Published and draft legislation - Spain

Transposition of European data protection regulations

Draft Bill

In April 2016, the European Parliament passed regulations on personal data protection and the free movement of this data, revoking Directive 95/46/EC (General regulation on data protection).

The regulation, applicable from 25th May 2018, not only represents an update to EU standards, but is also a reinforcement of legal certainty and transparency in recognising “the right of member states to specify or restrict their rules as they wish in order to remain consistent and so that national provisions are understandable to those to whom they apply”.

In July, the Council of Ministers published the Personal Data Protection bill.  Once passed, it will revoke the current Organic Personal Data Protection Law 15/1999, 13th December,  and whatsoever national provisions existing at the same or lower levels that might be contrary to or incompatible with the General data protection regulations. The bill is currently at the public consultation stage.

The following are some of the bill’s new features:

Deceased persons

The first section, as well as describing the purpose of the law (adapting Spanish legislation to the General regulation on data protection), also circumscribes its area of application: any processing, wholly or partially automated, of personal data, and the non-automated handling of personal data in a data file or that will be included in one in the future. It also mentions those scenarios where it will not be applicable.

There are now provisions in an area where there had previously been no regulation, that of deceased persons. Heirs (or anyone expressly so authorised by the deceased) may ask the person in charge of data processing, the controller, for access to, and rectification or elimination of the data about the deceased, unless the deceased had explicitly forbidden this, or it is prohibited by law. If the deceased is a minor or is legally incapacitated, these powers may be exercised by the Prosecution Service.

Express consent

The Bill sets out in section II that data obtained directly from their owners are understood to be exact and up to date.

There is an explicit reference to consent being necessary to legitimate processing. This must be in the form of a statement or clear positive action by the affected party, and does not include what has been termed as “tacit consent”. The regulation also accepts boxes that have not been pre-selected  when a contract is being arranged or negotiated.

Specifically, article 8 states that the age at which a minor can give consent is thirteen.

There are also provisions in this section that apply to particular processes: contact data and data on individual business owners, data clearly publicised by the data holder, credit rating systems, data for the purposes of video surveillance, advertising opt-out systems, whistle-blower information systems in the private sector, as well as data processing in the arena of public statistics and criminal justice. The common denominator in all these is that a balance of interests or a weighting of legitimate interest should exist as a legal starting point for data processing.

Blocking data

The principle of transparency in data processing has been added, so that the controller must provide information that is clear, concise and easily accessible to the data holder; this should have a basic level of content, depending on whether the information has been obtained from the party concerned or not.  

This section also covers the right to access, rectify, erase (“be forgotten”), oppose, and set limits to processing, as well as data portability; the requirement to block data in the scenarios covered by the Regulation and when, by default, data should be rectified or erased are both new additions. Data that has been blocked will be available only to the corresponding public body, in order to guarantee appropriate application and oversight of compliance with data protection standards.

Data protection officer

In line with the principle of accountability, a new feature of the regulation requires a preliminary assessment by the controller of the risk that personal data processing can pose and for measures to be adopted in consequence. This section of the law defines accountability measures, regulates the position of controller (head of data processing) and that of the data protection officer, and references the relevant codes of conduct and certification.

Certain organisations covered in article 35 will be obliged to appoint a data protection officer. The officer may be a part of the controller’s organisation or not, and be a natural or legal person.  In any event, they must satisfy the requirements contained in the Regulations and demonstrate visible knowledge of the subject, showing their credentials, including certification.

The controller or person in charge must provide the officer with the material and personnel wherewithal necessary and may not remove them except in the event of dishonesty or serious negligence. 

One-stop shop

Section VII deals with the “one-stop shop” model which the Regulation is introducing, under which organisations with subsidiaries in several member states will only have to deal with the data protection authority where they have their main headquarters. The Spanish Data Protection Agency (AEPD in the Spanish acronym) will decide where the competence lies at the beginning of proceedings, establishing whether the institution is domestic or international, sending the claim on to the relevant authority if international.