Report to the GDPR

The duty to report to the GDPR: the first layer of information

It has been a year since the General Data Protection Regulation (“GDPR”) was fully enforced and the low degree of compliance regarding the duty to report when personal data is collected in a web environment remains surprising, particularly the first layer of information required by the regulation, as discussed below. Conversations with clients and web developers often take place in which they show their surprise when you talk about information in “two layers”. “I’ve never heard of it” or “That’s the first I’ve heard” are very commonplace answers.

The duty to report in two layers is an obligation that the Spanish Data Protection Agency (AEPD) left patently clear even before that fateful 25th May 2018, and did so in its Guide on the Duty to Report.

What does information in two layers mean?

In essence, what it means is that the owners of websites or other digital environments where data is collected must provide users with the minimum amount of information in two different formats. As we’ve said here, we’ll discuss the first-layer information or basic information, as this is where a lower degree of compliance is observed.

protecció de dades

Basic information (First Layer):

This is the point where we lawyers have most “scuffles” with web designers, as the guide requires this minimum information be in the “same visual field” ” as the place where the data is collected. Therefore, the information indicated below must be in the same visual location as the place where the data is requested (normally a form). The following should be displayed in this location:

  • The basic data of the website owner. Full company name, if the website owner is a company, or full name if it is an individual.
  • What is the purpose of the data. The purpose of the data must really be correctly analysed. In other words, if you collect data on a form in order to solve any queries that may arise, then that is the purpose. However, if you want to use the data to inform contacts of future sales promotions, then this is a second purpose.
  • What enables us to process the data. The GDPR foresees six cases in which the processing of data is legitimate. Consent is merely one of the six. Consent is normally included here by default, although the following must be considered: if you say that you process the data because you have consent: (1) it must be expressly obtained, and (2) consent can, by definition, be revoked and, therefore, you should ask yourself what would happen if consent is withdrawn once it has been given? Therefore, the six cases should be analysed properly and you should be thorough with the option chosen. The most commonplace used are: compliance with an agreement between the website owner and the data subject, or compliance with a legal obligation.
  • The data recipients. The service providers are not the recipients. Nor are the departments of the same company. A recipient should be considered any third party accessing the data to use it in an independent manner. Also think about whether the data collected is also transferred to the Public Authorities.
  • Data subject rights. This is not overly complicated. The rights remain essentially the same.
  • A link to the full Privacy Policy. Even less complicated. A link to the full text or second layer of information, which will be discussed in the next post.

We’ll end with an example of the penalty proceedings filed by the AEPD against the Royal Spanish Football Federation for not including the minimum amount of information in the data collection process. In this case, the case was filed as the Federation modified the terms and contents of its Privacy Policy while the proceedings were underway.

The legality of your company,
in the best hands


(+34) 692 14 05 71