Innovation and Technology

Breaking news regarding accountability

• Technical note: Proof of concept Blockchain and the right to erasure [nov 2024]
• Vital interest and data protection [oct 2024] 
• Technical Note: An Introduction to LIINE4DU 1.0: A New Privacy & Data Protection Threat Modelling Framework [oct 2024]
• Technical note: A safe Internet by default for children and the role of age verification [oct 2024]
• Annual Privacy Forum 2.024: Implications of Age Assurance on Privacy and Data Protection: A Systematic Threat Model [sep 2024]

Basic tools for accountability compliance

The AEPD has developed tools and help material to assist with compliance with general data protection regulation for small businesses, entrepreneurs and developers, and other types of controllers. This section lists those tools that are common to all types of processing. In the section "Guides, reports and technical notes" you can find specific material that extends their scope to specific treatments, technologies or controllers.

In any case, controllers and processors should not forget to verify that they comply with all the requirements and obligations that guarantee compliance with GDPR and national rules on data protection.

• Roadmap to ensure compliance with data protection regulation [jun 2024]

Risk management and Impact Assessment regarding Data Protection

The following resources support the obligation to carry out a risk analysis of personal data processing, and in case that is needed,  the obligation to carry out a data protection impact assessment:

• Risk Management and Impact Assessment in the Processing of Personal Data [jun 2021]
• Tool for managing the RoPA, the generation of the Inventory of Processing Operations and the risk analysis MANAGE RGPD [may 2024]
• User Manual of the Tool for managing the RoPA, the generation of the Inventory of Processing Operations and the risk analysis MANAGE RGPD [may 2024]
• Guidelines for conducting a data protection impact assessment in regulatory development [jun 2023]
• List of tables of the guidelines  Risk Management and Impact Assessment in the Processing of Personal Data [jun 2021]
• Checklist for determining the formal adequacy of a DPIA and the submission of prior consultation [jun 2021]
• List of the types of data processing that require a DPIA (art 35.4) [sep 2019]
• Indicative list of the types of data processing that do not require DPIA (art 35.5) [aug 2019]
• Template For Data Protection Impact Assessment Report (DPIA) For Public Administrations [apr 2022]
• Template For Data Protection Impact Assessment Report (DPIA) For Private Sector [mar 2022]
• Tool for the validation of cryptographic systems VALIDA-CRIPTO RGPD [oct 2023]
• Tool for the analysis of risk factors: EVALUA-RISK v2 [sep 2022]
• Tool to help compliance with GDPR for entities that carry out low risk processing activities: FACILITA GDPR [may 2019]
• Tool to help entrepreneurs and technology start-ups to comply with data protection regulations: FACILITA-EMPRENDE [jun 2020]
• Annual Privacy Forum 2.024: Implications of Age Assurance on Privacy and Data Protection: A Systematic Threat Model [sep 2024]

There are more resources about risk management and DPIA in the main section: Risk management

Data Protection by Design and by Default

The following resources support the obligation to take into account, from the initial stages of definition and analysis of the processing, appropriate technical and organisational measures for ensuring, by design and by default, data protection principles implementation:

• A Guide to Privacy by Design [oct 2019]
• Guidelines for Data Protection by Default [oct 2020]
• Protección de datos por defecto: Listado de medidas (only in Spanish, soon available in English) [sep 2020]

Personal Data Breach Management

The following resources support the obligation to implement incident recording and notification mechanisms in order to properly manage any possible breach.

• Guidelines on Personal Data Breach Notification [may 2021]
• Infographic: Personal Data Breach Communication [oct 2022]
• Tool to assess the personal data breach notification to the Data Protection Authority: ASESORA BRECHA [oct 2022]
• Tool to assess the obligation to communicate a personal data breach to the data subjects: COMUNICA-BRECHA RGPD [oct 2020]
• Personal Data Breach Notification Form [jun 2021]
• Security breach site (only in Spanish, soon available in English)

Application sectors and technologies

In order to respond to sectors of activity or technologies that incorporate singularities in data processing, referenced is made below to resources of interest, both national and international, that can serve as support to comply with the principle of accountability. At this time, published materials and resources cover the following areas:

