WELCOME TO ATGROUP

ATGroup, consultant specialized in the Law of Information and Communication Technologies.

About us

ATGroup, as a leading consultant in the application of the Law of New Information and Communication Technologies, we are specialized in the application of the Data Protection Regulation (EU) and the Organic Law of Protection of Personal Data and Guarantee of Digital Rights , as well as advice on advanced Electronic Signature solutions and Electronic Commerce and E-Administration projects.

Our objective is to provide quality legal advice and consulting services.

The ATGroup team is composed of qualified first-line specialists: Jurists specialized in ICT, as well as technologists of different profiles. At ATGroup we believe in ongoing research to be able to offer our clients the best and most adjusted solutions.

Our headquarters are in Barcelona. However you can also find us in Malaga, Madrid, Valencia and Murcia.


Latest News

April 8th, 2021

FLoC: THE END OF COOKIES... EXCEPT FOR GOOGLE

Google is preparing the FLoC, an update to its famous Google Chrome browser in which they will not accept any third party cookies
t has recently come out in the media that Google is preparing a major change to its famous CHROME browser that will consist of two key elements:

 First You will only accept Google’s own cookies and not those of third parties.
 Second Google cookies will use FLoC technology to filter users by cohorts or common interest groups.

Without a doubt, it may seem like an advance in privacy with respect to the current system where multiple companies develop their cookies (browser attachments with different functions) and generate their own user profiles in an absolutely decentralized system, Unlike Google, where the future model will be totally controlled by the Internet giant with no option to third-party participation in the segmentation of users.


It is clear that the current system of cookies may involve situations not wanted by the user and to avoid such situations the AEPD ,(we understand that with very good judgment) has required all website owners to allow the user to choose which cookies they accept or not before browsing a website. In this way, it is the user who chooses which level of privacy you want in the navigation within a web.

With the new model proposed by Google will not make sense such cookie settings, since only those that the dominant operator has developed for itself will be accepted, and surely the user when entering a website will only have to answer a binary question, that is whether or not I agree to enter the FLoC system.

The Federated Learning of Cohorts (FLoC) of Google, consists in identifying the user according to their tastes and browsing activity within a certain group or cohort, assigning a differentiated ID according to interests and profiles. In this way you don’t have an individual but a group with common interests with advertising segmentation that can be of interest at any time for advertisers and agencies.

At this point, we see some light and also some shadow, as a positive and interesting element in the improvement of privacy would highlight the lack of identification of the end user, that is, the FLoC system does not allow to identify users one by one as it happens now, would only be allowed to know which cohort ID belongs, without going into absolute anonymity, but blurred within a similar interest group. Undoubtedly, this layer of concealment, if well done can be an improvement with respect to privacy.

As shadows, the truth is that we are concerned that only Google can make Chrome cookies, a dominant operator with more than 90% of the Western market, is certainly a monopoly that goes beyond borders and states, while it is true that the fragmentation of the market made it more difficult to monitor and supervise it, It is no less true that the coercive capacity of the European Supervisory Authorities is much greater in these third party operators than they can in the face of Internet monsters such as Google.

The second shadow, is the alternative that Google gives us with its FLoC system to the personal identification of the user, the operator proposes us to classify by groups (cohorts in Google language) consumers, so that each user according to their behavior would be segmented and classified according to the pattern designed by Google.

It is clear that these patterns of conduct are of maximum interest to Google, and not precisely because of their altruistic spirit, but to market with them advertisers and advertisers with maximum efficiency and without competition, since only Google will have access to such profiles.

In short, it is not unreasonable to think that with the excuse of improving the privacy of your browser, Single-motion Google eliminates the possibility for third parties to extract commercial information from browsing by not accepting third-party cookies and also imposes the exclusive monopolistic system of segmentation of potential customers through its own and only cookies of the FLoC system... the truth is that it seems to us a monopolistic practice that can harm both users and other small developers in the advertising world who will see how they have to change all their patterns and economic investment, as always in favor of monopoly.

It is clear that all the European supervisory authorities are well aware of the ways in which the issue can be taken up, there is concern about the monitoring over time of users, consumption trends, the true anonymisation of the FLoC cohorts, the processing of specially protected data.

