Select Page

The – not so – new Regulation (EU) 2016/679 on the protection of natural persons with regards to the processing of personal data and on the free movement of such data (GDPR), entered into force on May 24th, 2016, but applicable since May 25th, 2018, is an European legal norm of direct applicability and direct effect, whose main purpose is to ensure the harmonisation and uniformity of the Member States’ legislation so that a Digital Single Market is achieved, where the citizens’ rights are guaranteed a more strengthened and even level of protection. Despite its direct effectiveness, the GDPR allows the Member States to implement -by the means of making specifications or establishing restrictionsits provisions in their legal system when they consider it to be necessary for coherence and for the comprehension for the persons to whom these provisions apply (i.e. the respective citizens of the EU Member States).

In this context was developed the new Spanish Data Protection and Digital Rights Guaranty Act (the “SPDA” – Ley Orgánica de Protección de Datos y Garantía de los Derechos Digitales), already approved by the Spanish Parliament, and pending for publication in the Official State Gazzette (Boletín Oficial del Estado).

From among the legislative developments worthy of highlighting contained in the “SDPA”, we will focus particularly on those we consider to have a greater impact on our rights:

  • With respect to the duty of transparency and information towards the citizens: the controller shall provide the data subject, through easily accessible means, with information regarding the processing activity. The SDPA provides a method consisting of several layers of information, where the first layer entails notifying the data subject about: the controller’s identity, the purposes of the processing for which the personal data is intended and the power the data subject has to exercise his/her rights. The remaining information can be accessed by the data subject by the means of a direct link.


  • In relation to minors: the SDPA establishes 14 years to be the age at which a minor can give valid consent for the processing of his/her personal data. Where the minor is below 14 years old, the consent should be given by the holder of parental responsibility over the child. The SPDA also provides that where the use or dissemination of images or personal information of minors constitutes an intrusion or an interference with his/her fundamental rights, the Public Prosecutor will intervene.


  • With regard to the personal data of deceased persons, the SPDA provides that the relatives of the deceased or other persons similarly associated with the deceased, or the heirs, may contact the data controller and assert the right of access, right to rectification or right to erasure, always considering the deceased’s instructions and will.


  • The SPDA regulates the right to be forgotten, which is everyone’s right to obtain from the controller the erasure of personal data concerning him or her without undue delay, provided that (i) the personal data has been collected for its publishing to social media networks, or (ii) the personal data has been disclosed by and collected from a third party and is considered to be: inadequate, inaccurate, irrelevant, outdated or excessive. This extends to the right to have the personal data erased from Internet search engines.


  • As to the Creditor Reporting System, the period of time during which the debt is included in it is reduced by the SPDA from 6 to 5 years, and the requirement of a minimum quantity (50 euros) so that the debt is included in said system is imposed.


  • The implementation of systems for the recording of internal complaints (a.k.a. whistleblowing systems) is provided by the SPDA. Whether they are anonymous or not, they have to ensure the preservation of the confidentiality of the affected persons -particularly, the identity of the complainant (whistle-blower)-.


  • Also, a system for the protection of information within the company is foreseen, where the number of persons and departments who can have access to the company’s information is restricted, and the period of time until its deletion or anonymisation is shortened.


  • The employees’ right to privacy when the employer uses tracking devices, video surveillance and recording devices at the work place is reinforced: the SPDA expressly forbids the use of these devices in the locker rooms, bathrooms or dining rooms, and enhances that the employer is allowed to make use of them, provided the employees are being informed, only when significant risks may occur in relation to the safety of persons, goods or facilities. The employer is permitted to access the contents of the digital devices -phones, computers, etc- provided to the employees for the solely purposes of checking that they are complying with their work duties and ensuring the integrity of said devices.


  • Concerning the advertising exclusion systems, the SPDA establishes that every citizen who is unwilling to receive advertising material or unauthorised phone calls can appoint oneself to a register file which is mandatory to be checked by the companies who run direct marketing campaigns.


  • As regards the Data Protection Officers (the “DPO”), the SPDA makes several specifications related to the accreditation of their skills (the usage of certification mechanisms and college/university degrees to demonstrate their knowledge and expertise regarding Law and data protection) and the performance of their tasks with complete independence. The SPDA also names the sector of activity where the companies are obliged to name a DPO, otherwise an appropiate administrative penalty will be applied to them.


  • The SPDA also refers to the cases of lawful data processing, naming several types of processing which can fit in the provision no. 6.1.f) of the Regulation (EU) 2016/679 -particulary, in the definition of “legitimate interests”-. In this way, a legal certainty is granted when completing certain operations (e.g. the processing of personal data at a professional level; checking registers of internal complaints or the advertising exclusion registers). The SPDA expressly authorises the processing by lawyers of data related to offenses and convictions.


  • In the Final Provisions of the SPDA other Spanish acts are being amended with the purpose of harmonising them with the provisions enclosed in the Regulation (EU) 2016/679. These amendments concern, among other aspects, the preservation of the patients’ clinical history, the regulation of the census data or the regulation of the aggressive practice consisting of impersonating the identity of the Spanish Data Protection Agency or its tasks.


  • For example, in the Statute of Workers Rights -one of these other amended Spanish acts-, the right to digital disconnection in the context of the place is granted for the first time. It consists of the right of every employee to not be obliged to attend his/her work phone or computer once the working day has ended, and implies an obligation for the employer to implement measures to avoid the employees’ fatigue due to digital connection.


  • The First Additional Provision recognises the National Security Framework (Esquema Nacional de Seguridad) as the appropiate means to guarantee the technical and organisational security measures required by the Regulation (EU) 2016/679 in the field of public sector and the private companies which opérate within.

As for the controversial issues regarding some of the provisions of this recent Spanish Data Protection Act, the ones worth mentioning are: the exemption of financial penalties for the public administrations when they not comply with mandatory provisions, and the way in which the political parties obtain and use personal data for electoral purposes.

To be continued…

Sönke Lund and Mihaela Gongu

Grupo Gispert

Share This