Spain


Proyecto de Ley Orgánica de Protección de Datos de Carácter Personal

Status: DRAFT

LAWFULNESS OF PROCESSING (ART 6)

VARYING/ADDITIONAL REQUIREMENT: 

The Spanish Act adopts specific requirements for data processing in specific sectors: (1) processing of data of an individual in a professional/business capacity is considered lawful under legitimate interests, provided the processor does not attempt to engage with the individual or process the data in other than a professional capacity (Art 19 Spanish Act); (2) the processing of personal data in the form of common credit system information is presumed lawful when this is carried out for purposes of monetary, financial, or credit obligations, upon certain conditions (Art 20 Spanish Act); (3) data processing for legitimate business purposes is presumed lawful when necessary for the continuation of the service (Art 21 Spanish Act); (4) CCTV is considered lawful when necessary for security purposes and upon strict conditions (Art 22 Spanish Act); (5) the creation of databases containing individuals who have expressed their right to opt out of receiving direct marketing is legitimate (Art 23 Spanish Act); and (6) whistleblowing hotlines are considered legitimate upon strict conditions (Art 24 Spanish Act) (Art 6 GDPR).

CHILD’S CONSENT (ART 8)

VARYING REQUIREMENT: 

Minimum age to provide consent is lowered to 13 years old. Consent below that age shall only be valid when provided or authorized by the holder of parental responsibility or guardianship (Art 7 Spanish Act) (Art 8(1) GDPR).

SENSITIVE DATA (GENETIC, BIOMETRIC AND HEALTH DATA) (ART 9 (4))

VARYING REQUIREMENT: 

The prohibition on the processing of sensitive data cannot be lifted by the individual’s consent when the main purpose remains the identification of the individual’s ideology, union membership, religion, sexual orientation, beliefs, or racial or ethnic origin (Art 9(1) Spanish Act).

CRIMINAL CONVICTIONS/SECURITY MEASURES (ART 10)

No Deviation

AUTOMATED INDIVIDUAL DECISION-MAKING (ART 22)

No Deviation

RESTRICTIONS TO DATA SUBJECT’S RIGHTS (ART 23)

SPECIFYING REQUIREMENT: 

When rightfully exercising a right to deletion, a data controller is required to block the individual’s data. The blocked data will remain available to judges and courts, the public prosecutor, or competent public authorities, in particular competent supervisory authorities, for the determination of liability of the individual arising from the processing operation. The Spanish DPA and regional authorities may decide that such obligation to block the data does not apply when, due to the high number of individuals affected and the nature of the data, this would pose a high risk to the rights of individuals concerned or would require a disproportionate effort from the data controller (Art 32 Spanish Act) (Art 23 GDPR).

JOINT CONTROLLER RESPONSIBILITIES (ART 26 (1))

No Deviation

AD HOC NOTIFICATIONS - RECORDS OF PROCESSING ACTIVITIES (ART 30)

SPECIFYING REQUIREMENT: 

Judicial authorities and public bodies are obligated to make public their record of processing (Art 31 Spanish Act) (Art 30 GDPR).

SECURITY OF PROCESSING (ART 32)

No Deviation

DATA BREACH (ART 33 & 34)

No Deviation

DATA PROTECTION OFFICER (ART 37(4))

ADDITIONAL REQUIREMENT:

The Spanish Act has provided for specific categories of companies that must appoint a DPO: (1) professional associations and general councils; (2) schools and public and private universities; (3) telecom providers and network operators; (4) information society service providers; (5) entities supervising credit institutions; (6) credit institutions; (7) insurance companies; (8) investment service companies; (9) gas and electricity providers; (10) credit rating and fraud prevention entities; (11) entities carrying out advertising and commercial prospecting (market research); (12) health institutions required to maintain patient records; (13) the gambling and gaming sector; and (14) the private security sector (Art 34 Spanish Act) (Art 37(4) GDPR).

DATA TRANSFER DEROGATIONS (ART 49(5))

No Deviation

POWERS SUPERVISORY AUTHORITIES (ART 58)

SPECIFYING/ADDITIONAL REQUIREMENT: The Spanish Act foresees that investigatory competencies include contacting the relevant public authority in Spain to obtain evidence of the data protection violation and identification by telecom and information society services providers. In addition, they may obtain all information for the fulfillment of their duties, conduct inspections, require the delivery of evidence or other documents, obtain copies thereof, and inspect hardware and IT systems (Art 52 Spanish Act). They may also carry out searches on (private) homes in accordance with procedural rules governing these searches (e.g., upon prior judicial authorization) (Art 53 Spanish Act). The DPA may also carry out preventive audits (Art 54 Spanish Act). During an investigation, the individual or entity under investigation has a duty to cooperate (Art 52 Spanish Act).
Furthermore, the president of the DPA shall have the power to issue implementing legislation called “circulars” that will become binding after publication in the Official Gazette (Art 55 Spanish Act). There may also be regional DPAs, supervised by the Spanish DPA, appointed to exercise the powers of a supervisory authority granted by the GDPR (Art 57–58 Spanish Act) (Art 58 GDPR).

