LawBytes brings an update on the new Spanish and Finnish privacy laws implementing the GDPR and their main impacts on data protection matters.
Following Italy, Belgium and the Isle of Man, two other States in the Euro zone have finally adopted a data protection law integrating the GDPR and aligning the respective legal frameworks to the highest standards imposed by the European privacy Regulation.
Privacy – Finland adopts GDPR implementing law after agreement on enforcement entity
On 13 November 2018, the Finnish Parliament approved the Data Protection Act complementing the GDPR and repealing the Personal Data Act of 1999. The delay was partly caused by legislative struggles on the role of the Finnish Privacy Commissioner in imposing administrative fines, as having one member to impose very high sanctions did not fit in with Finland’s legislative tradition. As a result, a three-member board was set up, chaired by the Privacy Commissioner, but without the power to impose sanctions on public authorities.
Here is an overview of the key changes introduced:
- The minimum age of consent for information society services has been lowered to 13 years, whereas the default option in the GDPR is 16 years;
- Additional specific legal grounds for processing health data were introduced for determining liability in insurance claims;
- An exception was introduced to process health data and genetic data for anti-doping purposes and in the context of sport for disabled people; and
- Derogations to certain GDPR obligations were introduced with regard to certain data subject rights when processing takes place solely for journalistic, academic, artistic or literary purposes.
Privacy – New GDPR implementing law in Spain introduces “unusual” changes
In Spain, a new GDPR-compliant Data Protection Act has finally been approved, after a very long delay due to the difficult political situation and the complex legal procedure for changing privacy laws, and following the adoption of an urgent data protection decree in July 2018.
On 21 November 2018, the Organic Act on Data Protection and Digital Rights Guarantee was approved by the Spanish Parliament.
The new law replaces the previous privacy decree, clarifies certain provisions of the GDPR and lays down some extra rules.
Here is a brief overview of the key changes brought by the Act:
- New Digital Rights: universal access to the internet, digital security, digital education, right to be forgotten are among the new rights provided. Furthermore, a right to disconnect from the daily workload is introduced for employees;
- New rules on the personal data of deceased people: data subjects may issue a ‘smart will’ allowing relatives to access, rectify or delete any data;
- Presumption of lawfulness of the processing for M&A transactions: data may be processed if it’s necessary for the transaction (e.g. for due diligence) for the good purpose of the operation and, where applicable, if it guarantees the continuity of the services. If the transaction is not completed, the transferee must immediately delete all data.
These are only some of the major changes; for a more comprehensive overview, check out this previous article from our colleague Diego Ramos, “Spain adopts its data protection act implementing the GDPR”.
As usual, the GDPR implementing laws contain a number of provisions which create some differences among the states, thus in effect “localizing” the privacy Regulation. In my opinion, companies willing to deploy a cross-border service or aiming to sell a product across the EU can rely on the core GDPR principles to develop a compliance strategy, but shall always take into account national customization to avoid incurring local sanctions.
If you are interested in this topic, don’t miss our previous posts: “Are privacy fines really massive under the GDPR?” and “3 top issues for an outsourcing agreement on picking the right court and law”.