ATGroup, consultant specialized in the Law of Information and Communication Technologies.

About us

As a leading consultant in the application of the Law of New Information and Communication Technologies, ATGroup specializes in the application of the Data Protection Regulation (EU) and the Organic Law of Protection of Personal Data and Guarantee of Digital Rights, as well as in advice on advanced Electronic Signature solutions and on Electronic Commerce and E-Administration projects.

Our objective is to provide quality legal advice and consulting services.

The ATGroup team is composed of qualified first-line specialists: jurists specialized in ICT, as well as technologists of different profiles. At ATGroup we believe in ongoing research to be able to offer our clients the best and most closely tailored solutions.

Our headquarters are in Barcelona. However, you can also find us in Malaga, Madrid, Valencia and Murcia.

Latest News

January 26th, 2021


The agency seeks to promote a great agreement for digital coexistence, to promote the commitment to privacy and raise awareness about the dissemination of sensitive content on the networks.

The Agency affirms that it is necessary "that all the actors involved in the digital field, citizens and organizations, are aware of the consequences that the dissemination of particularly sensitive content can have on the life of the person affected and also the responsibilities that those who disseminate them may incur (civil, criminal and administrative)".

For this reason, there are already more than 40 business organizations, associations and foundations (among them the Spanish Red Cross, Mediaset, RTVE, Atresmedia…) that have assumed the commitment and will begin to implement the measures that the Agency has dictated.

One of the main measures will be to disseminate the Priority Channel, which will be in charge of the urgent and immediate elimination of sexual and violent content published without consent. Also among them is supporting transparency so that everyone knows what their data are used for, in addition to promoting gender equality and the protection of children, among other situations affecting vulnerable people.

The Digital Pact is divided into three parts: the letter of adhesion, the commitment to responsibility in the digital field and the Decalogue of good practices.

In the letter of adhesion, the signing entity agrees to implement the principles and recommendations of the Agency in its organization.
The commitment to responsibility in the digital field sets out the obligations that organizations have to fulfill. It does not seek to have them assume more obligations than already exist, but it does seek a firm commitment. Finally, there is the Decalogue of good practices, with which the Agency wants to promote all its measures among the media and organizations that have dissemination channels to inform their public.

The Agency's Digital Pact for the Protection of People will be publicly presented at an event called I Forum on Privacy, Innovation and Sustainability, with the Honorary Presidency of Their Majesties the King and Queen, on January 28, 2021 (the International Data Protection Day).


January 21st, 2021


Caixabank has received a historic fine from the Spanish Agency for Data Protection. The entity violated three of the articles of the current regulation, including one classified as very serious.

Caixabank will have to face a fine of 6 million euros for having violated three articles of the GDPR. The agency imposes a fine of 2 million, considered slight, for failing to comply with articles 13 and 14, while the remaining 4 million come from breaching article 6, an infraction classified as very serious by the regulations.

It all dates back to 2018, after an investigation into a complaint by an individual and a subsequent one in 2019 led by FACUA (Consumers Association) against the privacy ‘Framework Agreement’ that all clients of the bank must sign. The ‘Framework Agreement’ is nothing more than an agreement between one or more buyers or suppliers, which establishes how contracts will be governed over a certain period of time. The sentence document consists of 177 pages and details how Caixabank infringed the articles and has not corrected what the institution requested.

Among the failures mentioned by the GDPR, referring to the first 2 points, we find that the information offered in the different documents or channels is not uniform. Inaccurate terminology is used to define the privacy policy, and we also found a lack of information on the category of personal data.

Regarding point 6, the Spanish Data Protection Agency affirms that La Caixa does not give a good justification of the legal basis for the processing of personal data and that it fails to comply with the requirements established for the provision of a valid service. It also talks about some deficiencies in the processes enabled to obtain the consent of its clients and in the procedure through which they give their consent for the collection and processing of their personal data.

In addition to the sanction imposed, the AEPD obliges the entity to adapt to the personal data protection regulations, within six months, the personal data processing operations carried out, the information offered to its clients and the procedure through which they must give their consent for the collection and processing of their personal data.