In any case, users feel the fight of David against Goliath, try to control through administrative procedures the giants of the Internet, It is not an easy task for any European supervisory authority, nor can it have an optimal outcome if there are no other complementary measures to promote competition and stimulate compliance.

In conclusion, we would like to restate a wish, now with more sense than ever, that the European Union must take a step forward in its Digital policy, it is clear that there is a common border, financial, goods and even external relations policy, but we miss the promotion of policies of digital independence similar to those undertaken by China in its day with BAIDO, ALIBABA, TACENT and XAOMI, and even Russia with YANDEX, certainly necessary alternatives and examples to follow if we are to have some European digital independence.

We will see in a few months where the FLoC evolves, we will be waiting and we will keep you informed.

A greeting.

More Information

March 11th, 2021

SPANISH DATA PROTECTION AGENCY OPENS AN INVESTIGATION TO EMT ON SECURITY GAP IN FRAUD OF 4 MILLION EUROS

The AEPD has opened an investigation for possible security breach in the Municipal Transport Company of Valencia

The Spanish Data Protection Agency has estimated the appeal filed on June 1 by PP Councillor Carlos Mundina. This appeal will also investigate non-compliance with the EMT's data protection regulations.

From the political party they claim to appreciate very positively the opening of this investigation of the security breach in the EMT to avoid scams like the one that occurred a month ago and that it involved the theft of 4 million euros. The 'popular' warn in their claim a very low level of cybersecurity in the EMT as well as the lack of protocols in management. Consultancy Ernst and Young mentions that "EMT is not yet adapted to the legal obligations of the General Data Protection Regulation".

A statement is also collected by the EMT Data Protection Delegate about a possible security breach in Caixabank's e-banking in relation to possible phishing when accessing EMT's bank accounts in that entity.

Members of other political parties mentioned the major cybersecurity problems when the fraud of the 4 million euros occurred and which was certified by several important states. In addition, they claimed that the fact that there were cybersecurity problems in the EMT was cleared very prematurely, as there were notifications from the AEPD when the commission was closed.

More Information

March 4th, 2021

EU SANCTIONS SPAIN WITH 15 MILLION EURO FOR FAILING TO INCORPORATE A STANDARD FOR THE PROTECTION OF PERSONAL DATA IN TIME

The Court of Justice of the European Union (CJEU) on Thursday ordered Spain to pay a fine of €15 million for failing to transpose the directive on data protection in criminal matters into national law.

In July 2018, the European Commission opened infringement proceedings against Spain for failing to adopt the directive on the protection of personal data in the framework of the prevention and detection of criminal offences. This directive should have been adopted by member states before 6 May 2018, after a year of disputes, the European Commission asked the European Court of Justice to impose a sanction on Spain in July 2019.

The judgment given on February 25, 2021, has ruled in favor of the European commission and Spain will have to pay 15 million euros in addition to paying a daily amount of 89,000 euros if the non-compliance still persists.

The aforementioned directive introduces rules for the processing of personal data by law enforcement authorities in order to facilitate the exchange of information for the purposes of prevention, investigation, detection and enforcement of criminal penalties. The measure ensures that case-related data such as victims, witnesses, suspects and the perpetrators themselves are adequately protected in the criminal investigation.

The purpose of the measure is to facilitate cooperation between Member States in order to combat crime and terrorism more effectively on European territory. These EU rules contribute to the full realisation of an area of freedom, security and justice.

Arguments of Spain before the prosecution

Spain did not deny that it had failed to comply with its obligations to adopt and communicate the measures transposing the Directive, but argued that due to the very exceptional institutional circumstances, the activities of the government and parliament had been delayed. Let us remember that there was a functioning government and elections just around the corner.

Result of the judgment

In this Thursday’s judgment, the CJEU dismisses Spain’s arguments and declares its failure to comply with its obligations. In fact, on the date of completion of the written procedure in Luxembourg on 6 May 2020, the Sanchez government had not yet adopted or communicated the measures transposing the directive.
European judges therefore consider the fine to be an appropriate means of ensuring that Spain puts an end to it, as soon as possible, to the breach of the rule and considers that the fine is a deterrent to the future recurrence of similar infringements affecting the full effectiveness of EU law.

