefore adapt their workflows and management to these regulations, which requires setting up significant security measures to prevent loss, misuse or improper access to data. Companies are often unaware of the legal measures and formalities required, yet inspections, complaints and sanctions for non-compliance are on the rise.
- Some web components install cookies or similar tools on users' devices to track their browsing, analyze their behaviour or display more targeted advertising. To do so, the website operator must comply with the so-called cookie law (in Spain, Article 22.2 of the LSSI).
- The legislation requires that users be duly informed of the cookies used on the website and their purpose, and that procedures be in place to obtain their consent before cookies are installed and used.
- Electronic commercial communications are regulated by several European directives and, in Spain, by the Law on Information Society Services (LSSI). Because these communications are addressed to specific people, the GDPR, applicable since May 2018, also comes into play: sending electronic communications must comply not only with the LSSI but also with the GDPR.
- Online and social network raffles and contests are one of the main tools of a brand's commercial strategy. Organizers must understand the rules that apply to these events under the applicable legislation in order to avoid possible sanctions.
- Organizing raffles and contests requires making the legal terms (the contest rules) available to users so that they can read and accept them at any time. It is also advisable, although not compulsory, to deposit the rules with a notary and to hold the draw before a notary, in case of future claims or queries from users, participants or interested third parties.
Intellectual Property Rights
Our legal team for intellectual and industrial property, experts in technology law and new business models, can handle anything related to copyright (software, scientific and literary works, etc.), patents and other inventions, designs and know-how, and can advise on any conflicts that may arise along the way.
At Auditech our intellectual and industrial property service is built on preventive, agile advice that offers solutions from the outset.
- Authors have two types of rights: moral rights and economic rights, the latter allowing the owner to obtain a financial reward from the use of the work by others. The author of a work can therefore prohibit or authorize its reproduction, performance or communication to the public by any means.
- A patent is a title that grants its holder the exclusive right to exploit a new product, or an improvement to a product, for a period of no more than twenty years. A utility model is a title that grants the exclusive right to exploit an invention of a lower inventive step for a period of ten years.
Our department advises clients on the best way to protect their inventions and designs. We also represent clients in all administrative and extra-judicial proceedings concerning validity, infringement, ownership and other matters related to patents, utility models, know-how and designs.
The Payment Card Industry Data Security Standard (PCI DSS) is the set of security controls published by the PCI Security Standards Council; compliance with it is assessed by PCI Qualified Security Assessors (QSAs). The standard covers the core aspects of information security and applies to the people, processes and technologies involved in card payment systems.
PCI DSS is a complex standard that applies to every organization that stores, processes or transmits cardholder data, as well as to organizations that can affect the security of the cardholder data environment.
This service has two tracks:
Seeking certification
If you are seeking to have your PCI DSS compliance formally assessed, we support your organization throughout the process, up to the Report on Compliance and Attestation of Compliance issued by a QSA, delivering the highest value for your organization.
Seeking compliance only
If you only need to comply with the requirements of the standard, without formally attesting compliance, we act as a technical office to ensure compliance and bring the highest possible value to your processes.