According to the agency, Caixabank has not had a very collaborative attitude, and the corrections that have been made by the company have not really been a true regularization of the irregular situation that we have been able to verify in the sanctioning procedure.


January 18th, 2021


On December 15, the Irish Data Protection Agency imposed a fine of 450,000 euros on Twitter Europe (located in Ireland), the result of not communicating a personal data security breach to the Irish DPA in time and for not having properly documented it.

This breach affected thousands of people in the different European countries, and as a consequence the DPA had to coordinate and cooperate with the interested control authorities of these affected countries.

This led to the use for the first time of the conflict resolution process through the European Data Protection Committee, which would act as an arbitrator between the Main Control Authority and the rest of the authorities.

The cause of this sanction goes back three years, precisely on December 29, 2018, when a third party noticed the existence of an error in the code of the Twitter system and that it especially affected Android users.

This error meant that if an Android user changed the email linked to their Twitter account, the protected tweets, that is, those tweets that supposedly only the user's followers can access, would become accessible to everyone.

On January 3, 2019, Twitter USA decided that this error should be treated as a security breach, something that was not notified to Twitter Europe until four days later, and later still to the Irish DPA.

According to the communication that Twitter Europe sent to the Irish DPA, between September 5, 2017 and January 11, 2019, more than 88,000 people were affected by this error.

According to the DPA, Twitter EU should have been aware of the security breach on January 3, 2019, the date on which Twitter USA internally classified it as a security breach. This lack of communication caused Twitter EU to notify the incident outside the established limit, which is the first 72 hours, as established in article 33.1 of the GDPR.

Ultimately, the Irish DPA concluded that Twitter EU violated Article 33.5 of the GDPR by not properly documenting the security breach and providing this information to the Irish DPA during its investigation.

For all this, Twitter EU has ended up receiving its first fine for violation of the General Data Protection Regulation.


January 14th, 2021


New year and new changes. WhatsApp, the well-known mobile messaging application, has decided to modify its security policies. These changes, as Facebook has well explained, will take place from February 8 of this year.

If you are a WhatsApp user, in these first days of the year you will probably have encountered a warning message when trying to open the application. This is because the well-known messaging application has decided to change its conditions and privacy policies, as it announced at the end of last year. This change will force its users to share their personal data with Facebook (owner of the app).

By accepting the new terms and conditions, the user will allow the application or companies such as Facebook and Twitter to have almost total access to their activities, which include text messages, contacts, purchases and interactions with third parties, among others.

According to the telecommunications company, the changes will take effect on February 8. The user, in order to continue using the application, must accept these conditions. If you reject them, you will not be able to continue using it.

However, this new obligation will only affect users who reside outside the European Union. Neither EU nor UK citizens will be affected by the new platform conditions. Even so, this warning message goes out to all users. Why does this happen? As Facebook has explained, all users must accept them even if it does not apply to European accounts.

Facebook's decision to link more closely with WhatsApp is a response against Apple, as last year it introduced a feature that allowed users to decline to be tracked by Facebook. This fact harmed the advertising business of Mark Zuckerberg's company, which used this tracking to collect personal data from users and thus later sell them to third parties in order to personalize their ads.

After the American company announced this modification in its terms and conditions, thousands of Internet users have chosen to explore other types of platforms to get rid of these measures imposed by WhatsApp on its users. A decrease in downloads of approximately 11% has even been observed in these first days of January.


January 4th, 2021


The Supreme Court recognized the right to have content removed that is located through an Internet search engine by entering a person's two surnames, and not only the full name as was previously established.

The Contentious-Administrative Chamber has issued a ruling that decrees that the exercise of the right to be forgotten allows any affected person to demand that a search engine (such as Google) remove from its results lists any information found from the complete name or from only the two surnames.

The Supreme Court establishes as regulations the exercise of the right of opposition, rectification or cancellation of data processing, and, where appropriate, the right to be forgotten, recognized in article 6.4 of the Organic Law on Protection of Personal Data, which empowers the interested person to demand that the manager of a search engine eliminate all the results obtained from the full name or the two surnames, such as links to web pages, legally published to third parties, that contain truthful data and information related to that person.