• Anonymisation and Pseudonymisation
• Artificial Intelligence and automated decisions
• Biometrics
• Blockchain
• Covid-19 Pandemic
• Data protection by design and by default
• Data spaces, Cloud computingand Big data
• Encryption and privacy
• Governance and data protection policies
• Internet and mobile systems
• Internet of Things (IoT) and connected systems
• Neurodata
• Personal data breach and security
• Protection of Minors on the Internet
• Public Administrations
• Risk management
• Telecommuting

Anonymisation and Pseudonymisation

Guidelines and technical surveys

• 10 Misunderstandings related to anonymisation [apr 2021]
• Introduction to the Hash Function as a Personal Data Pseudonymisation Technique [nov 2019]
• K-anonymity as a privacy measure [jun 2019]

Posts

• Anonymization III: The risk of re-identification [feb 2023]
• Anonymisation and pseudonymisation (II): Differential privacy [oct 2021]
• Anonymisation and pseudonymisation [oct 2021]

International recommendations and guidelines

• ART.29 WP 216: Opinion 05/2014 on Anonymisation Techniques [apr 2014]
• ENISA Report - Data Pseudonymisation - Advanced Techniques and Use Cases [jan 2021]
• ENISA: Recommendations on shaping technology according to GDPR provisions - An overview on data pseudonymisation [nov 2018] 

Tools

• PDPC SINGAPURE: Guide to Basic Anonymisation [mar 2022]
• PDPC SINGAPURE: Basic Data Anonymisation Tool [mar 2022]

Artificial Intelligence and automated decisions

Due to the big use of the artificial intelligence in biometrics, in the following link you can find some very interesting information about Biometrics

Guidelines and technical surveys

• Infographic: Recommendations for users in the use of chatbots with artificial intelligence [sep 2023]
• Reference map of personal data processing that embed artificial intelligence [nov 2022]
• 10 Misunderstandings about Machine Learning [sep 2022]
• Audit Requirements for Personal Data Processing Activities involving AI [jan 2021]
• GDPR compliance of processing that embed Artificial Intelligence. An introduction [feb 2020]

Posts

• Probabilistic methods and GDPR compliance [sep 2024]
• Evaluating human intervention in automated decisions [mar 2024]
• AI System: just one algorithm or multiple algorithms? [nov 2023]
• Synthetic data and data protection [nov 2023]
• Artificial Intelligence: Transparency [sep 2023]
• Artificial Intelligence: accuracy principle in the processing activity [may 2023]
• Federated Learning: Artificial Intelligence without compromising privacy [apr 2023]
• AI: System vs Processing, Means vs Purposes [apr 2023]

Legal reports and communiqués

• Legal Report 0059/2023 of the Legal Office of the AEPD ruling on the difference between AI systems and processing of personal data and the assessment of the level of risk of processings [sep 2023]

International recommendations and guidelines

• EDPS: TechDispatch 2/2023 - Explainable Artificial Intelligence [nov 2023]
• EDPB-EDPS Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) [jun 2021]
• European Commission - IA HLEG: A definition of AI: Main capabilities and disciplines [apr 2019]
• European Commission - IA HLEG: Ethics guidelines for trustworthy AI [apr 2019]
• Council of Europe: Guidelines on Artificial Intelligence and Data Protection [jan 2019]
• Council of Europe: Artificial Intelligence and Data Protection: Challenges and Possible Remedies [jan 2019]
• ART.29 WP 251: Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 [oct 2017]
• ART.29 WP 202: Opinion 02/2013 on apps on smart devices [feb 2013]
• UNESCO: Recommendation on the Ethics of Artificial Intelligence [2021]

Biometrics

Due to the big use of the artificial intelligence in biometrics, in the following link you can find some very interesting information about Artificial Intelligence and automated decisions

Guidelines and technical surveys

• Guidelines clocking and attendance control processing using biometric systems [nov 2023]
• 14 misunderstandings with regard to biometric identification and authentication [jun 2020]

Post

• Use of biometric data: Assessment from a data protection perspective [jul 2022]