More Information

February 25th, 2021

BEUC DENOUNCES TIKTOK FOR MISLEADING MINORS AND VIOLATING EU DATA PROTECTION LAWS

The European Consumer Organisation (BEUC in French) together with 17 other organisations from 15 European countries are asking the European Union to initiate an investigation into the TikTok social network for multiple infringements of EU consumer law.

The trendy social network, TIKTOK, created by Chinese developer ByteDance has 800 million active users worldwide and is very popular among children and teenagers. In a 4-point press release, BEUC accuses tiktok of violating consumer rights in the EU.

BEUC’s claim that TikTok commits multiple rights violations and does not protect children from hidden advertising and inappropriate content. In the statement he details that TikTok’s "Terms of Service" points are not clear, but are ambiguous and disadvantageous to the user such as giving TikTok the irrevocable right to use, distribute and play videos created by users without pay and freely.

Regarding advertising within the application, according to BEUC, advertising is hidden. Through trends, hashtags or challenges created by advertising brands, users are motivated to participate by encouraging them to buy certain products without any filtering, contributing to hidden marketing and receiving subliminal advertising.

He also points out that TikTok is not protecting minors from inappropriate content, for example videos with suggestive content, from mistreatment, dangerous challenges, such as the Italian minor who died for imitating a challenge that consisted of self-drowning until losing consciousness.

Finally, they state that TikTok’s practices for the processing of personal data are misleading, as they do not inform their users about what personal data is collected, its purpose and the legal reason.

The CEO of BEUC says: "With this action, BEUC and its members want the authorities to launch a comprehensive investigation into Tik Tok’s policies and practices and to ensure that TikTok respects the rights of EU consumers."

More Information

February 19th, 2021

INVESTIGATION OPENED INTO MERCADONA FOR THE USE OF FACIAL SURVEILLANCE CAMERAS IN ITS SUPERMARKET

The AEPD opens an investigation into Mercadona for using facial recognition technology to detect possible individuals with restraining orders on the premises or workers.

The Spanish Data Protection Agency has initiated proceedings to carry out an investigation into Mercadona for the implementation of surveillance cameras that detect facial recognition of customers. This has occurred in more than 40 supermarkets that the company has in cities such as Zaragoza, Mallorca and Valencia. This investigation has been initiated as a result of different information published in the media in our country in which the special protection that exists for biometric data was mentioned. This procedure is still at an early stage, so many details of the case are not yet known.

Mercadona faces a rather high financial penalty in case the AEPD finally decides that an infringement has been committed. These data, being biometric, cannot be processed in the normal way, so article 83.5 of the General Data Protection Regulation would apply and lead to fines of up to 20 million euros.

Mercadona reports that it has complied with all the requirements previously specified by the AEPD and that it has acted with total transparency. This recently implemented system makes it possible to detect individuals who have been ordered to stay away from Mercadona or any of its employees. The aim is to prevent access to its supermarkets to anyone in this situation. Other large companies such as IBM or Amazon have already used this access control system but without success, as it was recently withdrawn by both companies due to the dubious ethics of its use.

The Valencian company insists that the system used is totally legal and that it does not store images for later use. They further reiterate that the customer at the entrance of the supermarket is informed with a sign containing the following message: "We inform ou that Mercadona S.A., in order to improve your security, has implemented a facial recognition system to detect only those people with a restraining order or analogous judicial measure in force that may pose a risk to your safety".

More Information

February 5th, 2021

HOW PLATFORMS USE YOUR DATA TO PREDICT YOUR BEHAVIOR

Intelligent algorithms are responsible for predicting what we will do. This is how the economic model of large technology works.
Marketing with our privacy is the order of the day to better sell us products or services and also condition our decisions. But, what is the business model and to what extent is our privacy at risk?


Social networks extract many of our personal data, such as the information you put in your profile, the photos you hang, the geolocation of your mobile, the purchases you make, the words you look for, messages you send and even those you end up deleting serve to fatten up personal reports that platforms keep from you to analyze your behavior.

The algorithms are computational codes that help the Artificial Intelligence process the millions of data to create statistics and patterns about your behavior and thus predict our movements. The amount of data is so large that even programmers don’t understand exactly how they operate anymore.