The Chamber studied the case raised by a person who asked Microsoft Corporation, manager of the Bing search engine, to de-index the URLs for searches made not only by his full name, but also by his last name. Microsoft agreed to the first request but rejected the second on the basis that the two surnames are not an irrefutable identifier of a person.

Likewise, the AEPD and the National Court did not agree to said claim in relation to the two surnames, considering that, according to the Civil Registry regulations, people are designated by their name and surname.

On the other hand, the Supreme Court annulled this judgment by upholding the appeal of the interested party. The court argued that it was not coherent to recognize the right to be forgotten when the search is carried out from the full name of a person and deny it when it is carried out only from the two surnames of the person; this implied not taking into account the general principles of the Law of the European Union.

Therefore, the Chamber considered that the criterion maintained in the contested judgment lacked support and would imply restricting, unjustifiably, the right, held by the person affected, to require the manager of a search engine to remove it from the list of results.


December 28th, 2020


The US regulatory authority has sanctioned the entity's subsidiary with 123,000 euros for a computer failure that left 6 million emails from three-quarters of its staff out of supervision.

This event occurred between January 2014 and January 2019, when the subsidiary became aware of the existence of said computer failure; it reported the failure to the authorities in February 2019.

As indicated in article 2110, the members of the regulator, to which Santander has belonged since 1994, have the obligation to supervise all mail sent and received by their employees that relates to the company's business.

Ana Botín's entity did not realize the problem until five years later when they started looking for an old email and could not find it.

According to Santander, this problem is already solved. They have implemented changes in the policies and processes they use in order to prevent this event from happening again in the future.

At the beginning of November, the subsidiary signed the document agreeing to pay the imposed penalty of 123,000 euros.


December 24th, 2020


The Spanish Data Protection Agency sanctions the entity BANCO BILBAO VIZCAYA ARGENTARIA, S.A.

The reasons that led to this event were:

 • Failure to comply with the personal data protection regulations by the personal data processing operations carried out.
 • Failure to properly inform the customer of the circumstances regulated in Articles 13 and 14 of the General Data Protection Regulation (GDPR) or the latter would not have validly given consent.

For all this, a fine of 5,000,000 euros is imposed on it for the infraction of articles 6, 13 and 14 of the GDPR, and it is required, within six months, to bring into line with the personal data protection regulations the processing operations that it performs, the information offered to its customers and the procedure by which they must give their consent for the collection and treatment of their personal data.


December 21st, 2020

AT Group wishes you a Merry Christmas and a Happy New Year 2021

We know this year has been a tough year for everyone and, therefore, we have made great efforts to overcome all the adversities we have found. We are still here without giving up, managing to adapt to this new normality as a team, with patience and care.

Now more than ever, we must show what we are capable of and stick together, always taking security measures into account.

On behalf of the entire AT Group team, we wish you a Happy Christmas Holidays and a New Year full of health, prosperity and opportunities.

Thanks to all of you, who are still by our side and also thanks to all of you who have been and the circumstances have not allowed you to stay.


November 25th, 2020


ATGroup, after a strict selection process in the search for the appropriate strategic partner in technical insurance, has selected the accredited insurer Mapfre, signing the corresponding agreement yesterday at ATGroup's Barcelona facilities.

As a result of ATGROUP's interest in solving the numerous requests from its clients regarding the assurance of TECHNOLOGICAL and CORPORATE risks, an arduous process of selecting the appropriate strategic collaborator began to respond to our clients' needs regarding the assurance of technical and commercial risks.

From the strict selection process, ATGROUP has selected the well-known and highly accredited MAPFRE company, with implementation throughout the entire geographic scope of ATGROUP's activity and with the capacity to meet both the assurance requirements in PRIVACY services and other types of services, such as those of COMPLIANCE or ENVIRONMENTAL.

With this agreement ATGROUP will advise its clients and collaborators on risk assurance products in terms of CYBERSECURITY and all kinds of technological risks with the strategic support of the leading company in the sector.


May 11th, 2020


MEGAFOR, in collaboration with AJSE and ATGROUP, has opened the enrollment process for its Director of Security and Head of Security course.

