Tag: data protection

Business Advice Spain > B.A.S. BLOG >



Faceapp has been all over the news recently. The app has been around for a couple of years, but has gained sudden popularity over the last few weeks. With the popularity came the privacy concerns. The company behind Faceapp is based in Russia, or at least so it seems. It however subjects its terms to Californian law and chooses that state as venue for dispute resolution. How will European Data Protection Autorities (DPA) react to Russia based Faceapp & the territorial scope of GDPR.



Our question is how the EU regulators or the European Data Protection Board (EDPB) will deal with this (Russian) app? The governing body has elaborated on the territorial scope of GDPR and in our opinion this app would qualify to fall within that scope. It seems that Faceapp has all the intention to provide services to European citizens and that it places cookies on their browsers to monitor behavior.

The result would be that it needs to comply with GDPR and if it doesn’t it may be subject to disciplinary powers (including fines) of data protection agencies (“DPAs”).

Paper Tiger

How will European DPA´s enforce any action that it may take against this app and all other apps (or services providers) that fall within the scope of GDPR but are located in countries where enforcement is difficult? If the DPA´s do not take any action, how will that look when other companies do get fined and enforced over similar offences. The GDPR runs the risk that it will become a paper tiger for these kinds of cases.


If you are interested to know more about the material and or territorial scope of the GDPR and if your activities would fall within that scope and if so, what you should be complying with. Do contact us for further information and counsel or call +34 610 739 364.

GDPR, the legal obligation to inform your customer.

GDPR, the legal obligation to inform your customer.

The General Data Protection Regulation is about to come into force on the 28th of May 2018. We are getting a lot of requests for advice and notice that although companies are willing to comply, a lot of new details are generally not known. For example: you become are aware that you had a data breach. Do you tell the person affected? Or do you have the legal obligation to inform your customer?

Yes, when: 

  1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons*, the controller shall communicate the personal data breach to the data subject without undue delay.

And the notification shall describe in clear and plain language the nature of the personal data breach and contain at least the following information and measures:

  • communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • describe the likely consequences of the personal data breach;
  • describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

No, when: any of the following conditions are met:

  1. the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  2. the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
  3. it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

* These are (high) risks to the rights and freedoms of natural persons: The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.

Are you ready?!

Do contact us if you would like more information on the subject. Business Advice Spain is highly experienced in Data Protection matters. It has helped American companies for the last 15 years establish themselves in Europe.

Non EU companies should appoint a DPO in Europe

Non EU companies should appoint a DPO in Europe

The new General Data Protection Regulation (“GDPR”) that will come into force in May 2018 requires companies that the accessibility of the Data Protection Officer (“DPO”) should be effective for Data Subjects and other players. To ensure that the DPO is accessible, the Working Party 29 (the cluster of European data protection authorities) recommends that the DPO be located within the European Union, whether or not the controller or the processor is established in the European Union. However, it cannot be excluded that, in some situations where the controller or the processor has no establishment within the European Union 25, a DPO may be able to carry out his or her activities more effectively if located outside the EU.  You may appoint an external company to be your Data Protection Officer. We can become your DPO and/ or help you find one.

Contact us if you would like us to review your data protection policy and make it compliant with the GDPR. We have vast experience in data protection matters. And when it comes to American companies we have more than 15 years of experience in helping them establishing in Europe.