The Ministry of Justice has published the draft Personal Data Protection Law to replace Personal Data Protection Law 15/1999 (LOPD, its Spanish acronym) in order to adapt the Spanish regulations to the General Data Protection Regulation 2016/679 (GDPR), passed by the European Union on April 2016. This draft is submitted to public consultation on the Ministry of Justice’s website, open to citizens’ participation until July 19th.

First of all, we must bear in mind that Personal Data Protection is a fundamental right within the Spanish system and, as such, it must be regulated by an organic law pursuant to article 81.1 of the Spanish Constitution, which must be passed by absolute majority of the Congress, pursuant to article 82.2 of the same. We must also keep in mind for the sake of the analysis we make in this paper that, as it is a draft, it can vary significantly before being passed as an Organic Law.

As it is mandatory, the Spanish state respects and reproduces in this draft the text of the GDPR, introducing some specifications on several aspects, among which the following ones can be stressed out:

  • Regulation of deceased persons’ personal data treatment, granting the heirs the right to access, rectification and erasure, unless expressly prohibited by the deceased or forbidden by law.
  • Presumption of veracity for the data collected directly from the data subject.
  • The age for consent is lowered to 13 years old, (former Organic Law 15/1999 set it at 14, and the GDPR establishes it at 16 years old, enabling member states to lower it but not under 13).
  • Consent is excluded as the sole basis for making especially-protected data processing legitimate.
  • Conditions for lawfulness of data processing aiming at providing credit information, as well as other specific obligations for the entities who maintain these systems and for the creditors, who are considered as joint controllers.
  • Specific regulations for personal data processing:
    • Regarding administrative infringements and sanctions, being closer to criminal infringements and sanctions.
    • When used for video surveillance
    • In the advertising exclusion systems (Robinson list and similar) and the internal complaints in private entities
  • New obligation for controllers: blocking obligation
  • Legal and economic regime of the Spanish Agency of Data Protection, as well as its functions, powers and relations with the rest of public institutions including judicial bodies and regional authorities for data protection.
  • Legal framework for data protection regional authorities.
  • Infringements qualification, following the Spanish administrative sanctions general regime, in the following way:
    • Very grave infringements: approximately match the ones foreseen in GDPR article 83.5 (fines up to 20 000 000 EUR, or up to 4 % of the total worldwide annual turnover of the preceding financial year), usually breaches of processing principles, of the rights of the data subjects and of the conditions imposed for especially-protected data processing and non-compliance with the resolutions of the data protection authorities.
    • Grave infringements: generally match the ones foreseen by GDPR article 83.4 (fines up to 10 000 000 EUR, or up to 2 % of the total worldwide annual turnover of the preceding financial year), mainly those regarding non-compliance with obligations of the GPDR for controllers and processors and personal data processing for minors without fulfilling the required conditions.
    • Minor infringements: include among others and generically: non-compliance of merely formal obligations (especially some regarding joint controllers, controllers and processors among them) and ill-compliance of other obligations.
    • Sanctions for institutions, authorities and other public entities when they act as controllers or processors will only consist in a reprimand and the indication of the corresponding measures to cease or correct the effects of the infringement and, if the data protection agency decides so, the institution of disciplinary measures.

It can be observed that some of the changes are stricter than the GDPR (such as the exclusion of the consent as the sole legal basis to process especially-protected data), so it will be worth watching its path through the Congress in order to be prepared to fulfill all the dispositions of the future Organic Law (whose entry into force is foreseen on May, 25th, 2018, matching with the date of enforcement of the GDPR), and thus avoiding any possible sanction.

By Carolina Reyes Kahansky, Lawyer, Adarve Abogados