The AEPD adopted a digital pact for the protection of individuals

On January 21, the Spanish Data Protection Agency (“AEPD”) launched the Digital Pact for the protection of individuals (“Digital Pact”). The Digital Pact aims to (i) promote privacy both in public and private entities; and (ii) strengthen “the commitment to privacy in entities’ sustainability policies and business models, reconciling the fundamental right to data protection with innovation, ethics and competitiveness.”

The Digital Pact is voluntary, but the entities joining the pact agree to (i) implement its principles and guidelines; (ii) adopt “appropriate and effective measures;” and (iii) “prove that data processing activities comply with the applicable provisions (the GDPR and the Spanish Data Protection and Digital Rights Guarantee Act) and that the adopted measures are effective, reviewing and updating these measures when necessary.” The entities joining the Digital Pact also agree to provide their employees and users with all of the AEPD’s tools and resources, to raise awareness about the importance of privacy. Membership will last one year, and it will be automatically extended unless the member entity withdraws from the pact.

The Digital Pact seeks to strengthen digital rights and obligations and to ensure that all digital actors are aware of the consequences and liability (civil, criminal and administrative) arising from data protection violations.

The Digital Pact includes three documents:

• Membership Letter, in which entities publicly agree to protect personal data (including customer, user and employee data) and to use technology ethically and responsibly through more specific commitments.
  
  These commitments include, e.g., (i) informing about the Priority Channel and other AEPD resources; (ii) promoting a harassment-free workplace (including the digital environment); (iii) encouraging innovation and digital transformation ethically, responsibly and transparently; (iv) establishing remote working guidelines protecting employee privacy; and (v) launching privacy training and awareness raising campaigns.
• Digital Responsibility Commitment (“DRC”), in which entities agree to fulfill digital requirements internally, disseminating and advancing these requirements both internally and with third parties.
  
  These requirements include (i) ensuring transparency and disclosure to users regarding any collected data, the purposes of the processing and the exercise of users’ rights; (ii) applying data processing principles; (iii) ensuring lawful processing; (iv) appointing a data protection officer, promoting the appointment even if it is not required; and (v) applying privacy by design and by default.
  
  The DRC also provides the potential liability for entities and individuals in case of non-compliance with these requirements, and it includes a set of principles to promote digital and ethical responsibility. These principles are aimed at ensuring transparency, preventing technology from perpetuating biases and inequality, protecting children and promoting gender equality.
  
  The DRC includes an Appendix with tools, guidelines, materials and resources to facilitate compliance with data protection requirements.
• Privacy best practice guide for the media and entities with their own broadcasting channels. The AEPD seeks to fight digital violence in any means of communication, broadcasting channels or social media.
  
  This guide targets private entities, particularly the information technology and communication sector and the media. It provides specific commitments to protect victims of violence or cyber violence, preventing (i) the disclosure of non-public figures’ identity or any information revealing it; and (ii) the posting of unnecessary images, even in cases of public social media profiles.

Any entities that agree to the commitments can join the Digital Pact. Many entities have already joined, including associations, public bodies and private companies.

The contents of this Digital Pact will be presented in the I Privacy, Innovation and Sustainability Forum, which will be held on January 28, 2021 on the occasion of the International Data Protection Day. The AEPD will broadcast this event on its website.

Authors: Adaya Esteban y Carolina Urbano