Spain

[ES] Spain goes further than the GDPR when adapting its data protection law

IRIS 2019-3:1/11

Miguel Recio

CMS Albiñana & Suárez de Lezo

More than a year after the draft bill was submitted to the Congress on 14 November 2017, Spain finally adopted its Organic Law No. 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights. The law entered into force on the day following its publication in the Official Gazette of 6 December 2018, Constitution Day in Spain.

The law applies to the public and private sector, is organised into ten chapters and includes ninety-seven articles, one repealing the provision as well as several additional, transitory and final provisions. It repeals Organic Law No. 15/1999 of 13 December on the Protection of Personal Data, with the exception of several articles related to the processing of personal data by the police and judicial sectors until a law adopts Directive (EU) No. 2016/680 of the European Parliament and of the Council of 27 April 2016 protecting personal data when being used by police and criminal justice authorities; the Royal Decree-Law No. 5/2018 of July 27 on urgent measures to adapt Spanish Law to EU regulations on data protection; and any other regulations that contradict, oppose or are incompatible with the General Data Protection Regulation (GDPR) and this law.

In addition to adapting the Spanish legal system on data protection to the GDPR, the law includes an additional Chapter X - Articles 79 to 97- on guaranteeing the digital rights of citizens and employees beyond the GDPR. This chapter was included during the processing of the draft bill in Congress.

One of the most interesting amendments that the law introduces into the Spanish legal system on data protection, which goes further than the GDPR, and which was included during the parliamentary procedure, is one which provides political parties with the possibility of processing personal data obtained from webpages and other public sources. The Spanish data protection authority published a relevant legal report in answer to a query from its own director.

With regard to data protection, the law includes some specifications and restrictions as provided in the GDPR. For example, on transparency and information, Article 11 of Organic Law No. 3/2018 states that the controller may provide, as a minimum, some information on the processing of personal data and indicate to the data subject an electronic address or any other means which would allow access to additional information.

Another relevant specification is included in Article 13(3) of Organic Law No. 3/2018. Following Article 12(5) of the GDPR, the law specifies that a request for the right to access information shall be considered as excessive, on the basis of its repetitive character, when submitted “more than once during a period of six months, unless there is a legitimate reason.”

The law also specifies that the data processor, on behalf of the data controller, may attend the exercise of the data subject´s rights when it is stated in the contract or other legal act that binds them (Article 12(3) of Organic Law No. 3/2018). Furthermore, as stated in Article 33 of Organic Law No. 3/2018, at the end of the processing procedure, the data processor may retain “duly blocked” personal data “as long as responsibilities could be derived from its relationship with the data controller.”

Other relevant specifications are, for example, the obligation to block personal data when rectified or deleted during the term within which liability derived from the processing may be required; specific cases in which a data controller or processor has the obligation to designate a data protection officer, such as providers of information society services when profiling users on a large scale, or private security companies.

In line with Article 83(7) of the GDPR, the Organic Law establishes that public authorities and bodies established in Spain are not subject to administrative fines. Article 77 of Organic Law No. 3/2018 includes applicable provisions to data controllers and processors that are public authorities or bodies and provides that when they infringe the law, the competent authority shall issue a resolution sanctioning them with a warning and establishing as well the measures that must be adopted to cease the infringement or correct the effects of the infringement that has been committed.

For the purposes of the prescription of infringements, in its Articles 72 to 74, the law classifies the infringements as very serious, serious and minor. In these articles, the law specifies some actions considered as infringements, in addition to the ones included in Article 83 of the GDPR.

Finally, the chapter on digital rights, beyond the GDPR, includes, among others, provisions on Internet neutrality, universal access to the Internet, digital security, digital education, the right to privacy and the use of digital devices in the workplace, the right to digital disconnection outside the workplace, the right to privacy against the use of video surveillance devices and sound recording in the workplace, the right of privacy against the use of geolocation systems in the workplace and the right to a digital testament. In any case, these are rights outwith the scope of the GDPR that will need further regulation.