Ventura Garcés

 

What law(s) specifically govern personal data / information?

The Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter, “Spanish Data Protection Act”) adapts the Spanish legal order to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter, “GDPR”), which is directly applicable in Spain.

 

What are the key data protection principles in this jurisdiction?

The key principles that apply to data protection in our jurisdiction involve both rights and duties, intended to ensure that the use made of an individual's personal data is consistent with the protection of a fundamental right.

Lawful basis for processing

The GDPR provides an exhaustive list of legal bases on which personal data may be processed:

  • consent of the data subject for one or more specific purposes;
  • contractual necessity;
  • compliance with a legal obligation of the controller to perform the relevant processing;
  • protection of the vital interests of the data subject or of another natural person;
  • performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • legitimate interests (i.e. the processing is necessary for the purposes of legitimate interests pursued by the controller, except where the controller’s interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects).

The processing of sensitive personal data requires stronger grounds and is only permitted under certain conditions, of which the most relevant are:

  • explicit consent of the affected data subject;
  • the processing is necessary in the context of employment or social security law; or
  • the processing is necessary for the establishment, exercise or defence of legal claims.

Transparency

Personal data must be processed lawfully, fairly and in a transparent manner. Regarding the processing of personal data, controllers are obliged to provide certain information to data subjects. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Purpose limitation

Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.

Data minimisation

The processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.

Accuracy

Personal data must be accurate and, where necessary, kept up to date.

Storage limitation

Personal data must be stored in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data were initially collected.

Integrity and confidentiality

Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Accountability

The controller is responsible for the processing of data in accordance with the GDPR. In particular, the controller is obliged to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in compliance with the GDPR.

 

What is the supervisory authority / regulator in charge of data protection?

The Spanish Data Protection Agency. In Spain, there are also autonomous (regional) data protection authorities.

 

Is there a requirement to register with a supervisory authority / regulator?

In the Spanish jurisdiction, registration with a supervisory authority is not required.

The obligation to register/notify files in Spain was replaced on 25 May 2018 by the obligation to keep a record of processing activities for each controller, which must contain the information indicated in Article 30 GDPR.

 

Is there a requirement to notify the supervisory authority / regulator?

Yes, when there is a personal data breach.

 

Is it possible to register with / notify the supervisory authority / regulator online?

It is possible to submit the request in writing through the Spanish Data Protection Agency's Electronic Headquarters (sedeagpd.gob.es).

 

What are the key data subject rights under the data protection laws of this jurisdiction?

Right to information

Pursuant to Articles 13 and 14 GDPR, data subjects have the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.

Right of access

A data subject has the right to obtain from a controller certain information in respect of the data subject’s personal data as listed in Article 15 GDPR.

Additionally, the data subject may request a copy of the personal data being processed.

Right to rectification of errors

Pursuant to Article 16 GDPR, data subjects have the right to rectification of inaccurate personal data.

Right to deletion/right to be forgotten

Data subjects have the right to erasure of their personal data (the “right to be forgotten”) if one of the grounds listed in Article 17 GDPR applies.

Right to restriction of processing

Data subjects have the right to request restriction of the processing of personal data, which means that the data may only be processed for limited purposes as defined in Article 18 GDPR.

Right to data portability

Data subjects have the right to receive a copy of their personal data in a commonly used machine-readable format, to transfer their personal data from one controller to another, or to have the data transmitted directly between controllers (Article 20 GDPR).

Right to object to processing

Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data where the basis for that processing is either public interest (Article 6 para 1(e) GDPR) or legitimate interest of the controller (Article 6 para 1(f) GDPR). The controller must cease such processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the relevant data subject or requires the data in order to establish, exercise or defend legal rights.

Data subjects have the right to object to the processing of personal data for marketing purposes, including profiling.

Right to withdraw consent

A data subject has the right to withdraw their consent at any time (Article 7 para 3 GDPR). The withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal.

Right to complain to the relevant data protection authority(ies)

Data subjects have the right to lodge complaints concerning the processing of their personal data with the competent data protection authority.

Right not to be subject to automated individual decision-making

Under certain circumstances, data subjects have the right not to be subject to a decision based solely on automated processing of data (including profiling), which produces legal effects or similarly significant effects for the data subject (Article 22 GDPR).

This is a summary only and there are some qualifications and limitations to these rights which may be relevant.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

Under the GDPR (Articles 37 to 39), a Data Protection Officer (DPO) must be appointed by organisations that:

  • are a public authority or body (except for courts acting in their judicial capacity);
  • have core activities that require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • have core activities that consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences.

