On 10th November 2017, the Council of Ministers approved the sending of the draft law on Data Protection to the General Courts (Spanish Parliament) in order to adapt Spanish legislation to the provisions of Regulation 2016/679 of the European Parliament and of the Council, dated 27th April 2016. This European Regulation shall be applied as from 25th May 2018. Our previous article dated 24th March 2017 also referred to said European Regulation.

One of the main objectives of the European Regulation is to end the current fragmentation resulting from the different legislation in force in the member states of the EU. Furthermore, it seeks to adapt data protection regulations to rapid technological evolution and to the phenomena derived from the Information Society and globalisation.

In Spain’s case, given that data protection is one of the fundamental rights protected by the Constitution, there are new developments regarding consent and processing, as well as the introduction of new figures and procedures.

1. Minors and deceased

  • The age for consent to be given for data processing is brought forward to the age of thirteen in line with other nearby countries.
  • The processing of data concerning deceased persons shall take place based upon the wishes of their heirs. The figure of implied consent shall be excluded and substituted by an affirmative and explicit action on the part of the affected party and the obligation of confidentiality is clearly set out.
  • Where inaccuracy exists in personal data obtained directly, the person responsible for the data processing shall not be held accountable if reasonable measures for rectification or elimination have been adopted.
  • In matters related to data processing, the principle of transparency is incorporated regarding the right of the affected parties to be informed about said processing and it explicitly provides for the rights of access, rectification, elimination, the right to limit processing, as well as portability and opposition.

2. Discriminatory situations

In order to avoid discriminatory situations, it remains prohibited to store especially protected data, such as data regarding ideology, trade union affiliation, religion, sexual orientation, racial or ethnic origin and beliefs. In these categories, the mere consent of the interested party is not enough to make processing viable.

Likewise, the new law introduces some cases in which the lawmaker presumes that the legitimate interest of the person responsible for processing the data prevails, provided certain requirements are complied with, such as in the case of credit information.

Similarly, situations in which there is a public interest are also regulated, for instance those related to video surveillance and systems of exclusion from advertising (“Robinson List”), public statistics functions and complaints in the private sector.

3. Other developments

Among the new developments, the boosting of the figure of a data protection delegate stands out. The delegate may be a natural or legal person, but their designation must be duly communicated to the competent authority, and it is the delegate who shall maintain communications with the Spanish Data Protection Agency (Agencia Española de Protección de Datos “AEPD”).

As far as proceedings are concerned, the existence of self-regulation mechanisms is facilitated, in both the public and private sectors, along with the obligation of blocking. This obligation guarantees that the data are always at the disposition of the courts, the prosecution service or other competent authorities such as the Spanish Data Protection Agency, in case of demands for possible liabilities derived from data processing, thereby preventing the deletion of data in order to cover up any non-compliance.

4. Cross-border data flow

The Regulation addresses new circumstances arising from the increase in the cross-border flow of personal data as a consequence of the activity of the internal market, taking into account that rapid technological evolution and globalisation have made such data a fundamental resource for the Information Society.

Consequently, there now exists a greater inherent risk in this area, given that information on individuals has multiplied exponentially, and data is now much more accessible and easy to process, while at the same time, control of data use and its purpose has become far more difficult.

 

 

Mika Otomo

Vilá Abogados

 

For more information, please contact:

va@vila.es

 

24th of November 2017