CLASS ACTIONS (ART 80 (2))

No Deviation

ADMINISTRATIVE SANCTIONS (ART 83)

SPECIFYING/ADDITIONAL REQUIREMENT: The Spanish Act categorizes infringements as “very serious,” “serious,” and “mild.” Very serious infringements are, in addition to the GDPR: (1) processing of personal data related to criminal offenses outside GDPR limits; (2) processing of administrative personal data outside the limits of the Spanish Act; (3) breach of the secrecy obligation imposed on controllers and processors by the Spanish Act; (4) failure to lock the data pursuant to the Spanish Act; and (5) inhibiting the data protection investigation by the Spanish DPA or other competent authority. In these cases, the statute of limitations is three years (Art 72 Spanish Act).

Serious infringements include lack of cooperation in procedures of the supervisory authorities (not under Art 72) (Art 73 Spanish Act). In these cases, the statute of limitations is two years.

The most important mild infringements include: (1) infringements against the information obligation; (2) failure to respond to individual rights requests without justification; (3) failure to comply with the notification requirement of access or correction request; (4) failure to delete the data pursuant to the Spanish Act; (5) violations of controller/processor responsibilities pursuant to controller/processor agreements; and (6) failure to comply with all requirements of recordkeeping (ad hoc notifications). In these cases, the statute of limitations is one year (Art 74 Spanish Act).

The Spanish Act also allows for a suspension and interruption of the statute of limitations (causing a potential restart of the limitation period) (Art 75 Spanish Act). A potential aggravating factor, in addition to those mentioned in the GDPR, may exist in the continuous nature of the infringement (Art 76 Spanish Act). In case the entity sentenced is a legal person, an additional sanction may exist in the publication of the judgment (including revealing the identity of the entity sentenced) in the Official Gazette (Art 76(4) Spanish Act). Additionally, statutes of limitations are set at one year for fines of less than €40,000, at two years for fines between €40,001 and €300,000, and at three years for fines exceeding €300,000.

PENALTIES (ART 84)

No Deviation

HR PROCESSING (ART 88)

No Deviation

PROCESSING FOR ARCHIVING, SCIENTIFIC, HISTORICAL RESEARCH OR STATISTICAL PURPOSES (ART 89)

SPECIFYING REQUIREMENT: For data processing for statistical purposes, competent bodies may deny individuals their access, correction, deletion, objection, restriction, portability, and automated decision-making rights when the data are covered by the statistical confidentiality guarantees provided in state or regional legislation (Art 25 Spanish Act) (Art 89 GDPR). For data processing for archiving purposes, this shall only be lawful when carried out for purposes of the public interest described in specific Spanish legislation or the GDPR (Art 26 Spanish Act) (Art 89 GDPR).

OBLIGATIONS OF SECRECY (ART 90)

SPECIFYING REQUIREMENT: The Spanish Act sets forth an obligation of secrecy for controllers and processors (as well as all other persons involved) for data processing activities. These are in addition to any obligations of professional secrecy that may apply. The obligation remains even when the contractual relationship of the controller-processor has ended (Art 5 Spanish Act) (Art 90 GDPR).

REMARKS

The Spanish Act foresees procedural rules governing proceedings before the Spanish DPA, as well as substantive provisions.

The Spanish government has approved the Real Decreto-ley 5/2018, de 27 de julio, de medidas urgentes para la adaptación del Derecho español a la normativa de la Unión Europea en materia de protección de datos (BOE, núm. 183, de 30 de julio de 2018) (“Royal Decree-law 5/2018”). This provisional legislation will be in force until the Spanish Act is enacted. The law sets out the following:

  • Chapter I: Investigative Powers: The SA, i.e., the Spanish Data Protection Agency, has investigative powers, including the power to confer investigative powers on the seconding SA’s staff (Art 58(1) & 62(3) GDPR).

  • Chapter II: Sanctions Regime: The statute of limitations for infringements of Art 83(4) GDPR and Art 83(5) & (6) GDPR is two years and three years, respectively. The statute of limitations for payment of fines is one year for fines less than €40,000, two years for fines between €40,001 and €300,000, and three years for fines over €300,000 (Art 83 GDPR).

  • Chapter III: Procedures for Violations of Data Protection Regulation: This chapter details the procedures, such as the type of claims that may be submitted to the SA and determination of territorial scope, for possible violations of the GDPR or Spanish data protection laws (Art 4(23), 55, 56 & 68(4) GDPR).

  • Transitory provision: Data processing agreements entered into before May 25, 2018, remain in force until their termination date or until May 25, 2022, if there is no termination date. During this period, either party may request to modify the contract to comply with Art 28 GDPR (Art 28 GDPR).