This applies to both controllers and processors. Organisations that are not required to appoint a DPO may do so voluntarily. In making a voluntary appointment, organisations should be aware that the same requirements of the position and tasks apply as if the appointment had been mandatory.

The DPO must have expert knowledge of data protection law and practices, be independent and report to the highest management level.

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

An impact assessment is required where a type of processing, in particular where it uses new technologies, is likely, by its nature, scope, context or purposes, to result in a high risk to the rights and freedoms of natural persons. The impact assessment shall be carried out prior to the processing.

A data protection impact assessment shall in particular be required in the case of:

  • a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  • processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences; or
  • a systematic monitoring of a publicly accessible area on a large scale.

 

Does this jurisdiction have any specific data breach notification requirements?

In the case of a personal data breach, controllers are obliged to notify the Spanish Data Protection Agency. The notification must be made without undue delay and, if possible, no later than 72 hours after the controller has become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification to the Spanish Data Protection Agency does not take place within 72 hours, it shall be accompanied by an indication of the reasons for the delay.

The European Data Protection Board (EDPB) has issued guidelines detailing the requirements for data breach notifications (Guidelines 9/2022 on personal data breach notification under GDPR and Guidelines 01/2021 on Examples regarding Data Breach Notification).

 

What restrictions apply to the international transfer of personal data / information?

Firstly, international data transfers may take place if they are based on an adequacy decision approved by the Commission. That is, where the Commission has decided that the third country, a territory or one or more specific sectors within that third country, or the international organisation concerned ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

The EU Commission has issued decisions concerning an adequate level of protection on the basis of Article 45 para 3 GDPR for the following countries: Andorra; Argentina; Canada; Faroe Islands; Guernsey; Isle of Man; Israel; Japan; Jersey; New Zealand; Republic of Korea; Switzerland; and Uruguay. The United Kingdom has been recognised by the EU Commission as providing adequate protection under the GDPR and the Law Enforcement Directive.

Secondly, in the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or an international organisation only if it has provided appropriate safeguards, and on condition that the data subjects have enforceable rights and effective legal remedies. The appropriate safeguards may be provided for, without requiring any specific authorisation from the supervisory authority, by:

  • A legally binding and enforceable instrument between public authorities or public bodies;
  • Binding corporate rules;
  • Standard data protection clauses adopted by the Commission or by the Spanish Data Protection Agency;
  • Codes of conduct or certification mechanisms, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including those relating to the rights of data subjects.

Thirdly, international data transfers that do not have an adequacy decision approved by the Commission or that are not covered by any of the aforementioned guarantees will require prior authorisation from the Spanish Data Protection Agency or, where appropriate, from the autonomous data protection authorities, in which case the appropriate guarantees may also be provided by means of:

  • Contractual clauses, also known as Standard Contractual Clauses (“SCCs”), drafted by the EU Commission, which can be entered into for transfers to a third country or international organisation. The SCCs, which took effect on 27 June 2021, are available for the following transfers:
    1. Module 1: controller to controller
    2. Module 2: controller to processor
    3. Module 3: processor to processor
    4. Module 4: processor to controller; or
  • Provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

Fourthly, as derogations for specific situations, in the absence of an adequacy decision or appropriate safeguards, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall only take place if one of the following conditions is met:

  • The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards;
  • The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
  • The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
  • The transfer is necessary for important reasons of public interest;
  • The transfer is necessary for the establishment, exercise or defence of legal claims;
  • The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
  • The transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

Finally, where a transfer cannot be based on an adequacy decision approved by the Commission or on any of the abovementioned appropriate safeguards, including the provisions on binding corporate rules, and none of the derogations for specific situations is applicable, it may only be carried out if it is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of the compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data. In this case, the controller shall inform the Spanish Data Protection Agency or, where applicable, the autonomous data protection authorities. Likewise, the controller shall inform the data subject of the transfer and of the compelling legitimate interests pursued. This information must be provided prior to the transfer.

In summary, a transfer may also be covered by one of the permitted derogations set out in Article 49 GDPR (in the absence of an adequacy decision or appropriate safeguards), such as the explicit consent of the data subject, the necessity of the transfer for the performance of a contract between the data subject and the controller at the data subject's request or in the interest of the data subject, or the necessity of the transfer for the establishment, exercise or defence of legal claims.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Yes, the GDPR has “extra-territorial” effect. The GDPR applies to the processing of personal data:

  • in the context of activities of an establishment of a controller or a processor in the EU, regardless of whether the processing itself takes place in the EU.
  • of data subjects who are in the EU by a controller or processor who is not established in the EU, where the processing activities are related to (i) the offering of goods or services to such data subjects in the EU, irrespective of whether a payment of the data subject is required; or (ii) the monitoring of their behaviour as far as their behaviour takes place within the EU.

