VIII IAB Spain Digital Advertising Regulation Summit Overview

The VIII IAB Spain Digital Advertising Regulation Summit was hosted online on Wednesday 2nd February.


The VIII edition of the IAB Spain Digital Advertising Regulation Summit took place last Wednesday 2nd February in an online half-day event which was sponsored by Google, OneTrust and PrimCity. 


The event

The IAB Spain Digital Advertising Regulation Summit is a forum for debate on the latest regulation initiatives that may impact the digital sector, bringing together the most influential industry leaders, professionals, organisations, public bodies and other stakeholders to share and discuss their views and experiences on the matter.

The following topics were addressed in this year’s edition: 

  • Digital Markets Act and Digital Services Act;
  • Spain’s Audiovisual Act; 
  • GDPR and ePrivacy;
  • Metaverse; 
  • Trustworthy AI; 
  • Augmented reality and virtual reality; 
  • Spain’s Digital Services Tax Act; 
  • Cookies and targeted advertising and
  • Application of existing liability regimes to emerging digital technologies.

As a member of the ethics committee of EU-funded research and innovation projects, Aphaia was invited to talk about trustworthy AI and its regulation. 


AI: Does it need to be regulated in order to be trustworthy?

Aphaia participated as an AI expert as part of the “7 minutes, 7 legal topics” sessions. We were given the opportunity to go through the existing AI regulation framework and initiatives and elaborate on how the current approach may impact the use of this technology by the wider society.

Our speech was focused on the following points:

  • AI HLEG Ethics Guidelines and Assessment List for Trustworthy AI;
  • AI civil liability regime and
  • EU Artificial Intelligence Act.

While it is important to make sure that there are rules in place that govern the use of AI systems and the impact of this technology on society, we should not forget that the existing legal framework is still applicable, meaning that whereas there might not be specific rules that an AI system is subject to, there are other legal requirements that should be complied with, such as data protection and intellectual property laws.

Did you miss it?

The VIII IAB Spain Digital Advertising Regulation Summit was recorded and it will be available on IAB Spain’s Youtube channel in the next following days. 

If you want to learn more about AI regulation and ethics, you can visit our vlog.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data to collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.



The data protection industry is constantly evolving as the GDPR is implemented by organisations and enforced by the Data Protection Authorities. 


New year, new beginnings? That is not always the case, at least definitively not when the previous year has provided valuable insights for the upcoming one. Considering that the GDPR has been in application since 2018, it is still a relatively new piece of legislation about which stakeholders are still learning, including organisations, Data Protection Authorities (DPAs) and the broader society. This is the reason why we need to take a close look to any development in the industry, as it may be determining for the future of data protection. In this post we go through the main takeaways of 2021.

Schrems II and new SCCs

After Schrems II and the caveats that the CJEU added to the use of SCCs, the EU Commission adopted a new set of SCCs for the transfer of personal data to third countries in June 2021 as we informed in Aphaia’s blog. These new SCCs brought practicality and flexibility through a modular approach which makes them suitable for any type of data transfer, regardless of the role taken by the controller or the processor as the data exporter or the data importer. The new SCCs also include a toolbox and some supplementary measures aimed at helping controllers and processors to make safe international data transfers, built on the need for performing a Data Transfer Impact Assessment which the parties can use to identify the risks of the transfer and their ability to comply with the clauses. 

It should be noted that the ICO has not pronounced about the new SCCs yet. The ICO is planning to produce its own SCCs for restricted transfers made from the UK.

Other updates

Together with the new SCCs for international data transfers, the EU Commission also published a set of SCCs covering Article 28 GDPR requirements. However, unlike SCCs for international data transfers, these are not mandatory and controllers and processors can still use their own terms in data processing agreements.  

Not new in 2021 but still work in progress over the year, we find the rules on cookies and the concept of joint controllership. Many organisations are still updating their cookie banners to include toggles or checkboxes for each not strictly necessary cookie. Cookies are also relevant in terms of data protection roles as, as any other joint personal data processing, if there are two or more parties involved, they may trigger joint controllership as a result of converging decisions.

GDPR enforcement

The impact of the work carried out by the DPAs is not clear at this stage. First because the GDPR has only been around since 2018 and we all are still learning, secondly because GDPR investigations are lengthy and consume a lot of time, running into several months, and thirdly because each DPA has its own criteria beyond Article 83 GDPR. For example, Portugal’s GDPR national implementation legislation places a 3 year moratorium on administrative fines to public bodies. On the other hand, in Spain no fines can be imposed on the public sector. Aligned actions and criteria would help to enhance the consistency mechanism, contributing to the consistent application of the GDPR throughout the EU.  