International recommendations and guidelines

• EDPB: Opinion 11/2024 on the use of facial recognition to streamline airport passengers’ flow (compatibility with Articles 5(1)(e) and(f), 25 and 32 GDPR [may 2024]
• EDPS: Facial Emotion Recognition [may 2021]
• Council of Europe - Convention 108: Guidelines on Facial Recognition [jan 2021]
• ART.29 WP 193: Opinion 3/2012 on developments in biometric technologies [apr 2012]

Blockchain

Guidelines and technical surveys

• Technical note: Proof of concept Blockchain and the right to erasure [nov 2024]
• Annex Technical description Proof of Concept Blockchain and the right to suppression [nov 2024]

Posts 

• Digital Currencies [sep 2023]
• Blockchain (III): Smart Contracts and personal data  [mar 2022]
• Blockchain (II): Basic concepts [nov 2020]

Video

• Video: Right to erasure in Blockchain Proof of Concept [nov 2024]

International recommendations and guidelines

• EDPS: TechDispatch on Central Bank Digital Currency [mar 2023]

Covid-19 Pandemic

Guidelines and technical surveys

• Guidelines for social distance and access control apps due to COVID-19 [jun 2020]
• Technologies in the fight against COVID19 [may 2020]

Posts

• Personal data and emergencies [apr 2020]
• Phishing Campaigns Regarding The Coronavirus [mar 2020]

International recommendations and guidelines

• EDPB: Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak [april 2020]
• EDPB: Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak [april 2020]
• EDPS: Contact Tracing with Mobile Applications [may 2020]

Data protection by design and by default

Guidelines and technical surveys

• Differential Privacy for Complex Data: Answering Queries Across Multiple Data Tables [mar 2021]
• Guidelines for Data Protection by Default [oct 2020]
• A Guide to Privacy by Design [oct 2019]
• Addictive patterns in the processing of personal data [jul 2024]

Posts

• Synthetic data and data protection [nov 2023]
• Data Spaces, sovereignty and privacy by design [sep 2023]
• Privacy by Design: Secure Multi-Part Computation: Additive Sharing of Secrets [may 2022]
• Privacy Engineering [sep 2019]

International recommendations and guidelines

• EDPB: Guidelines 4/2019 on Article 25 Data Protection by Design and by Default [oct 2020]
• EDBP: Response to the proposal of a member of the European Parliament regarding the possibility of requiring that all new laptops entering the European Union market be equipped with a camera cover [jun 2020]
• ENISA – Engineering Personal Data Sharing [jan 2023]
• ENISA Report - Data Protection Engineering [jan 2022]
• ENISA: Recommendations on shaping technology according to GDPR provisions - Exploring the notion of data protection by default [dec 2018]
• NIST (National Institute of Standards and Technology): Privacy-Enhancing Cryptography to Complement Differential Privacy [nov 2021]
• NIST (National Institute of Standards and Technology): Automatic Proofs of Differential Privacy [jul 2021]
• NIST (National Institute of Standards and Technology): Testing for Differential Privacy Bugs [jun 2021]
• NIST (National Institute of Standards and Technology): Differential Privacy Bugs and Why They’re Hard to Find [may 2021]
• NIST (National Institute of Standards and Technology): Differentially Private Synthetic Data [may 2021]
• NIST (National Institute of Standards and Technology): Differential Privacy for Complex Data: Answering Queries Across Multiple Data Tables [mar 2021]
• NIST (National Institute of Standards and Technology): Workloads of Counting Queries: Enabling Rich Statistical Analyses with Differential Privacy [feb 2021]
• NIST (National Institute of Standards and Technology): Summation and Average Queries: Detecting Trends in Your Data [dec 2020]
• NIST (National Institute of Standards and Technology): Counting Queries: Extracting Key Business Metrics from Datasets [oct 2020]
• NIST (National Institute of Standards and Technology): Threat Models for Differential Privacy [sep 2020]
• NIST (National Institute of Standards and Technology): Differential Privacy for Privacy-preserving Data Analysis: An Introduction to our Blog Series [ jul 2020]
• NIST: Privacy Framework
• NIST: Privacy Engineering Program
• Harvard University: Privacy Tools Project

