Basic legal issues for setting up a digital business (part 2)


In the first part of this series of articles, we explained some basic legal issues for setting up your digital business, particularly the legal form to adopt (usually self-employed or limited company) and the importance of seeking professional advice on the selection and registration of your trademark and domain name.

In this second part, we look at the basic legal issues that you should take into account in your digital business in terms of data protection and information society (digital) law.

Data protection

Once registered with the tax authorities and social security, with the company set up (if we have opted for this legal form) and the trademark registered, we are ready to start trading. However, it is very likely that in the course of its activity the company will have to carry out some kind of processing of personal data, whether of customers, workers, suppliers, or all of them. In this case, the company is subject to the obligations imposed by the relevant legislation, primarily the General Data Protection Regulation (Regulation 2016/679 of April 27, GDPR) and the Organic Law on Personal Data Protection and Guarantee of Digital Rights (Organic Law 3/2018, of December 5, LOPDGDD).

The obligations set forth in these regulations cannot be taken lightly, as non-compliance carries administrative penalties of up to 20 million euros. In the case of companies, the penalty may amount to the equivalent of 41% of the previous year's turnover, provided that this amount exceeds the aforementioned €20 million. Furthermore, it should be noted that, under current legislation, it is up to the business owner to prove that they have fulfilled all their obligations.

That being the case, we must refer to the main data protection obligations that business owners must fulfill.

Firstly, the GDPR states that every controller and processor must keep a record of processing activities. The data controller is the natural or legal person who decides why and how personal data will be processed. The data processor is the natural or legal person who processes personal data on behalf of the data controller, for example, the advertising agency that processes the company's customer data when carrying out a marketing campaign aimed at them, or the agency that processes employee data when preparing payroll. The relationship between the controller and the processor must be governed by a data processing agreement, with the content provided for in the GDPR.

The record of processing activities will contain various information relating to the data processing carried out within the company (the types of processing carried out, its purpose, the measures adopted for data security, etc.), and must be available upon request by the Spanish Data Protection Agency (AEPD).

Not all companies are required to keep a record of processing activities, only those that employ 250 or more workers. However, companies with fewer than 250 employees will also be required to keep a record of processing activities when they process data belonging to the so-called special categories (race, ideology, religion, trade union membership, health, sex life or sexual orientation, and genetic or biometric data), when they process data relating to criminal convictions and offenses, or, in the most common case, when the processing of personal data is not occasional but part of the company's regular business.

Another obligation to which controllers and processors of personal data may be subject is the appointment of a data protection officer (DPO). Specifically, companies must appoint a DPO when the processing to be carried out requires regular, systematic, and large-scale monitoring of personal data. Similarly, a DPO will be required when the processing, although not regular and systematic, is large-scale and relates to the special categories of data mentioned above, or to data relating to criminal convictions and offenses.

The DPO is the person responsible for advising the company on all matters relating to data protection and for ensuring that legal obligations in this area are met. In addition, the DPO acts as the channel of communication with the AEPD and, frequently, with the data subjects whose data is processed by the company.

The DPO may be a natural or legal person, a worker of the company or an external contractor. In any case, it is very important to guarantee their independence and autonomy in the exercise of their duties, protecting them from any possible conflict of interest.

The DPO does not need to hold a specific qualification to perform this role, although specialized technical knowledge of data protection law and experience in this field are recommended.

One of the obligations of the business owner, in the fulfillment of which the DPO can advise, is the performance of a risk analysis. It is the responsibility of the business owner, as the data controller or processor, to adopt the necessary technical and organizational measures to ensure the security of the data being processed. However, in order to adopt these measures, it is first necessary to identify the risks arising from the processing, i.e., the impact that potential threats to the integrity, confidentiality, and availability of the data would have if they were to materialize, and the likelihood that they would actually materialize.

All companies, without exception, are required to analyze the risks of the processing operations they perform and to adopt appropriate security measures.

There are two types of risk analysis that can be performed. On the one hand, there is the basic risk analysis, which is more general and simplified, and on the other hand, the impact assessment, which is more in-depth and is performed for each processing operation. Which analysis is performed depends on the level of risk involved in the processing. To determine this, a prior analysis is required. If the level of risk detected is low, a basic analysis should be carried out; if, on the other hand, it is high, an impact assessment should be carried out.

In the basic risk analysis, the processing activities, grouped by common processes, are described, indicating what the processing consists of, what data is processed and by whom, as well as the technology used to carry it out. Each set or category of processing is then assigned a risk level and, depending on that level, certain security measures are adopted. To assist in the risk analysis, the AEPD has made the FACILITA tool available to data controllers and processors, intended for companies that process personal data that, a priori, appear to carry a low level of risk (such as the processing of customer or supplier contact details).

However, as noted above, when data processing involves a high level of risk, a basic analysis will not suffice; rather, a data protection impact assessment must be carried out. An impact assessment is always necessary when personal data is to be processed automatically for profiling (data mining), when special categories of data are processed on a large scale, and when the data comes from large-scale observation of publicly accessible areas (video surveillance).