Last year the company Google faced a $5 million demand for tracking its users even when they were surfing in incognito mode. It is no longer just the data you consciously give out, but what is inferred from it. The greater the number of users, the more accurate their knowledge and calculations are to predict our behavior. It is true that their accuracy is our behavior. It is true that its accuracy to know us seduces us, but we must also emphasize that it retains us.

We cannot deny that the entry of the algorithms has meant an entire commercial revolution. Thanks to their intelligent mechanisms they manage to reach where we do not and locate potential customers. That can help a supermarket recommend, for example, gluten-free products to people suffering from intolerance, but also to personalize political ads.

More Information

February 1st, 2021

Take care of your health data, they are the most demanded by cybercriminals.

It is stated that health data is the most desirable for a cyber attack, due to the value that can be obtained from it.

According to Iván Mateos, a sales engineer at Sophos (a company specialized in next-generation cybersecurity), the relationship between cybersecurity and the pandemic is greater than we think.

A cybercriminal who steals data from us or from a company or organization can destroy it, or steal and use it. From impersonating us, to selling them for money or even kidnapping them and asking for a ransom for them.

The main problem is that we are not aware of what it may mean that personal data is stolen, and that is that a crime is committed by impersonating another person.

For all this, Mateos gives us safety advice. The most basic solution is "to distrust any mail from which we do not know its origin, the links that ask us for our data ..." In addition, it is essential to use secure passwords and change them in regular periods of time. Iván Mateos recommends using long passwords, which include lowercase, uppercase and different characters.

As obvious as the matter may seem, a large number of people do not follow this advice and, now that the pandemic has increased teleworking and therefore computing, it is essential to be aware of and value our personal data, rights and obligations as Internet users.

More Information

January 28th, 2021

PROHIBITION OF THE BANK OF SPAIN TO REQUIRE THE DECLARATION OF THE IRPF OF ITS EMPLOYEES

The High Court has ruled that this requirement infringes the protection of personal data.
The Social Chamber has annulled a paragraph of Article 8.2 of the Ordinance of the Bank of Spain. This paragraph obliged its employees to deliver the IRPF declaration in the process of verifying private financial operations.

The IRPF not only allows to know the economic data of the affected, but a whole range of data that appear in the same, as for example, their religion, ideas... data which, according to LOPDP 15/199 of 13 December, are particularly protected.

The court dismissed the appeals for cancellation by BANK OF SPAIN and FEDERATION OF WORKERS COMMISSIONS, against the sentence imposed by the National High Court that declared the nullity of a paragraph of article 8.2 of Ordinance 9/2017, which develops the Code of Conduct for the staff of the Bank of Spain.

The Chamber rejected the Bank of Spain argument that the worker’s consent was not necessary when exercising an entrepreneurial power, adding that the employer’s powers to control the activity of his employees are not omnibus, have the limit that the exercise of this right must respect the dignity of the worker.

It also ensures that the ECB Guidelines 2015/855 and 2015/856, Articles 5 and 3.3 impose on the Eurosystem central banks obligations to monitor compliance with the rules contained in the Guideline and compliance checks, either on a regular or ad hoc basis, but do not generally provide for the Bank to be able to claim from any of its employees their personal income tax returns or tax data.

Thus, it states that what is required is an obligation of supervision but not the way in which it is to be carried out, leaving to the decision of the Bank of Spain the way to carry out the supervision and verification of compliance with the rules of the Guideline. Finally, it considers that the measure required by the Bank of Spain does not exceed the three-fold constitutional requirement of being adequate, necessary and proportionate.

Finally, the Chamber concluded that there is no legal authorization for the Bank of Spain to request from its employees the IRPF declarations for up to four years, nor with the consent of the interested parties, because it infringes the right to the protection of personal data.

More Information

January 26th, 2021

THE DATA PROTECTION SPANISH AGENCY CREATES THE DIGITAL PACT FOR THE PROTECTION OF PEOPLE.

The agency seeks to promote a great agreement for digital coexistence, to promote the commitment to privacy and raise awareness about the dissemination of sensitive content on the networks.

The Agency affirms that it is necessary "that all the actors involved in the digital field, citizens and organizations, are aware of the consequences that the dissemination of particularly sensitive content can have on the life of the person affected and also the responsibilities in which may incur those who disseminate them (civil, criminal and administrative) ".