The role of the DPAs may also change in the upcoming years as new pieces of legislation enter into force, such as the EU AI Regulation Proposal.

The regulatory fines

Regarding fines, it should be noted that the GDPR fines have ramped up significantly in recent months, although it should be taken into account that not only the amount of the fine is important when it comes to infringements, but also the cost that the process implies for the organisations involved and the damage to the corporate reputation. 


I had the chance to discuss this with JC Gaillard from Corix Partners in their Cyber Security Transformation Podcast. You can access it [here].


Does your company have all of the mandated safeguards in place to ensure the safety of the personal data to collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today


Telephone marketing rules post-Brexit

Many UK businesses are planning to shift to telephone marketing. In this blog we go through the requirements that should be met in order to do it in compliance with the ePrivacy rules.

UK businesses are no longer clearly protected by ePrivacy country of origin rule when marketing directly in EU countries, so many of them are now looking for alternatives. Are the rules on telephone marketing less strict than the ones on electronic mail marketing?

What does the ePrivacy Directive say about unsolicited communications?

Pursuant to the ePrivacy Directive “Member States shall take appropriate measures to ensure that, free of charge, unsolicited communications for purposes of direct marketing […] are not allowed either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive these communications, the choice between these options to be determined by national legislation”.

Accordingly, national implementation of the ePrivacy Directive in each Member State regulates the rules that apply in each country.

ePrivacy country of origin rule principle allows the sender to rely on the benefit of the own country less strict rules as long as there is single market. However, this does not apply to UK businesses anymore after Brexit, therefore the rules of the destination country should be considered before marketing directly in EU countries.

Automated calls

Automated calls are subject to stricter requirements. Pursuant to the ePrivacy Directive, the use of automated calling systems without human intervention (automatic calling machines) and facsimile machines (fax) for the purposes of direct marketing is only allowed in respect of subscribers who have given their prior consent.

General consent for marketing, or even consent for live calls, is not enough and it needs to cover automated calls specifically.

Telephone marketing from the UK through live calls

In EU countries

UK businesses that wish to market other businesses or individuals in EU countries should check national laws in order to confirm the following elements: 

  1. Whether consent is required;
  2. Where consent is not required, whether the number is listed in the national opt-out register or whether the data subject has explicitly objected to receiving calls from that particular business.

Most EU countries have implemented opt-out registers rather than the consent requirement, but this must be assessed on a case by case basis in order to ensure full compliance.

In the UK

UK businesses that wish to market other businesses or individuals in the UK should take the following steps:

  1. Check whether the number is registered with the TPS or CTPS.
  2. Check whether the data subject has objected to receiving calls from them.

In a nutshell, marketing calls can be freely made unless the person has opted-out from them or is registered with the TPS or CTPS. No marketing calls should be made to any number listed on TPS or CTPS unless that person has specifically consented to calls from the particular business. Telephone marketing is also prohibited when it is for the purpose of claims management services, unless the person has specifically consented to them.

Calls in relation to pension schemes are subject to special rules.

Additional requirements

Once determined that the call can be made in compliance with the relevant rules, a set of additional requirements should be applied, namely: 

  • Say who is calling;
  • Allow the number (or an alternative contact number) to be displayed to the person receiving the call;
  • Explain where the controller’s privacy policy can be found and 
  • Provide a contact address or freephone number if asked.

EU ePrivacy rules update

As reported in one of our latest blogs, earlier this month EU Member States agreed upon a negotiating mandate for revised ePrivacy rules, which would repeal the current ePrivacy Directive, starting to apply two years after its publication in the EU Official Journal. The ePrivacy Regulation may introduce new rules on telephone marketing, such as the obligation to present the calling line identification assigned to them or use a specific code or prefix identifying the fact that the call is a direct marketing call. 


Do you make telephone marketing? Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy rules, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Spanish DPA AEPD

Spanish DPA AEPD publishes Guidelines on AI audits

AEPD, the Spanish data protection authority, has published Guidelines on the requirements that should be implemented for conducting audits of data processing activities that embed AI.

Early this month, the Spanish DPA, AEPD, published Guidelines on the requirements that should be considered when undertaking audits of personal data processing activities which involve AI elements. The document addresses the special controls to which the audits of personal data processing activities comprising AI components should be subject.

