ANALYSIS: A new law on data protection and digital rights has been approved by Spain's parliament and will come into force in the coming days. The law will complement the General Data Protection Regulation (GDPR).
The new law, the Organic Law on Data Protection and Digital Rights Guarantee (LOPDGDD), was approved by a large majority in the Spanish Senate on 21 November after being nearly two years in development. The Senate did not amend any of the text that was previously approved by the Congress, ending a period of delay in the parliamentary process.
The new law is due to be published in the Official Spanish Bulletin by 6 December. It will take effect when it is published, bringing Spain into line with other EU countries, including the UK, France, Germany and Ireland, which have all implemented national legislation to supplement the GDPR.
The LOPDGDD contains a range of provisions that will impact data processing operations.
The data of the deceased are still excluded from the scope of data protection regulations, although persons linked to them for family or de facto reasons, as well as their heirs, may request access, rectification or erasure of their data under certain circumstances.
Data controllers will not be liable for processing inaccurate data in certain cases:
The minimum age from which the consent to for a lawful processing of personal data will be valid is fourteen years old.
Under the LOPDGDD, consent of the data subject will not be enough to remove the prohibition of processing special data where the main purpose is to identify an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. In all these cases, it will be necessary to rely on another of the legal bases for processing set out in the GDPR.
The LOPDGDD also indicates that the processing of special data based on a substantial public interest, on the need for preventive medicine and similar purposes or in a public interest in the area of public health should be regulated by a legal instrument with the status of a law.
The new law has codified into law guidelines on the layering of privacy information that should be provided to data subjects. Those guidelines were outlined by the former Article 29 Working Party and recommended by the Spanish data protection agency (AEPD) in its guide on the compliance of the information duty.
The processing of contact data of professionals and entrepreneurs for the sole purpose of establishing a relationship with the legal entity that those data subjects provide their services to will be presumed lawful under the legitimate interest of the data controller so long as the contact data is limited to the professional location of the data subject.
LOPDGDD also sets out the requirements for including personal data of data subjects on credit debt information systems. Data will be able to be stored on those systems for up to five years after the credit debt services have expired.
Personal data gathered by video surveillance systems must be deleted within one month of capture, except where it is necessary to retain the footage to prove the commission of acts attempted against people, property or facilities.
Under the LOPDGDD, businesses engaging in direct marking activities will be obliged to consult systems set up to exclude advertising to ensure they do target people who have opted out from receiving such materials. Businesses will be free to target individuals with direct marketing where they have their consent to do so.
The new law allows businesses to maintain logs of employee complaints and whistleblowing, so long as employees are informed of their existence. Personal data in these systems must only be stored for as long as necessary and, except if the purpose of that storage is to demonstrate compliance with the crime prevention model by the legal entity, never for a period exceeding three months.
Businesses have up to 10 days after appointing a data protection officer to notify the AEPD of that fact.
The LOPDGDD includes a list of entities that must appoint a data protection officer as mandatory for their activity. Examples include: professional associations, education centres, public and private universities, entities that operate networks and provide electronic communications services, providers of information society services when they develop large-scale profiles, insurers, credit finance institutions, investment service companies, health centres, and private security companies.
The new law splits infringements into three categories for the purpose of setting different limitation periods. For very serious infringements, enforcement action will be possible up to three years later. Serious infringements and minor infringements are subject to two and one year limitation periods respectively.
One of the biggest changes that the LOPDGDD introduces is new citizen rights for the internet age. These have been named 'digital rights'. Although many of them only constitute a reinforcement from the digital point of view to the rights regime already established in the GDPR, others are completely original and introduce not only specific obligations for data controllers, but also guiding policies for the Spanish government. These include:
The current Spanish Organic Law of the General Electoral System is modified by the LOPDGDD. The aim of the reforms is to indicate that political parties, coalitions and electoral groups can use personal data obtained from websites and other sources of public access to carry out political activities during the election period. Likewise, sending election propaganda by electronic means, as well as contracting it on social networks or equivalent will not be considered a commercial activity.
Madrid-based Paloma Bru and Paula Fernández-Longoria are data protection law experts at Pinsent Masons, the law firm behind Out-Law.com.