On 10 November, the Council of Ministers passed the Data Protection Act, which replaces the current Organic Law 15/1999, 13 December, on personal data protection and adapts Spanish legislation to the provisions of EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data  (GDPR), which will enter into force on 25 May 2018.

In Progreso 12 we analyzed the main differences in the draft bill from the earlier personal data protection legislation. After completing the public hearings and consultation stage, the Bill has been published, keeping to a large extent the provisions in the previous draft, but including certain changes that are summarized here:

Processing based on the data subject’s consent

The enforcement of a contract may not be subject to the consent of the data subject for the processing of their personal data for purposes unrelated to the maintenance, development or control of the contractual relationship.

Rights of data subjects

With regard to the right of access, the taking on of risks and disproportionate costs on the part of the data subject is eliminated in those cases where a different means from that which was offered is chosen to exercise the right of access.

With respect to the right to portability, the restrictions on exercising this right are eliminated, under the terms of article 20 of the GDPR, with no further content added.

Specific types of processing

• Contact data of individual business people: processing the contact details of natural persons providing services to a legal person is still permitted, if certain requirements are met, but evidence to the contrary is admissible.
• The provisions on data processing manifestly put into the public domain by the data subject themselves, have been completely eliminated, inasmuch as this data is no longer protected by the presumption that their processing is permitted.
• Credit information systems: evidence to the contrary is equally admissible against the presumption of legitimacy of personal data processing relating to breaches of monetary, financial or lending obligations by shared credit information systems. Similarly, it is no longer necessary, as a prerequisite for the processing to be permissible, to warn the data subject that their data is being input into these systems
• Carrying out certain commercial transactions: in the same vein, in this case evidence to the contrary is admissible against the legitimacy of the data processing that might arise from any transaction that modifies the structure of companies or the contribution or transfer of the business or branch of business activity. In addition there is a further obligation upon the institution providing the data, to proceed immediately to erasing the same, should the transaction not be finalized, even though the obligation to block, provided for in the regulations, is not applicable.
• Video surveillance purposes: employers are required to inform their employees about the processing of their data obtained from video surveillance systems in the exercise of control functions. Nevertheless, in the event that the images captured reveal the flagrant commission of a criminal act, the absence of this communication will not render the images inadmissible as evidence.
• Systems for excluding advertising: preferences may be included, through which data subjects limit the reception of commercial communications from certain companies. The institutions in charge of the advertising exclusion systems must inform the Spanish Data Protection Agency (AEPD) that they have been created, explaining their overall or sector-specific nature and the way in which data subjects can join these systems.
• Statistics and public interest archive: data for public statistics purposes may only be collected with the express prior consent of the data subject. Thus, processing by public administrations of data for archives of public interest is considered legitimate.

Data protection officer

The circumstances in which certain institutions are required to appoint a data protection officer are specified: in the case of entities that are operating networks and providing electronic communication services, “when they process large volumes of personal data on a regular and systematic basis”; and in the case of providers of information society services, “when they compose service user profiles on a large scale”.

With regard to the requirements for demonstrating the data protection officer’s qualification, the text states that this may be effected through voluntary certification mechanisms. The duty of the controller or processor to provide the officer with the material and personal means to perform their duties appropriately has been eliminated.

International data transfers

For international data transfers to countries or organizations which are not considered to have suitable protection guarantees, prior authorization is required from the AEPD or regional authorities. A new stipulation in the draft law is that the authorization procedure may not take longer than 1 year.

Procedure in the event of a data protection regulatory breach

The AEPD may refuse to accept complaints in cases where the controller or processor, having previously informed the Agency, has adopted corrective measures to put an end to a potential breach of the data protection legislation, provided it has not caused injury to the data subject and that their rights remain fully guaranteed by application of the same.

Likewise, the maximum timespan for dealing with procedures and notifying the parties of the corresponding resolutions has been reduced from 18 to 9 months.

Serious offenses

Serious offenses include the failure to adopt the technology and organizational measures suitable for guaranteeing an appropriate level of security, and the breakdown of the same, once implemented, from a lack of due diligence.