Audits are part of the technical and security measures regulated in the GDPR and they are deemed essential for a proper protection of personal data. The AEPD Guidelines contain a list of audit controls among which the auditor can select the most suitable ones, on a case by case basis, depending on several factors such as the way the processing may affect GDPR compliance, the type of AI component used, type of data processing and the risks to the rights and freedoms of the data subjects that the processing activities pose.

Special features of AI audits methodology

The AEPD remarks that the audit process should be governed by the principles laid down in the GDPR, namely: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality and accountability.

The AEPD also points out that all the controls listed in the Guidelines are not meant to be applied together. The auditor should select those ones that are relevant based on the scope of the audit and the goals it pursues.

What type of data processing do these requirements apply to and who should comply with them?

The Guidelines will be applicable where:

  • There are personal data processing activities at any stage of the AI component lifecycle; or
  • The data processing activities aim to profile individuals or make automated decisions which produce legal effects concerning the data subjects or similarly significantly affects them.

The AEPD states that in some cases it might be useful to carry out some preliminary assessments before moving forward with the audit, such as, inter-alia, an assessment of the level of anonymisation of personal data, an assessment of the risk of re-identification and an assessment of the risk of losing data stored in the cloud.

The document is especially addressed to data controllers who audit personal data processing activities that include components based on AI, to data processors and developers who wish to offer additional guarantees around their products and services, to DPOs responsible for monitoring the data processing and providing advice to the data controllers and to auditors who work with this type of processing.

Control goals and actual controls

The main body of the Guidelines consists of five audit areas that are broken down into several objectives containing the actual controls among which the auditors, or the person in charge of the process as relevant, can make their selection for the specific audit they are undertaking.

The AEPD provides an exhaustive list comprising more than a hundred of controls, which are summed up in the following paragraphs. 

  • AI component identification and transparency

This area includes the following objectives: inventory of the AI components, definition of responsibilities, and transparency.

The AEPD stresses the importance of keeping full records both of the components, -including, inter alia, ID, version, date of creation and previous versions- and the persons in charge of the process -such as their contact details, roles and responsibilities-. There are also some provisions with regard to the information that should be available to the stakeholders, especially when it comes to the data sources, the data categories involved, the model and the logic behind the AI component, and the accountability mechanisms.

  • AI component purpose

There are several objectives within this area: identification of the AI component purposes, uses and context, proportionality and necessity assessment, data recipients, data storage limitation and analysis of the data subject categories.

The controls linked to these objectives are based on the standards and requirements needed to achieve the desired outcomes and the elements that may affect said result, as for example the conditioning factors, the socioeconomic conditions, and the allocation of tasks, among others, for which a risk assessment and a DPIA are recommended.

  • AI component basis

This area is built over the following objectives: identification of the AI component development process and basic architecture, DPO involvement, adequacy of the theoretical models and methodological framework.

The controls defined in this section are mainly related to the formal elements of the process and the methodology followed. They aim to ensure the interoperability between the AI component development process and the privacy policy, to define the requirements that the DPO should meet and guarantee their proper involvement in a timely manner and to set out the relevant revision procedures.

  • Data management

The AEPD details four objectives in this area: data quality, identification of the origin of the data sources, personal data preparation and bias control. 

Whereas data protection is the ‘leitmotiv’ along the Guidelines, it is specially present in this chapter, which covers, inter alia, data governance, variables and proportionality distribution, lawful basis for processing, reasoning behind the selection of data sources and data and variables categorisation.

  • Verification and validation

Seven objectives are pursued in this area: verification and validation of the AI component, adequacy of the verification and validation process, performance, coherence, robustness, traceability and security. 

The controls set out in this area focus on ensuring data protection compliance for the ongoing implementation and use of the AI component, looking for guarantees around the existence of a standard which allows for verification and validation procedures once the AI component has been integrated, a schedule for internal inspections, an analysis of false positives and false negatives, a procedure to find anomalies and mechanisms for identifying unexpected behaviour, among others.

Final remarks

The AEPD concludes with a reminder of the fact that the Guidelines contain a data protection approach to the audit of AI components, which means, on the one hand, that it may need to be combined with additional controls derived from other perspectives and, on the other hand, that not all controls will be relevant in each case, as they should be selected according to the specific needs, considering the type of processing, the client’s requirements, and the specific features of the audit and its scope, together with the results of the risk assessment.

Does your company use AI? You may be affected by EU future regulatory framework. We can help you. Aphaia provides both GDPR and DPA 2018 adaptation consultancy services, including data protection impact assessmentsEU AI Ethics assessments and Data Protection Officer outsourcingContact us today.