For this reason, there are already more than 40 business organizations, associations and foundations (among them the Spanish Red Cross, Mediaset, RTVE, Atresmedia…) that have assumed the commitment and will begin to implement the measures that the Agency has dictated.

One of the main measures will be to disseminate the Priority Channel, which will be in charge of the urgent and immediate elimination of sexual and violent content published without consent. It is also among them, supporting transparency so that everyone knows what they are used for. their data, in addition to promoting gender equality and the protection of children, among other situations of people in vulnerable situations.

The Digital Pact is divided into three parts; the letter of adhesion, the commitment to responsibility in the digital field and the Decalogue of good practices.

In the letter of adhesion, the signing entity agrees to implement the principles and recommendations of the Agency in its organization.
In the commitment to responsibility in the digital field, are the obligations that organizations have to fulfill. He is not looking for more to be assumed than there are, but he is looking for a tight commitment. Finally, the Decalogue of good practices, with which the Agency wants to promote all its measures among the media and organizations that have dissemination channels to inform their public.

The Digital Pact for the Protection of People of the Agency will be publicly presented at an event called I Forum on Privacy, Innovation and Sustainability, with the Honorary Presidency of their Majesties the Kings, on January 28, 2021 (the International Data Protection Day).

More Information

January 21st, 2021

FINE RECORD A CAIXABANK S.A WITH 6,000,000 EUROS

Caixabank has received a historic fine from the Spanish Agency for Data Protection. The entity violated three of the articles of the current regulation, including one classified as very serious.

The Caixabank entity will have to face a fine of 6 million euros for having violated three GDPR regulations. The agency imposes a fine of 2 million, considered slight, for failing to comply with the regulations of article 13 and 14, while the remaining 4 million come from skipping article 6, an infraction classified as very serious by the regulations.

It all dates back to 2018, after conducting an investigation into a complaint by an individual and a subsequent one in 2019 led by the FACUA (Consumers Association) against the ‘Framework Agreement’ of privacy that all clients of said bank must sign. The ‘Framework Agreement’ is nothing more than an agreement between one or more buyers or suppliers, which establishes how the contracts will govern, in a certain period of time. The sentence document consists of 177 pages and details how the Caixabank entity infringed the articles and has not corrected what has been requested by the institution.

Among the failures mentioned by the GDPR, referring to the first 2 points, we find that the information offered in the different documents or channels is not uniform. Inaccurate terminology is used to define the privacy policy, we also found a lack of information on the category of personal data.

Regarding point 6, the Spanish Data Protection Agency affirms that La Caixa does not give a good justification of the legal basis for the processing of personal data, it fails to comply with the requirements established for the provision of a valid service. It also talks about some deficiencies in the processes enabled to obtain the consent of its clients and the procedure through which they go to give their consent for the collection and processing of their personal data.

In addition to the sanction imposed, the AEPD obliges the entity to adapt the personal data protection regulations within six months, the personal data processing operations carried out, the information offered to its clients and the procedure through which They must give their consent for the collection and processing of their personal data.

According to the agency, Caixabank has not had a very collaborative attitude on its part and the corrections that have been made by the company have not really been a true regularization of the irregular situation that we have been able to verify in the sanctioning procedure.

More Information

January 18th, 2021

FINE TO TWITTER EUROPE FOR INFRINGEMENT OF THE GDPR.

On December 15, the Irish Data Protection Agency imposed a fine of 450,000 euros onTwitter Europe (located in Ireland), the result of not communicating a personal data security breach to the Irish DPA in time and for not having properly documented it .

This breach affected thousands of people in the different European countries, and as a consequence the DPA had to coordinate and cooperate with the interested control authorities of these affected countries.

This led to the use for the first time of the conflict resolution process through the European Data Protection Committee, which would act as an arbitrator between the Main Control Authority and the rest of the authorities.

The cause of this sanction goes back three years, precisely on December 29, 2018, when a third party noticed the existence of an error in the code of the Twitter system and that it especially affected Android users.

This error assumed that if the Android user changed the email linked in his Twitter account, the protected tweets, that is, those tweets that supposedly only the user's followers have access, would become accessible to everyone.

On January 3, 2019, Twitter USA decided that this error should be treated as a security breach, something that was not notified to Twitter Europe until after four days and later to theIrish DPA.