 

What rules specifically deal with marketing?

In Spain, commercial communications and promotional offers are governed by Act 34/2002 of 11 July 2002 on information society services and electronic commerce. In addition, other rules, such as the General Advertising Act, would also apply.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

Act 34/2002 of 11 July 2002 on information society services and electronic commerce, the Spanish Data Protection Act and the GDPR are applicable.

For consumers, the following laws must be taken into account:

  • Royal Legislative Decree 1/2007, of 16 November, approving the revised text of the General Law for the Defence of Consumers and Users and other complementary laws.
  • Law 4/2022 of 25 February on the protection of consumers and users in situations of social and economic vulnerability.

 

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc.)?

The aforementioned Act 34/2002 of 11 July 2002 on information society services and electronic commerce.

In Spain, there is AUTOCONTROL, which is the independent self-regulatory body of the advertising industry in Spain. It is composed of advertisers, advertising agencies, media and professional associations, and its aim is to work for responsible advertising that is fair, truthful, honest and legal. The AUTOCONTROL Advertising Jury is an alternative dispute resolution body.

AUTOCONTROL drafts various Codes of Advertising Conduct, the instruments that set out the ethical commitments which companies voluntarily assume in their advertising activity, complementing the applicable legal regulations. In addition, AUTOCONTROL applies the Sectoral Codes of Advertising Conduct, through which certain sectors establish complementary voluntary ethical commitments in relation to the advertising of their specific products or services.

Among other activities, AUTOCONTROL processes complaints in relation to commercial communications, submitted by individual consumers or by other entities such as consumer associations, companies and the Administration.

 

What rules specifically deal with cookies?

Article 22.2 of Act 34/2002 of 11 July 2002 on information society services and electronic commerce establishes a set of obligations regarding the use of cookies, to be read together with the Spanish Data Protection Act and the GDPR. In addition, the Spanish Data Protection Agency has drafted Guidance on the use of cookies (https://www.aepd.es/es/documento/guia-cookies.pdf).

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

According to data protection legislation, administrative fines may be imposed, which, depending on the type of infringement, may be up to:

  • EUR 10 000 000 maximum, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
  • EUR 20 000 000 maximum, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

For the application of sanctions, certain graduation criteria will be taken into account, such as:

  • the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
  • the intentional or negligent character of the infringement;
  • any action taken by the controller or processor to mitigate the damage suffered by data subjects;
  • the degree of responsibility of the controller or processor, taking into account the technical or organisational measures that they have implemented;
  • any previous infringement committed by the controller or processor;
  • the extent of cooperation with the supervisory authority for the purpose of remedying the breach and mitigating the possible adverse effects of the breach;
  • the categories of personal data concerned by the breach;
  • the manner in which the supervisory authority became aware of the breach, in particular whether and, if so, to what extent the controller or processor notified the breach;
  • where the measures referred to in Article 58(2) GDPR have previously been ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
  • adherence to codes of conduct or to certification schemes; and
  • any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial gain or loss avoided, directly or indirectly, through the infringement.

According to Act 34/2002 of 11 July 2002 on information society services and electronic commerce:

  • For the commission of very serious infringements, a fine of EUR 150,001 to EUR 600,000.
  • The repetition, within a period of three years, of two or more very serious infringements that have been sanctioned by a final decision may give rise, depending on the circumstances, to a prohibition on operating in Spain for a maximum period of two years.
  • For the commission of serious infringements, a fine of EUR 30,001 to EUR 150,000.
  • For minor infringements, a fine of up to EUR 30,000.

 

In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?

Controllers and processors who are not established in the EEA are generally required under Article 27 of the GDPR to designate a representative in the EEA where their activities fall within the territorial scope of the EEA data protection regime under Article 3, specifically if they involve processing personal data of data subjects within the EEA in connection with the provision of goods or services, or the monitoring of the behaviour of data subjects located in the EEA.

Multinational organisations should also consider the regulations applicable in Spain as set out in this guide.

 

What upcoming data protection developments should multinational organisations be aware of?

None.

 

Claudi Garcés
Ventura Garcés
Spain


Víctor De Cambra
Ventura Garcés
Spain