Jan 32019

Spain’s New Data Protection Act Now in Force

Alan Charles Raul, Colleen Theresa Brown and Francesca Blythe
, , , , ,

When the GDPR came into effect on May 25, 2018, several European Member States had yet to put in place further implementing legislation.  And while the data protection world watches and eagerly digests each new interpretive guidance from data protection authorities, Member State legislation provides additional interpretive tones of harmony or discord in data protection across Europe.  After much delay and almost seven months after the EU’s General Data Protection Regulation (“GDPR”) came into force, the Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (“LOPDGDD”) – which implements the GDPR in Spain – entered into force on 7 December 2018. As with the other national implementing laws, though the leitmotif remains the same, Spain takes advantage of a number of the derogations under the GDPR including inter alia the following:

  • Sensitive Personal Data: the processing of sensitive personal data (e.g., health data, ethnicity, race) is prohibited under Article 9(1) of the GDPR unless one of the conditions for processing such data are satisfied under Article 9(2) of the GDPR. The LOPDGDD provides that consent will not be a valid condition where the primary purpose of the processing is to identify e.g., the individual’s ethnicity. Instead, it will be necessary to rely on another condition under Article 9(2) of the GDPR.
  • Business Contact Data: there is a presumption that the processing of personal data of business contacts, where the sole purpose is to establish a relationship with the business, will be in the legitimate interests of the controller.
  • Data Protection Officers: a list of entities that must appoint a data protection officer are set out in the LOPDGDD. These include, for example, insurers, investment service companies and providers of information society services. Organisations have ten days from the date of appointment of a data protection officer, to notify the Spanish data protection authority of the appointment.
  • Children’s Data: only children aged 14 or over are able to provide valid consent with regard to the receipt of online services.
  • Accuracy of Data: Article 5(1)(d) of the GDPR requires that personal data be accurate and where necessary kept up to date. The LOPDGDD provides that a controller will not be responsible for processing inaccurate personal data in certain limited circumstances, including where the data were obtained from a public register or the data were received from a third party as a result of a request for data portability.
  • Digital Rights: the LOPDGDD introduces a number of new digital rights for individuals which go beyond those provided in the GDPR e.g., the right to privacy and use of digital devices in the workplace.   This includes a right to “digital disconnection” that applies to both public and private sector workers.  And while the precise details of how those rights of disconnection will be exercised is generally left to the internal policies of employers as well as collective bargaining processes, it is nonetheless a significant development for the digital economy.

To read more, the Act is available (in Spanish) here: https://www.boe.es/boe/dias/2018/12/06/pdfs/BOE-A-2018-16673.pdf

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Francesca Blythe

London

fblythe@sidley.com

You might also like
UK GDPR Reform Is Back! Department of Science, Innovation and Technology Introduces New Data Protection and Digital Information Bill

On 8 March 2023, the newly created Department of Science, Innovation and Technology (“DSIT”) introduced the Data Protection and Digital Information (No. 2) Bill. The “Bill” is in substance a re-introduction of the previous Data Protection and Digital Information Bill which was withdrawn from Parliament on the same day as the new Bill was published. The Bill, which has been hailed by the UK Government as one that will “save billions” and “cut down pointless paperwork” is the UK’s latest attempt to create a more streamlined piece of data protection legislation for the UK whilst still “ensur[ing] data adequacy.” The Information Commissioner’s Office (“ICO”) also welcomed the re-introduction of the Bill, with the Commissioner stating that he would “support [the Bill’s] ambition.” While much of the Bill remains the same as its previous iteration, we set out the key provisions and notable amendments below.

UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.