Data spaces, Cloud computing and Big data

Guidelines and technical surveys

• Approach to data spaces from GDPR perspective [may 2023]

Post

• Data Spaces, sovereignty and privacy by design [sep 2023]

International recommendations and guidelines

• EDPB: 2022 Coordinated Enforcement Action - use of cloud-based services by the public sector [jan 2023]
• EDPB: Annex: National Reports on the CEF cloud action [jan 2023]
• ENISA: Engineering Personal Data Protection in EU Data Spaces [jan 2024]
• ENISA: Engineering Personal Data Sharing [jan 2023]
• EDPS: Meeting the challenges of big data [nov 2015]
• ART.29 WP 196: Opinion 05/2012 on Cloud Computing [jul 2012]

Event

• AEPD-ENISA event “Data Spaces in EU: Synergies between data protection and data spaces, EU challenges and the experiences of Spain” [oct 2023]
• Report of conclusions of AEPD-ENISA’s event on data spaces [apr 2024]

Encryption and privacy 

Guidelines and technical surveys

• Guidelines for the validation of cryptographic systems in data protection processing [may 2023]

Tools

• Tool for the validation of cryptographic systems VALIDA-CRIPTO RGPD [oct 2023]

Posts

• Encryption and Privacy V: The key as personal data [dec 2021]
• Encryption and Privacy IV: Zero Knowledge Proofs [nov 2020]
• Encryption and Privacy III: Homomorphic encryption [jun 2020]
• Encryption and Privacy II: Lifespan of personal data [jan 2020]
• Encryption and Privacy: Encryption in the GDPR [nov 2019]

International recommendations and guidelines

• EDPB: Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data [jun 2021]
• EDPS: Quantum Computing and Cryptography [aug 2020]
• ART.29 WP: Statement of the WP29 on encryption and their impact on the protection of individuals with regard to the processing of their personal data in the EU [apr 2018]

Governance and data protection policies

Guidelines and technical surveys

• Roadmap to ensure compliance with data protection regulation [jun 2024]

Posts

• Vital interest and data protection [oct 2024] 
• Identity as a right [jun 2024]
• When to review data protection measures [feb 2023]
• Group Privacy [oct 2020]
• Data Governance and Data Protection Policy [sep 2020]
• Consent receipt: A tool for transparency and proactive accountability [feb 2020]

International recommendations and guidelines

• EDPB: Guidelines 07/2020 on the concepts of controller and processor in the GDPR [jul 2021]
• EDPB: Guidelines 05/2020 on consent under Regulation 2016/679 [may 2020]
• EDPS: Personal Information Management Systems [jan 2020]
• EDPS: EDPS Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data [dec 2019]
• ART.29 WP 243: Guidelines on the right to data portability [apr 2017]
• EPDS: Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A Toolkit [apr 2017]
• ART.29 WP 243: Guidelines on Data Protection Officers (DPO) and "large-scale" notion [dec 2016]

Internet and mobile systems

Guidelines and technical surveys

• Wifi Tracking Technologies: Guidance for data controllers [may 2024]
• Guide on use of cookies [jan 2021]
• Measures to minimise internet tracking [sep 2020]
• Infographic: Measures to minimise internet tracking [sep 2020]
• Introduction to 5G technologies and their risks in terms of privacy [may 2020]
• DNS Privacy [nov 2019]
• The duty to inform and other accountability measures for mobile devices [may 2019]
• Access to applications on the screen for Android devices [may 2019]
• User controls for ad personalisation on Android [may 2019]
• Analysis of information flows in Android. Tools for compliance with accountability [mar 2019]
• Survey about preinstalled apps in Android and privacy risks [mar 2019]
• Survey on Device Fingerprinting [feb 2019]

Posts

• Protecting Our Children in the Digital World: The Home Internet (Wifi Router) [feb 2024]
• Digitalization without alternatives: The risk of discriminating against elderly people [feb 2024]
• UEBA and data protection [mar 2023]
• Metaverse and Privacy [jun 2022]
• Dark patterns: Manipulation in internet services [may 2022]
• HTTPS: Encryption on the Web [apr 2021]
• Identification in online payment services [dec 2020]
• Privacy risks when logging in other applications with social media accounts [oct 2020]
• URL shorteners [jul 2020]
• Recommendations to Prevent Digital Harassment [may 2020]