According to the communication that Twitter Europe sent to the Irish DPA, between September 5, 2017 and January 11, 2019, more than 88,000 people were affected by thiserror.

According to the DPA, Twitter EU should have been aware of the security breach on January3, 2019, the date on which Twitter USA internally classified as a security breach. This lack of communication caused Twitter EU to notify the incident outside the established limit, which is the first 72 hours, as established in article 33.1 of the GDPR.

Ultimately, the Irish DPA concluded that Twitter EU violated Article 33.5 of the GDPR by not properly documenting the security breach and providing this information to the Irish DPA during its investigation.

For all this, Twitter EU has ended up receiving its first fine for violation of the General DataProtection Regulation.

More Information

January 14th, 2021

THE NEW AND CONTROVERSIAL CONDITIONS OF WHATSAPP

New year and new changes. WhatsApp, the well-known mobile messaging application, has decided to modify its security policies. These changes, as Facebook has well explained, will take place from February 8 of this year.

Probably, if you are a WhatsApp user, in these first days of the year you will have encountered a warning message when trying to access. This is because the well-known messaging application has decided to change its conditions and privacy policies, as it announced at the end of last year. This change will force users who use it to share their personal data with Facebook (owner of the app).

By accepting the new terms and conditions, the user will allow the application or companies such as Facebook and Twitter to have almost total access to their activities, which include text messages, contacts, purchases and interactions with third parties, among others.

According to the telecommunications company, the changes will take effect on February 8. The user, in order to continue using the application, must accept these conditions. If you reject them, you will not be able to continue using it.

However, this new obligation will only affect users who reside outside the European Union. Both EU and UK citizens will not be affected by the new platform conditions. Instead, this warning message goes out to all users. Why does this happen?. As Facebook has explained, all users must accept them even if it does not apply to European accounts.

Facebook's decision to link more closely with WhatsApp is a response against Apple, as last year it introduced a feature that allowed users to decline to be tracked by Facebook. This fact harmed the advertising business of Mark Zuckerberg's company, which used this tracking to collect personal data from users and thus later sell them to third parties in order to personalize their ads.

After the American company announced this modification in its terms and conditions, thousands of Internet users have chosen to explore other types of platforms to get rid of these measures imposed by WhatsApp on its users. A decrease in downloads of approximately 11% has even been observed in these first days of January.

More Information

January 4th, 2021

THE SUPREME COURT RECOGNIZES A NEW RIGHT

The Supreme Court recognized the right to be able to remove localized content from an Internet search engine by putting the two surnames of a person and not only with the full name as was previously established.

The Administrative-Containment Chamber has issued a ruling that decrees that the exercise of the right to be forgotten allows any affected person to demand that a search engine (such as Google) remove any information found from the name from its results lists complete or only including both surnames.

The Supreme Court establishes as regulations the exercise of the right of opposition, rectification or cancellation of data processing, and, where appropriate, the right to be forgotten, recognized in article 6.4 of the Organic Law on Protection of Personal Data, which empowers the interested person to demand that the manager of a search engine eliminate all the results obtained from the full name or the two surnames, such as links to web pages, legally published to third parties, that contain truthful data and information, related to person.

The Chamber studied the case raised by a person who asked Microsoft Corporation, manager of the Bing search engine, to de-index the URLs for searches made not only by his full name, but also by his last name. Microsoft agreed to the first request but rejected the second on the basis that the two surnames are not an irrefutable identifier of a person.

Likewise, the AEPD and the National Court did not agree to said claim in relation to the two surnames, considering that, according to the Civil Registry regulations, people are designated by their name and surname.

On the other hand, the Supreme Court annulled this judgment by upholding the appeal of the interested party. The court argued that it was not coherent to recognize the right to be forgotten when the search is carried out from the full name of a person and deny it when it was carried out only from the two surnames of the person, this implied not taking into account the general principles of the Law of the European Union.

Therefore, the Chamber considered that the criterion maintained in the contested judgment lacked support and would imply restricting, unjustifiably, the right to require the manager of a search engine to remove it from the list of results, owned by the person affected.

More Information

December 28th, 2020

US SANCTIONS SANTANDER FOR NOT REVIEWING MILLIONS OF EMAILS FROM ITS WORKFORCE

The US regulatory authority has sanctioned the entity's subsidiary with 123,000 euros for a computer failure that left 6 million emails from three-quarters of its staff out of supervision.

