Share this post

The council of ministers has passed Royal Decree-Law 5/2018 of 27th July regarding urgent measures for adapting Spanish Law to the European Union law regarding data protection. Said Royal Decree-Law entered into force on 31st July 2018.

This regulation is aimed at bringing Spanish legislation in line with EU Regulation 2016/679 of the European Parliament and of the Council, of 27th April 2016, regarding the protection of the data of individuals in relation to the processing of their personal data and the free flow of such data (hereinafter referred to as the “Regulation), in those aspects not reserved for the Organic Law and whose regulation should not be postponed any longer.

The Regulation is fully applicable in Spain since 25th May 2018 and has replaced all  national legal provisions which are contrary to the provisions of the Regulation.

Without prejudice to the organic law which shall adapt the Spanish regulations on data protection to the referred to Regulation (currently in progress), the text which has just been passed considers urgent the implementation of the  following measures:

(1) Inspection in the area of data protection.


For the purposes of inspection in terms of data protection, the Royal Decree-Law identifies the competent persons for conducting an investigation. Accordingly, it establishes that the faculty to conduct such an investigation shall be carried out by officials of the  Spanish Data Protection Agency or other external officials, who are expressly authorised to do so. Said officials shall be required to keep secret any information which comes to their knowledge in the performance of their duties.

 (2) Penalty system

The new regulation indicates that the persons responsible for data processing, the representatives of those responsible for or in charge of processing which are not established in the EU, certifying entities and authorised entities  for the supervision of codes of conduct are subject to the penalty system.

Furthermore, the penalty system incorporates the fines stipulated by the Regulation of 10,000,000 €, 20,000,000 € or 4% of global annual turnover for companies, in those cases contemplated in sections 4, 5 and 6 of article 83 of the Regulation and the corresponding time limits.

(3) Procedure for breach of data protection rules

 The text of the rules sets forth how to initiate a procedure and its duration, from the application process of the claims; the determination of the territorial reach of the procedure; measures to be taken prior to the investigation; the agreement upon the initiation of the procedure for the exercise of the power to impose penalties and the provisional measures.

Finally, the Royal Decree-Law designated the Spanish Data Protection Agency as the representative of Spain in the European Committee.

For more information, please contact:

10th August 2018

Hugo Ester

Print Friendly, PDF & Email