Spain’s New Data Protection Act Now in Force

When the GDPR came into effect on May 25, 2018, several European Member States had yet to put in place further implementing legislation. And while the data protection world watches and eagerly digests each new interpretive guidance from data protection authorities, Member State legislation provides additional interpretive tones of harmony or discord in data protection across Europe. After much delay and almost seven months after the EU’s General Data Protection Regulation (“GDPR”) came into force, the Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (“LOPDGDD”) – which implements the GDPR in Spain – entered into force on 7 December 2018. As with the other national implementing laws, though the leitmotif remains the same, Spain takes advantage of a number of the derogations under the GDPR, including inter alia the following:

  • Sensitive Personal Data: the processing of sensitive personal data (e.g., health data, ethnicity, race) is prohibited under Article 9(1) of the GDPR unless one of the conditions for processing such data is satisfied under Article 9(2) of the GDPR. The LOPDGDD provides that consent will not be a valid condition where the primary purpose of the processing is to identify, e.g., the individual’s ethnicity. Instead, it will be necessary to rely on another condition under Article 9(2) of the GDPR.
  • Business Contact Data: there is a presumption that the processing of personal data of business contacts, where the sole purpose is to establish a relationship with the business, will be in the legitimate interests of the controller.
  • Data Protection Officers: a list of entities that must appoint a data protection officer is set out in the LOPDGDD. These include, for example, insurers, investment service companies and providers of information society services. Organisations have ten days from the date of appointment of a data protection officer to notify the Spanish data protection authority of the appointment.
  • Children’s Data: only children aged 14 or over are able to provide valid consent with regard to the receipt of online services.
  • Accuracy of Data: Article 5(1)(d) of the GDPR requires that personal data be accurate and where necessary kept up to date. The LOPDGDD provides that a controller will not be responsible for processing inaccurate personal data in certain limited circumstances, including where the data were obtained from a public register or the data were received from a third party as a result of a request for data portability.
  • Digital Rights: the LOPDGDD introduces a number of new digital rights for individuals which go beyond those provided in the GDPR, e.g., the right to privacy and use of digital devices in the workplace. This includes a right to “digital disconnection” that applies to both public and private sector workers. And while the precise details of how those rights of disconnection will be exercised are generally left to the internal policies of employers as well as collective bargaining processes, it is nonetheless a significant development for the digital economy.

To read more, the Act is available (in Spanish) here: