Spain

[ES] New Act on the Protection of Personal Data

IRIS 2000-2:1/28

Alberto Pérez Gómez

Entidad publica empresarial RED.ES

The Spanish Parliament has approved a new Act dealing with data protection. This new Act abrogates and supersedes the Ley Orgánica 5/1992, de Tratamiento Automatizado de datos de carácter personal (Organic Act 5/1992, on the regulation of the automatic processing of personal data). The new Act has been passed in order to incorporate into Spanish Law the EC Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. According to Art. 32 of this Directive, Member States had to bring into force the provisions necessary to comply with the Directive no later than three years after the date of its adoption, i.e., before 24 October 1998. Although that deadline was not met, the necessary implementing measures have finally been adopted.

According to Art. 1 of the new Act, the principal aim of this provision is to protect the fundamental right to personal and family privacy and honour in relation to the processing of personal data. In order to make this protection effective, the new Act establishes some requirements that are to be satisfied in order to render the processing of data lawful. These requirements deal with data quality, information to be given to the data subject, the security of data and the recognition of the data subject's rights of access, rectification, erasure or blocking of personal data.

The new Spanish Act also regulates other relevant subjects, such as the transfer of data to third countries; the supervisory authority in this field (the Agencia de Protección de Datos); the creation of a Registry for the protection of data; the responsibilities of the Autonomous Communities on this matter; and a system of penalties.