Furthermore, beyond these three cases we have just mentioned, impact assessments will be mandatory whenever the processing involves a high level of risk to the rights and freedoms of those affected. In this regard, the AEPD has published a list of processing operations that require an impact assessment to be carried out.

The impact assessment must describe the processing activities to be carried out and their purpose. Next, the actual need to carry out these activities in order to achieve the proposed purposes must be assessed, as well as the risks inherent in doing so. Finally, the security measures necessary to prevent these risks must be proposed.

However, even when all appropriate security measures have been taken, a security breach may still occur. In this case, the GDPR requires controllers to notify the security breach to the supervisory authority (the AEPD) within a maximum period of 72 hours. In addition, if the security breach entails a high risk to the data subjects concerned, it must also be communicated to those data subjects.

This is one of the many information obligations set forth in data protection legislation in favor of data subjects. Another of these obligations is to inform data subjects of their rights, which will be discussed in the section of this article entitled “Legal texts”.

In any case, we always recommend that you put yourself in the hands of lawyers specializing in data protection so that they can advise you on any questions you may have.

Information society

The Law on Information Society Services and Electronic Commerce (Law 34/2002 of July 11, LSSICE) contains a broad concept of information society services that encompasses all services provided remotely, electronically, and at the individual request of the recipient, even when they are services not remunerated by their recipient, provided that they constitute an economic activity of the service provider (for example, when a website that is free for users to access is monetized by placing advertisements on it).

In view of this broad concept of information society services, an entrepreneur who carries out their activity (of an economic nature) on the Internet must be considered an information society service provider and, therefore, is subject to the obligations set forth in the LSSICE.

The LSSICE states that service providers are subject to the civil, criminal, and administrative liability that may arise in the course of their activities. In other words, the fact that they carry out their activities on the Internet does not serve as an excuse for failing to comply with the obligations imposed on us all by law. However, current legislation also stipulates that when service providers provide intermediation services, and provided that certain conditions are met, they shall be exempt from liability for third-party content that they transmit, host, or provide access to.

Intermediation activities are those related to the transmission, copying, hosting, and location of third-party data on the Internet. The service provider shall be exempt from liability for the content it intermediates, provided that a series of conditions are met, which, broadly speaking, consist of: (1) that it is unaware that the information it intermediates is unlawful, and (2) that, as soon as it becomes aware of the illegality of the information or content it is intermediating, it acts quickly to remove it or make it inaccessible.

However, if the service provider's activity consists of storing protected works of all kinds (films, photographs, songs, visual arts, etc.) uploaded to its website by third parties and providing access to them (a YouTube-type business model, for example), then Directive 2019/790 of April 17 must also be borne in mind.

The aforementioned Directive stipulates that entrepreneurs who carry out this type of activity (known as online content-sharing service providers) perform an act of communication to the public of the works to which they provide access on their website, even if these have been uploaded by third parties. This means that if such works have been uploaded to the platform without the consent of their authors or the holders of the rights to them, the service provider will be liable, without the exemption from liability provided for in the LSSICE (Law on Information Society Services and Electronic Commerce) that we have just seen being applicable.

The only way to avoid liability in this case is to have authorization from the rights holders or, failing that, to meet three conditions: (1) demonstrate that serious efforts have been made to obtain such authorization, (2) demonstrate that diligence has been exercised to prevent access to the protected works, provided that the rights holders have identified them, and (3) immediately remove the protected works when the rights holders notify you that they have been uploaded to the web platform without their consent.

As of the date of publication of this post, Directive 2019/790 is pending transposition (a period of two years is expected for this) and, therefore, its provisions are not yet applicable. But they soon will be. Therefore, entrepreneurs who aspire to develop an Internet business must keep them in mind when planning their business. For more information on Directive 2019/790, please consult this post.

In addition to the above, if in the course of our business we plan to send a newsletter, we must particularly bear in mind that the LSSICE prohibits sending advertising or promotional communications by electronic means unless: 1) they have been previously requested or authorized by the recipient (i.e., there is a list of newsletter subscribers whose data has been validly obtained for that purpose); or 2) there is a prior contractual relationship with the recipient and the newsletter is related to the products or services contracted. In any case, the business owner must provide the recipient with the option to unsubscribe from the newsletter in each mailing, and to object to the processing of their data for this purpose at the time of data collection (which normally translates into a box on the contact form indicating that they do not wish to receive commercial communications).

This provision of the LSSICE aims to prevent annoying spam, which is conduct not permitted by law. Therefore, our recommendation is that you do not promote your products and services by sending emails to individuals or companies that you do not know and who have not authorized the receipt of such emails; instead, call them by phone and ask, for example, to schedule a meeting.

Legal texts

Business owners are subject to multiple information obligations imposed by both the LSSICE and data protection regulations. The way for online entrepreneurs to comply with these obligations is to draft various legal texts that are readily available for consultation on their website.

One of these texts is the legal notice, through which the information obligations imposed by the LSSICE are fulfilled. First, it must include the identification and contact details of the service provider responsible for the website. This includes the name or company name, email address, telephone number, and tax identification number. If a legal entity, such as a limited liability company, was chosen, its registration details in the Commercial Registry must also be included.