Following the most advanced training programs, MEGAFOR has started registration for the course that allows access to the Double Degree of Director of Security and Head of Security. Following the collaboration agreement signed with the prestigious European University Miguel de Cervantes, the degree obtained will allow the student to access a prestigious professional career as a person in charge within the Private Security sector. The course will start in September of this year, 2020, if the social and health circumstances allow it. Attached is the enrollment document for Megafor.

We remain at the disposal of our students and interested parties on the usual telephone numbers and directly at MEGAFOR:
tel. 688.854.840

A cordial greeting.


May 11th, 2020


Starting on May 18, the online classes of the AJSE Data Protection Delegate Course restart, taught by qualified ATGROUP personnel. The course is valid for sitting the DPO examination of ANF-AC, an entity approved to carry out these tests by ENAC according to the AEPD Certification Scheme.

Expecting to have passed the hardest phases of the COVID 19 pandemic, and following the processes of adaptation to the new general situation in the Private Security sector and in training, the course continues with the program developed by ATGROUP for AJSE, which is recognized by ANF-AC as valid to teach the 180 course that enables candidates to sit the DPO Certification Exam.

The aforementioned course addresses the needs of a DPO, adding the specific knowledge that a Head of Security or a Director of Security may need in terms of data protection in the exercise of their profession.

The figure of the Data Protection Officer is mandatory under current legislation for Private Security companies.

In this part of the course, and until the sanitary circumstances allow it, only the personalized tutorials and the master classes will be carried out electronically, with the tools made available to the student and the teaching staff.

We also take the opportunity to communicate that registration for the new editions of the Course is already open.


May 5th, 2020


Dear clients, friends and collaborators.

We inform you that, due to the pandemic situation created by COVID 19, and following the instructions of the competent authorities, visits to our facilities may only be made by prior appointment.
If you belong to one of the risk groups or are over 65 years of age, please let us know so that we can grant you a special maximum protection time slot.

To arrange visits or to request any type of information, we are at your disposal at:
93 345 96 82 / 902 090 162
Email: info@atgroup.es


March 31st, 2020


The Megafor-AJSE-ATGroup Safety Director semi-face-to-face course has been postponed until the autumn-winter of this year.

Due to the extraordinary situation that the COVID 19 crisis has generated, Megafor has decided to postpone the Security Management course that was going to be held in collaboration with AULA TECNOMEDIA, at its facilities on Avenida Meridiana.
The new dates and the registration opening period will be announced shortly, so that anyone interested can attend it.
The present edition, whose dates have been moved, also has the most qualified teachers, as in the editions of previous years.
The course documentation is attached.
We remain at the disposal of our students and interested parties on the usual telephone numbers and at the email address formacion@atgroup.es.
A cordial greeting.


March 20th, 2020


We want to share with you the informative bulletin that our team has prepared based on the current situation the country is going through in relation to COVID-19.
We want to keep all our clients, collaborators or interested parties informed about the measures implemented and how they may affect the Data Protection area.


The Group

Our project is to bring the Law closer to Information and Communication Technologies.

ATGroup is a leading consultant in the application of New Information and Communication Technologies Law.

Our mission is focused on providing a quality legal-technological advisory and consultancy service specialized in the application of Information and Communication Technologies Law.

ATGroup is a pioneer consultant in providing innovative and creative solutions to the problems posed by the application of Information and Communication Technologies Law in companies.

We are specialized in the Data Protection Regulation and in advice on advanced Electronic Signature solutions and on Electronic Commerce and E-Administration projects.

Its consultants, all with a bachelor's degree and/or doctorate, combine their professional activity with university studies.

Connected to the ATGroup project is BUFETE ORTEGA, a professional law firm founded in Barcelona in 1977, which is currently managed by its second generation.

The role of BUFETE ORTEGA is to offer specialized legal support in those matters or functions that cover other branches of legal knowledge, different from the previous ones (Administrative, Commercial, Criminal Law, etc.).

Finally, there is EVIDENTIA, directed by Doctor José Navarro, which is an independent brand but has close ties of collaboration and synergies with the rest of ATGroup, since its purpose is digital investigation and forensic examination of the IT element.

The Team


Founding Lawyer














Law Degree

Our services

  1. General Catalogue

  2. Privacy Services Catalogue