International recommendations and guidelines

• EDPB: Guidelines 03/2022 on Deceptive design patterns in social media platform interfaces [feb 2023]
• EDPS: TechDispatch 1/2022 Federated Social Media Platforms [jul 2022]
• EDPB: Guidelines 3/2022 on Dark patterns in social media platform interfaces: How to recognise and avoid them [mar 2022]
• EDPB: Guidelines 8/2020 on the targeting of social media users [apr 2021]

Internet of Things (IoT) and Connected Systems

Guidelines and technical surveys

• Infographic: Privacy Risks of Internet of Things at Home [mar 2021]
• Guide on drones and data protection [may 2019]

Posts

• IoT (III): IoT Home Automation [may 2021]
• IoT (II): from the internet of things to the internet of bodies [jan 2021]
• Connected Cars [apr 2020]
• IoT (I): What is IoT and which risks does it entail [dec 2020]

International recommendations and guidelines

• EDPB: Guidelines 02/2021 on Virtual Voice Assistants [jul 2021]
• EDPB: Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications [mar 2021]
• EDPB: Guidelines 3/2019 on processing of personal data through video devices [jul 2019]
• EDPS: Connected Cars [dec 2019]
• EDPS: Smart Meters in Smart Homes [oct 2019]
• EDPS: Smart Speakers and Virtual Assistants [jul 2019]
• ART.29 WP 231: Opinion 01/2015 on Privacy and Data Protection Issues relating to the Utilisation of Drones [jun 2015]

Neurodata

Guidelines and technical surveys

• Techdispatch: Neurodata [jun 2024]

Posts

• Podcast AEPD-EDPS: TechDispatch Talks #3 – Neurodata [jul 2024]
• Neurodata: privacy and protection of personal data (II) [jan 2023]
• Neurodata and neurotechnology: privacy and protection of personal data [nov 2022]

Personal data breach and security

Guidelines and technical surveys

• Guidelines on Personal Data Breach Notification [may 2021]
• Infographic: Personal Data Breach Communication [oct 2022]

Tools

• Tool to assess the personal data breach notification to the Data Protection Authority: ASESORA BRECHA [oct 2022]
• Tool to assess the obligation to communicate a personal data breach to the data subjects: COMUNICA-BRECHA RGPD [oct 2020]

Templates and forms

• Personal Data Breach Notification Form

Posts

• Personal Data Breach: Security Focused on Processing [mar 2024]
• Personal Data Breaches: Development and Pre-Production Environments [apr 2022]
• Without privacy there is no cybersecurity [feb 2022]
• Personal data breaches: Ransomware and risk management [dec 2020]
• Personal data breaches: online productivity platforms [jun 2020]
• Data protection and security [apr 2020]
• Personal data security breaches: Top 5 technical measures to be taken into account [apr 2020]
• Notification of personal data security breaches during the state of alarm [apr 2020]
• Phishing Campaigns Regarding The Coronavirus [mar 2020]
• Data breach: communication to the to the data subject [feb 2020]
• Data breaches: protect yourself against the loss or theft of a portable device [oct 2019]
• Personal data breaches: what they are and how to respond [jun 2019]
• Personal data breaches: protect yourself against ransomware [may 2019]

International recommendations and guidelines

• EDPB: Guidelines 9/2022 on personal data breach notification under the GDPR [mar 2023]
• EDPB: Guidelines 01/2021 on Examples regarding Data Breach Notification [dec 2021]
• ENISA: Handbook on Security of Personal Data Processing [dec 2017]
• ENISA: Guidelines for SMEs on the security of personal data processing [dec 2016]