Furthermore, if the activity carried out on the website is subject to prior administrative authorization (energy, transportation, metal production and processing, chemicals, food and tobacco industry, waste management, private security, bars and restaurants, gambling and betting, etc.), the details of such authorization and the competent supervisory body must be indicated.

On the other hand, if the service provider exercises a regulated profession, they must state their membership number, academic or professional title and country of issue, and the code of ethics governing the exercise of that profession. Regulated professions are those whose access is conditional on obtaining a specific qualification, passing special exams (e.g., state exams), and/or registering with a professional body (such as a professional association) in order to practice. Examples of this type of professional include lawyers, solicitors, doctors, architects, auditors, private investigators, nurses, sports coaches, pharmacists, and engineers, among others.

If the service provider adheres to a code of conduct, this circumstance must be indicated, specifying how it can be consulted online.

The LSSICE requires that all this information be clearly visible and identifiable. However, provided that website users can always find it easily, it can be placed wherever you prefer (in the footer, on a page reserved for this purpose).

However, if personal data is going to be collected in the course of the activity (which is very common), it will also be necessary for the website to provide the information required by Article 13 of the GDPR, through another legal text, the privacy policy.

This information may be offered to interested parties in two “layers”, i.e., basic information must appear directly on the website (at the bottom or on a page designated for that purpose), while the rest of the information may be consulted by means of a link or other method that allows easy and immediate access.

The basic information that must be provided in the first layer includes (at a minimum): the identity of the data controller, the purpose of the data processing (marketing activities, order management, etc.), the legitimacy of the processing (i.e., the legal basis, as provided for in Article 6 of the GDPR, which justifies it), the recipients to whom the data will be communicated, and the possibility of exercising the rights recognized in Articles 15 to 22 of the Regulation (access, rectification, erasure, restriction of processing, portability, objection, and the right not to be subject to automated individual decision-making). In addition, a link to the second-layer information must be included.

The second layer must provide the contact details of the data controller, the identification details of the data protection officer, if any, the purpose of the processing (in greater detail), the data retention period, whether or not international data transfers will be carried out, how the rights of data subjects can be exercised in practice, the right of data subjects to lodge a complaint with the Spanish Data Protection Agency (AEPD) if they consider that their rights have been violated, and, finally, information must also be provided on whether the data collected will be processed automatically for profiling purposes.

On the other hand, it is very common for digital entrepreneurs to install cookies on their websites for various purposes (technical, personalization, analytics, advertising). Cookies collect information about users' browsing habits on the website, including personal data, and therefore must also comply with the requirements of data protection legislation.

To this end, the website must include another legal text, the cookie policy, informing users of the cookies installed on the website, the data they collect and why they collect it, the data retention period, the legal basis for processing personal data, any data transfers that may be made, and users' rights regarding their data. In other words, all the information that, according to the GDPR, must be communicated to data subjects regarding the processing of their data, but this time specifically referring to personal data collected through cookies.

In addition, the cookie policy must explain how to disable or block cookies. This is particularly important when the legal basis for processing is the consent of the data subject (a very common scenario), as Article 7.3 of the GDPR states that “the data subject shall have the right to withdraw consent at any time”.

Finally, if the purchase of products or services is permitted through the website, general terms and conditions of purchase must also be drafted, which will govern the relationship between the company and its customers for the products or services contracted. This contract must be drafted taking into account the provisions of Law 7/1998, of April 13, on general contracting conditions (LCGC). Likewise, as required by the LSSICE, the prices of products and services must be clearly and accurately stated, indicating whether taxes and shipping costs are included or not.

In addition to the above, if the digital company is going to sell its products or provide its services to consumers (and not to other companies), the General Law for the Protection of Consumers and Users (1/2007, dated November 16, TRLGDCU), which establishes a series of consumer rights and business obligations, must also be taken into consideration. In particular, with regard to the drafting of terms and conditions, Article 102 of the aforementioned law must be taken into account. This article establishes the right of consumers to withdraw from the contract entered into, within 14 days from the date of conclusion, without having to give any reason for doing so. The terms and conditions must state the existence of this right, how it can be exercised, and also the exceptions in which the consumer may not exercise it.

At this point, after the company has adopted the most appropriate legal form, obtained and registered the trademark or trademarks necessary to distinguish its products in commercial traffic, registered its domain name, prepared to comply with legal requirements regarding data protection and the information society, and having drafted the necessary legal texts taking into account all the legal requirements imposed by the applicable regulations (GDPR, LSSICE, LCGC, TRLGDCU), we can say that the new digital company meets the basic legal requirements to carry out its activity with peace of mind and security. However, it should be noted that if the activity to be started is subject to administrative authorization (such as gaming, healthcare, private security, etc.), there are specific legal requirements that must be met.

Compliance with the legal obligations outlined in these two articles is an essential condition for the peaceful and satisfactory development of the business activities to be undertaken. It is therefore of the utmost importance to seek appropriate expert advice in order to avoid risks and ensure that digital businesses can continue to thrive without disruption.

[Article written by Luis Mª Benito Cerezo]
