Spain adopted its data protection act implementing the GDPR which led to interesting surprises as its contents are quite different from those of other EU Member States.
* * * *
After a very long delay and amidst rumors that the Spanish Parliament could be dissolved and early elections called, the Senate of Spain speedily dismissed all the proposals for further changes and approved the new GDPR compliant Spanish Data Protection Act on Wednesday 21 November 2018.
The new data protection act (the “NLOPD“), in addition to regulating many other topics:
- Contains a special regime for personal data of deceased people;
- Includes additional duties for controllers and processors regarding the accuracy and confidentiality of the data;
- Develops article 7 of GDPR regarding how the consent shall be granted. Consent alone shall not be deemed sufficient to support the processing of certain sensitive data (religious or political ideas, trade union membership, sexual orientation, ethnic origin or race);
- Makes processing of criminal records information more flexible than before, allowing lawyers and legal entities to run databases including this type of information (Read on the topic “How data on criminal convictions of employees become a privacy risk“). In the case of administrative law infringements, companies may process that information only holding the consent of the data subject, with few exceptions;
- Clarifies and expands the scope of articles 13 and 14 GDPR on the information to be provided to data subjects;
- Adds further requirements in connection with the rights of access, rectification and erasure. An additional right/duty “blocking right”, following the exercise of a rectification or erasure, is formally added to the ones already in the GDPR. This right was a Spanish peculiarity under the Directive;
- Approves new rules to determine when a data agent is a data controller and not a data processor;
- Imposes very demanding requirements in connection with bad debts and credit recovery databases, making the management of these data much more onerous than elsewhere in the European Union;
- Establishes the divide between children and standard data subjects at 14 years;
- Provides extensive additional regulation regarding CCTV systems, whistleblowing schemes (admitting anonymous reporting for the first time in Spain);
- Establishes specific criteria for applying data security measures and authorizes the Spanish Data Protection Commissioner to establish the security standards for personal data;
- Lists 16 scenarios, on top of article 37 GDPR, in which appointing a Data Protection Officer shall be mandatory (Read on this topic “What liabilities for the data protection officer under the GDPR?“). Notification of the appointment within 10 days becomes mandatory, with the resulting list being accessible on line;
- Clarifies the procedures for granting data export authorizations when no other alternative under GDPR does exist;
- Recognizes new “digital rights”, including Internet neutrality, universal access to Internet, security of online communications, digital education, protection of minors on the Internet, rectification / update of non-accurate information on the Internet, a right-to-be-forgotten-like right not to be found by searching engines on the Internet and social networks;
- Develops a new framework for handling health information and information on medical research;
- Allows employers a right to access corporate electronic devices (previously forbidden), following clear rules drafted with the participation of the workers’ representatives. It also allows employees to disconnect from the company networks out from the standard working hours, in accordance with a pre-defined policy. Special rules on CCTV schemes intended for control of employees and limitations on geo-localization of employees are established as well.
- Generates a new catalogue of “unfair competition practices” linked to personal data.
The new Act integrating the GDPR in Spain shall be fully applicable as from its date of publication in the Spanish Official Gazette (BOE).