Protection of Minors on the Internet

Guidelines and technical surveys

• Addictive patterns in the processing of personal data [jul 2024]
• Technical note: A safe Internet by default for children and the role of age verification [oct 2024]
• Decalogue of principles. Age verification and protection of minors from inappropriate content [dec 2023]
• Infographic with risks associated with age verification systems and summary of the Decalogue of principles [dec 2023]
• Technical note with the description of the Proofs of Concept [dec 2023]
• Frequently Asked Questions (FAQ) about the Proofs of Concept [dec 2023]
• Annual Privacy Forum 2.024: Implications of Age Assurance on Privacy and Data Protection: A Systematic Threat Model [sep 2024]

Post

• Probabilistic methods and GDPR compliance [sep 2024]
• Protecting Our Children in the Digital World: The Home Internet (Wifi Router) [feb 2024]

Videos

• Proof of Concept video for PCs and consoles (Windows) [dec 2023]
• Proof of Concept video for smartphones (Android) [dec 2023]
• Proof of Concept video for smartphones (iOS) [dec 2023] 

International recommendations and guidelines

• European Commission: The Digital Services Act (DSA) – Explained. Measures to protect children and young people online [dic 2023]

Public Administrations

Guidelines and technical surveys

• Guidelines for conducting a data protection impact assessment in regulatory development [jun 2023]
• Guidelines to manage data breach risk in public sector bodies massive data communications [mar 2023]
• Guidelines on Cookies and Web Analytics in Public Administration Websites [feb 2023]
• Technologies and Data Protection in Public Administrations [dec 2020]
• Guidelines for Implementation of the Eighth Additional Provision and Twelfth Final Provision of the LOPDGDD [feb 2020]

Templates and forms

• Template For Data Protection Impact Assessment Report (DPIA) For Public Administrations [apr 2022]

Posts

• Digital Citizen's Folder (Carpeta Ciudadana): transparency of public administrations towards the data subject and the exercise of citizens' right of access [jul 2023]

International recommendations and guidelines

• EDPS: Outcome of own-initiative investigation into EU institutions’ use of Microsoft products and services [jul 2020]

Risk management 

Guidelines and technical surveys

• Technical Note: An Introduction to LIINE4DU 1.0: A New Privacy & Data Protection Threat Modelling Framework [oct 2024]
• Risk Management and Impact Assessment in the Processing of Personal Data [jun 2021]
• List of tables of the guidelines  Risk Management and Impact Assessment in the Processing of Personal Data [jun 2021]
• List of the types of data processing that require a DPIA (art 35.4) [sep 2019]
• Indicative list of the types of data processing that do not require DPIA (art 35.5) [aug 2019]

Tools

• Tool for managing the RoPA, the generation of the Inventory of Processing Operations and the risk analysis MANAGE RGPD [may 2024]
• User Manual of the Tool for managing the RoPA, the generation of the Inventory of Processing Operations and the risk analysis MANAGE RGPD [may 2024]
• Tool for the analysis of risk factors: EVALUA-RISK v2 [sep 2022]
• Tool to help compliance with GDPR for entities that carry out low risk processing activities: FACILITA GDPR [may 2019]
• Tool to help entrepreneurs and technology start-ups to comply with data protection regulations: FACILITA-EMPRENDE [jun 2020]

Templates and forms

• Template For Data Protection Impact Assessment Report (DPIA) For Public Administrations [apr 2022]
• Template For Data Protection Impact Assessment Report (DPIA) For Private Sector [mar 2022]
• Checklist for determining the formal adequacy of a DPIA and the submission of prior consultation [feb 2022]

International recommendations and guidelines

• ART.29 WP 248: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 [oct 2017]
• ART.29 WP 218: Statement on the role of a risk-based approach in data protection legal frameworks [mayo 2014]
• NIST (National Institute of Standards and Technology): SP 800-53B Security and Privacy Controls for Information Systems and Organizations [sep 2020]
• NIST: Spreadsheet (.xlsx) version of SP 800-53B controls [sep 2020]

Telecommuting

Guidelines and technical surveys

• Recommendations to protect personal data in situations of mobility and telecommuting [apr 2020]

Posts

• Telecommuting and data protection in the digital sphere [jul 2021]
• Privacy in Online Meetings [feb 2021]

International recommendations and guidelines

• ART.29 WP 249:  Opinion 2/2017 on data processing at work [jun 2017]