This event occurred between January 2014 and January 2019 when the subsidiary became aware of the existence of said computer failure and reported it to the authorities in February 2019.

As indicated in article 2110, the members of the regulator to which Santander belongs since 1994, have the obligation to supervise all mail that enters and leaves their employees related to the company's business.

Ana Botín's entity did not realize the problem until five years later when they started looking for an old email and could not find it.

According to Santander, this problem is already solved. They have implemented changes in the policies and processes they use in order to prevent this event from happening again in the future.

At the beginning of November, the subsidiary signed the document agreeing to pay the imposed penalty of 123,000 euros.

More Information

December 24th, 2020

BBVA'S PENALTY PROCEDURE

The Spanish Data Protection Agency sanctions the BANCO BILBAO BISCAIA ARGENTARIA, S.A. entity.

The reasons that led to this event were:

 • Failure to comply with the personal data protection regulations by the personal data processing operations carried out.
 • Failure to properly inform the customer of the circumstances regulated in Articles 13 and 14 of the General Data Protection Regulation (GDPR) or the latter would not have validly given consent.

For all this a fine of 5,000,000 euros is imposed on it for the infraction of the articles 6, 13 and 14 of the GDPR, and that within six months it becomes suitable for the personal data protection regulations processing operations that performs, the information offered to its customers, the procedure by which they must give their consent for collection and treatment of their personal data.

More Information

December 21st, 2020

AT Group wishes you a Merry Christmas and a Happy New Year 2021

We know this year has been a tough year for everyone and, therefore, we have made great efforts to overcome all the adversities we have found. We are still here without giving up, managing to adapt to this new normality as a team, with patience and care.

Now more than ever, we must show what we are capable of and stick together, always taking security measures into account.

On behalf of the entire AT Group team, we wish you a Happy Christmas Holidays and a New Year full of health, prosperity and opportunities.

Thanks to all of you, who are still by our side and also thanks to all of you who have been and the circumstances have not allowed you to stay.

More Information

November 25th, 2020

SIGNED THE COLLABORATION AGREEMENT BETWEEN ATGROUP AND MAPFRE

ATGroup, after a strict selection process in the search for the appropriate strategic partner in technical insurance, has selected the accredited insurer Mafre, signing the corresponding agreement on yesterday's date at ATGroup's Barcelona facilities.

As a result of ATGROUP's interest in solving the numerous requests from its clients regarding the assurance of TECHNOLOGICAL and CORPORATE risks, an arduous process of selecting the appropriate strategic collaborator began to respond to our clients' needs regarding the assurance of technical and commercial risks.

From the strict selection process, ATGROUP has selected the well-known and highly accredited MAPFRE company, with implementation throughout the entire geographic scope of ATGROUP's activity and with the capacity to meet both the assurance requirements in PRIVACY services and other types of services, such as those of COMPLIANCE or ENVIRONMENTAL.

With this agreement ATGROUP will advise its clients and collaborators on risk assurance products in terms of CYBERSECURITY and all kinds of technological risks with the strategic support of the leading company in the sector.

More Information

May 11th, 2020

MEGAFOR STARTS THE REGISTRATION OF ITS COURSE OF DIRECTOR OF SECURITY AND HEAD OF SECURITY

MEGADOR in collaboration with AJSE and ATGROUP, has opened the enrollment process for its Director of Security and Head of Security course.

Following the most advanced training programs, MEGAFOR has started registering for the course that allows access to the Double Degree of Director of Security and Head of Security , following the collaboration agreement signed with the prestigious University European Miguel de Cervantes , the degree obtained will allow the student to access a prestigious professional career as responsible within the Private Security sector. The course will start in September of this year 2020 , if the social and health circumstances allow it. Attached is the enrollment document for Megafor .

We remain at the disposal of our students and interested in the usual telephones and directly in MEGAFOR:
info@megafor.es
tel. 688.854.840
www.megafor.es

A cordial greeting.
ATGROUP

More Information

May 11th, 2020

DATA PROTECTION DELEGATE COURSE AJSE PROGRAM RECOGNIZED BY ANF-AC

Starting on May 18, the online classes of the AJSE Data Protection Delegate Course are restarted, taught by qualified ATGROUP personnel, valid for the presentation of the examination of DPO of ANF-AC, entity approved to carry out these tests by ENAC according to the AEPD Certification Scheme.

