Spain: Data Protection Regulation


On May 25th 2016, REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GENERAL DATA PROTECTION REGULATION) entered into force.

Although European Regulations are directly enforceable in the member states, without any adaptation into national law), Spanish Government has decided to derogate Spanish current Act 15/1999 on Personal Data Protection and to submit a new Constitutional Act on Personal Data Protection which shall replace the one published in December 1999 and implements the modifications introduced by the EU General Data Protection Regulation.

So far, the Spanish Government instructed the Spanish National Codification Commission to prepare a new text of the Act, in collaboration with the Spanish Data Protection Agency (AEPD in the Spanish acronym) which is the public law authority overseeing compliance with the legal provisions on the protection of personal data.

The text was recently forwarded to the Ministry of Justice, which presented it to the Council of Ministers on 24 June 2017. The preliminary draft is currently subject to consultations, opinions and reports, including consultation with citizens and entities concerned, as well as the opinion of the Council of State. The new Act shall enter into force at the same time as the EU General Data Protection Regulation, i.e. in May 2018.

Considering the above, we cannot give you an overview on the final regulations in the new Spanish Personal Data Protection Act, but the text submitted for approval currently contains the following regulations:

(1) This new Spanish Act on Personal Data Protection shall not apply to the processing of personal data:

  • by a natural person in the course of a purely personal or household activity;
  • by the Spanish General Administration when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
  • by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
  • of deceased persons;
  • subject to legislation on the protection of classified information;
  • for statistical or research purposes.

(2) Consent to the processing of personal data is assumed by any voluntarily given, specific, unequivocal and informed indication of the data subject into the processing of his or her personal data.

(3) The processing of the personal data of a child shall be lawful only in case of consent given by a child of 13 years of age or older. Children under 13 years of age, the consent must be given by the legal guardian.

(4) New Spanish Act on Personal Data Protection shall include specific regulations regarding the processing of personal data related to non-fulfilment of monetary, financial or credit obligations by common credit information systems and processing for video-surveillance purposes.

(5) The processing of personal data with the aim of sending commercial communications, shall not be allowed to those who have expressed their refusal or opposition to receive them.

(6) The processing of personal data relating to convictions and criminal offenses, precautionary and security procedures and measures, for purposes other than those for the prevention, investigation, detection or prosecution of criminal offenses or for the execution of criminal penalties may only be carried out when expressly authorised. The Spanish Ministry of Justice shall be responsible for the management of information systems in which all data relating to convictions and criminal offenses, precautionary and security procedures and measures are collected.

(7) Information on how and which data is being collected, must be provided in a concise and clear way, in an easily accessible form using clear and plain language. This information shall be duly adapted when addressed to children.

(8) Information to be provided on personal data collection shall include:

  • The identity of the collector or the controller’s representative;
  • the purposes of the processing;
  • information about how to exercise the rights established in Articles 15 to 22 of EU General Data Protection Regulation.

(9) The Spanish regulation regarding rights of access, rectification, erasure, restriction of processing, data portability and objection, shall follow the lines of the EU General Data Protection Regulation.

(10) A Data Protection Officer must be appointed in the following entities:

  • Professional bodies and their general councils, as stated in Spanish Act 2/1974, 13 February, on professional bodies.
  • Teaching centres that provide education regulated by Spanish Organic Act 2/2006, May 3, on Education, and public and private universities.
  • Entities that operate networks and provide electronic communications services in accordance with the provisions of Spanish Act 9/2014, May 9, General Telecommunications.
  • Information society service providers who collect information from the users of their services, whether or not the registration is required to obtain them.
  • Entities included in article 1 of Spanish Act 10/2014, June 26, on the management, supervision and solvency of credit institutions.
  • Financial credit institutions regulated by Title II of Spanish Act 5/2015, April 27, on the promotion of business financing.
  • Insurance and reinsurance entities subject to Spanish Act 20/2015, July 14, on the management, supervision and solvency of insurers and reinsurers.
  • Investment services companies, regulated by Title V of the consolidated text of the Spanish Act on the Stock Market, approved by Spanish Royal Legislative Decree 4/2015, October 23.
  • Distributors and traders of electric energy, in accordance with the provisions of Spanish Act 24/2013, December 26, on the electricity sector, and gas distributors and traders, in accordance with Spanish Act 34/1998, October 7, on the hydrocarbons sector.
  • Entities responsible for common files for the evaluation of the equity solvency and credit or common files for the management and prevention of fraud, including responsible for the files regulated by article 32 of Spanish Act 10/2010, April 28, on Prevention of money laundering and terrorist financing.
  • Entities that develop advertising and commercial prospecting activities, including commercial research and market research, when carrying out treatments based on their preferences.
  • Medical-health centres legally obliged to maintain patients’ medical records in accordance with the provisions of Spanish Act 41/2002, November 14, on the autonomy of the patient and on rights and obligations in the field of information and clinical documentation.
  • Entities that provide commercial reports about people and companies as business purpose.
  • Operators that develop the activity of game through electronic channels, information technology, telematics and interactive, in accordance with the provisions of Spanish Act 3/2011, May, on regulating the game.
  • Those entities that carry out the activities regulated by Title II of Spanish Act 5/2014, April 4, on Private Security.

For the entities not included in the list above, the appointment of a Data Protection Officer shall be discretionary.

(11) Finally, regarding the kind of infringements which derive in the imposition of an administrative fine, new Spanish Act on Personal Data Protection shall classify them as:

  • Very serious, such as the use of the data collected for a purpose that is not compatible with the purpose for which they were collected, without the consent of the affected or without a legal basis for it;
  • Serious, such as the processing of personal data of a person under 13 years without obtaining his consent, when he has capacity for it, or the consent of his parental authority or guardianship;
  • Minor, such as the requirement of payment of a fee to provide the information required by Articles 13 and 14 of EU General Data Protection Regulation.

Regarding administrative fines, it seems that very serious infringement shall be punished with a fine over 300.000 Euros; serious infringements with a fine from 40.001 to 300.000 and minor infringements with a fine up to 40.000 Euros.

We will have to wait a little bit longer before we can confirm the final version of the new Spanish act. Once approved by the Spanish Government, the final text will be published in the Spanish Official Gazette (BOE, in the Spanish acronym) and available on the following website: https://www.boe.es/diario_boe/

Contact Person: guest article by Vanessa Sánchez, Advocada at Mireia Serry and Colleagues in Barcelona, Spain