Regulatory compliance

GDPR and LOPDGDD compliance

If your organisation handles people's data, and almost all of them do, the GDPR requires you to comply. We help you do it properly and without the stress: the records of your processing activities, the response to breaches, the rights of your customers and the data protection officer if you need one.

A team specialised in data protection and information security, with industry certifications.

What it is

The law that protects people's data

The GDPR (the European data protection regulation, known in Spanish as the RGPD) applies in Spain alongside the LOPDGDD. It requires any organisation that processes personal data, whatever its size, to do so with respect for people: with a basis that justifies it, with security and with transparency. The authority that oversees compliance is the AEPD (Spanish Data Protection Agency).

It almost certainly applies to you

This is not just a matter for large companies. If you have customers, employees or a website with forms, you process personal data, and the GDPR applies to you from day one.

It is not just paperwork

Complying properly is not about keeping a couple of documents on file. It is knowing what data you process, why, where it is and how you protect it, and being able to prove it if the AEPD asks.

The focus is shifting

Oversight now centres on video surveillance, marketing without consent, breaches and the use of AI and biometrics with personal data. It pays to stay up to date.

The obligations

What the GDPR requires

The regulation translates into a handful of concrete obligations. Not all of them apply to everyone in the same way, but these are the ones that carry the most weight in an organisation's day to day.

Records of processing

Knowing and documenting what data you process, for what purpose, for how long and with whom you share it.

Response to breaches

If there is a data leak, notifying the AEPD within seventy-two hours, and those affected if the risk is high.

People's rights

Attending to anyone who wants to access, rectify or delete their data, normally within one month.

Data protection officer

Appointing a DPO when the law requires it: large-scale processing, sensitive data or the public sector.

To this you add security measures proportionate to the risk, the contracts with the suppliers who process data on your behalf, and impact assessments when a processing activity is particularly sensitive.

Who it applies to

Does the GDPR apply to you?

The GDPR does not care about size. It affects companies, sole traders and public authorities alike, as soon as they process people's data. The question is usually not whether it applies to you, but how much and how.

Companies: of any size and sector
Sole traders: professionals with customers or suppliers
Public authorities: the public sector, with a mandatory DPO

What changes is the intensity: a clinic that processes health data or a company that does profiling with AI has more demanding obligations than a shop with a customer list. The analysis clarifies what falls to you.

Service

What compliance includes

Analysis of your processing: what data you handle, whose it is, for what purpose and where it is, your own and third parties'.

Records of processing activities complete and up to date, the backbone of your compliance.

Legal bases and consent: making sure each processing activity has a legal justification and, where needed, valid consent.

Breach and rights protocol: procedures to respond to a leak on time and to attend to data subjects.

Contracts and legal texts: data processing agreements with suppliers, information clauses and the privacy policy for your website.

Data protection officer: we take on the DPO role or support you so that you meet it, if it falls to you.

Method

How we work

01 Diagnosis

We look at what data you process and where you stand on the GDPR and the LOPDGDD, without taking anything for granted.

02 Compliance plan

We prioritise what carries the most risk: records, legal bases, breaches and any texts that are missing.

03 Implementation

We set up the records, the procedures, the contracts and the security measures that apply.

04 Maintenance

Data protection never ends: we support you so it stays alive and up to date, with a DPO if you need one.

Synergies

Protecting data also means genuinely protecting it

The GDPR is not met with documents alone: it requires data to be genuinely secure. That is why data protection and information security go hand in hand. If we also work on your ISO 27001, the technical measures the GDPR asks for are already covered by an orderly management system, and the records of processing fit with the asset inventory.

And there are two more bridges. Data breaches are security incidents, so the response the GDPR sets up is the same one a SOC like Sondriva monitors. And if you use AI with personal data, the GDPR and the AI Act intersect: we help you make them fit together instead of treating them separately.

Questions

Frequently asked questions

Does the GDPR apply to my small business?

Yes. The GDPR does not care about size: it affects any organisation that processes personal data, from a sole trader to a multinational. If you have customers, employees, suppliers or a website with a contact form, you process personal data and the regulation requires you to comply. What changes with size and the type of data is the intensity of the obligations, not the fact that you have to comply.

What is the difference between the GDPR and the LOPDGDD?

The GDPR is the European regulation, common to the whole Union. The LOPDGDD is the Spanish law that develops and completes it with its own aspects, such as digital rights or certain particularities of the public sector. In Spain they apply together, and the authority that oversees compliance is the AEPD (Spanish Data Protection Agency). We work with both at the same time, because complying with one without the other leaves gaps.

Am I required to have a Data Protection Officer?

It depends. A DPO is mandatory when you process data on a large scale, handle special categories such as health data, carry out systematic monitoring of people or you are a public authority. Many SMEs are not required to, but appointing one voluntarily is good practice. We analyse your case and, if it applies to you or interests you, we can take on that role ourselves.

What do I do if I suffer a security breach?

If there is a data leak with a risk to people, you have to notify the AEPD (Spanish Data Protection Agency) within seventy-two hours, and inform those affected if the risk is high. The problem is that the clock starts running from the moment you detect it, so without a procedure prepared in advance it is very hard to meet the deadline under pressure. That is why we set up the breach protocol before anything happens.

What happens if I do not comply?

GDPR fines are high, up to several million euros or a percentage of turnover, depending on the severity. In Spain the LOPDGDD adds a band of minor infringements that for SMEs usually ends in a warning. But beyond the fine, a penalty or a poorly handled breach has a reputational and trust cost that usually hurts more than the amount.

Is data protection related to cybersecurity?

Very much so. The GDPR requires security measures to protect data, so complying properly means having the information genuinely protected, not just documented. That is why it fits with ISO 27001 and with the monitoring of a SOC: data breaches are security incidents. Working on both things together avoids duplicating effort and closes the loop.

Where do you provide the service?

Throughout Spain. Much of GDPR compliance is documentary and analytical, so we work with you wherever you are. If you prefer to be close by, we are in Tudela, Navarra.

Direct line

Shall we talk?

Tell us what data your organisation handles and where you stand. In a first conversation we will tell you what you are missing to comply with the GDPR and where to begin.

Get in touch