Expecting to have passed the hardest phases of the COVID 19 pandemic and following the processes of adaptation to the new general situation in the Private Security sector and training, the course continues with the program developed by ATGROUP for AJSE, the which is recognized by ANF-AC as valid to teach the 180 course that enables the presentation to the DPO Certification Exam.

The aforementioned course addresses the needs of a DPO, adding the specific knowledge that a Head of Security or a Director of Security may need in terms of data protection in the exercise of their profession.

The figure of the Data Protection Officer is mandatory under current legislation for Private Security companies.

In this part of the course, and until the sanitary circumstances allow it, only the personalized tutorials and the master classes will be carried out electronically, with the tools made available to the student and the teaching staff.

We also take the opportunity to communicate that registration for the new editions of the Course is already open.

More Information

May 5th, 2020

NEW SCHEDULE COVID 19

Dear clients, friends and collaborators.

We inform you that due to the pandemic situation created by COVID 19, and following the instructions of the competent authorities, we inform you that visits to our facilities may only be made by previously arranged visits.
If you belong to some of the risk groups or are over 65 years of age, please let us know to grant you a special maximum protection time slot.

To arrange visits or to request any type of information, we are at your disposal at:
93. 345 96 82/902 090 162
Email: info@atgroup.es

More Information

March 31st, 2020

POSTPONEMENT OF THE SEMI-PRESENTIAL COURSE OF DIRECTOR OF SECURITY MEGAFOR-AJSE-ATGROUP due to the COVID crisis 19

The development of the Megafor.-AJSE-ATgroup Safety Director semi-face-to-face course has been postponed until the autumn-winter of this year.

Due to the extraordinary situation that the CONVID 19 crisis has generated, Megafor has decided to postpone the Security Management course that was going to be developed in collaboration with AULA TECNOMEDIA, at its facilities on Avenida Meridiana.
The new dates and the registration opening period will be announced shortly, so that anyone interested can attend it.
For the present edition that has been moved from dates, it also has the most qualified teachers, as in previous editions of previous years.
The documentation attached to the course is attached.
We remain at the disposal of our students and those interested in the usual telephones and in the mail formacion@atgroup.es .
A cordial greeting.

More Information

March 20th, 2020

DATA PROTECTION AND COVID-19

We want to share with you the informative bulletin that our team has elaborated based on the current situation that crosses the Country in relation to the COVID-19.
We want to keep all our clients, collaborators or interested parties informed about the measures implemented and how they may affect the Data Protection area.

Download PDF View Online

More Information

The Group

Our project is to bring closer the Law to the Information and Communication Technologies.

ATGroup is a leading consultant in the application of New Information and Communication Technologies Law.

Our mission is focused on providing a quality legal-technological advisory and consultancy service specialized in the application of Information and Communication Technologies Law.

ATGroup is a pioneer consultant in providing innovative and creative solutions to the problems posed by the application of Information and Communication Technologies Law in companies.

We are specialized in the Data Protection Regulation, advice on advanced Electronic Signature solutions and Electronic Commerce projects and E -Administration.

Their consultants, all with a bachelor's degree and/or doctorate, combine their professional activity with university studies.

As an element connected to the ATGroup project, is found BUFETE ORTEGA, rofessional Law Firm founded in Barcelona in 1977, being, in actually, the second generation that have the management of the firm.

The profession of BUFETE ORTEGA is offer specialized legal support in those matters or functions that cover other branches of legal knowledge, different from the previous ones (Administrative, Commercial, Criminal Law, etc.)

Finally, EVIDENTIA, directed by Doctor José Navarro, which is an independent brand, but with close ties of collaboration and synergies with the rest of ATGroup, since its purpose is digital investigation and forensic examination of the IT element.


The Team

Jorge

Founding Lawyer

Carolina

Administrativa

Laura

Lawyer

David

Lawyer

Clara

Lawyer

Ricard

Lawyer

Imad

Consultant

Eira

Law Degree


Our services

  1. General Catalogue

  2. Privacy Services Catalogue