- Spain’s New Data Protection Law Provides Additional Provisions to the Already Vast GDPR
- February 6, 2019 | Authors: Jason L. Ott; Marjorie F. Bagnato
- Law Firm: Dickie, McCamey & Chilcote, P.C. - Pittsburgh Office
We have previously analyzed the General Data Protection Regulation (“GDPR”), which was enacted in May of 2018. The GDPR set a standard that all European Union (“EU”) member countries now are required to follow. However, those countries are free to add additional protections beyond those set forth in the GDPR. Recently, Spain did just that when it passed and implemented its Organic Law 3/2018 (the “Organic Law”) in December of 2018. The objective of the Organic Law is to adapt the Spanish legal system to the EU’s GDPR while also guaranteeing digital rights of Spain’s citizens beyond the protections outlined in the GDPR. The Organic Law addresses several different areas concerning the GDPR and consumer data privacy protection, which include:
- rights of data subjects
- duties of the Data Protection Officer
- political parties processing personal data
Rights of Data Subjects
In part, the Organic Law aims to specify how the Spanish Data Protection Authority (the “SDPA”) interprets the rights of Spanish data subjects. First, the Organic Law sets forth that a data subject’s rights may be invoked personally or through a legal representative. It also provides that either the processor or the controller (if they are separate entities) may attend to the request of a data subject seeking to exercise one of her rights under the GDPR, if the two parties set this out in whatever legal instrument binds them. In addition, the Organic Law states that when a data subject seeks to exercise her rights with a company more than once in a six-month period, the request will be viewed as excessive absent a legitimate reason for making it.
Duties of the Data Protection Officer
While the language in the GDPR only applies to companies with 250 employees or more, Spain’s Organic Law adds circumstances where a Data Protection Officer (“DPO”) is required. The law requires a DPO to be appointed where a company is involved in large-scale processing or the processing of minors’ personal data. Cases where these requirements might apply would be public and private universities and service providers developing large-scale profiles of service users, among others. The law also adds a function to the duties of the DPO. Under the Organic Law, the DPO has the discretion to avoid sanctions by appropriately remedying the alleged misconduct directly with the consumer. Finally, the law adds that a DPO may be dismissed or penalized for the way she completes her tasks if she acts fraudulently or negligently in doing so. This provision is interesting as it could lead to litigation between a DPO and her former employer.
Political Parties Processing Data
A specific provision within the Organic Law already has caused concern among Spanish citizens, despite its extremely recent passage and implementation. A provision that provides political parties, coalitions, and other electoral groups with the ability to use personal data obtained from web pages to conduct political activities during elections has caused confusion and concern that political parties might obtain the power to process personal data for profiling purposes. The SDPA addressed these concerns recently by stating that this law will not allow political parties to create profiles of people based on their political opinions. Instead, the SDPA has made it clear that the Organic Law only will allow political entities to process political opinions that have been openly and freely expressed.
Spain’s specific inclusion of provisions that are additional to the GDPR aids the analysis of how the DPAs of various EU member nations might interpret the GDPR. It also shows how other EU member countries likely will interpret the GDPR, as well as the extent to which they might add clarifications or further provisions.
Our experienced attorneys at Dickie, McCamey & Chilcote, P.C. will continue to provide updates on this latest development (and others to be forthcoming) as the global trend toward stricter data privacy regulation continues. If you have any questions or concerns, please contact us, and we will be happy to work with you and to help equip your company for compliance in this constantly evolving area.