The Spanish Parliament finally approved the new GDPR-compliant Data Protection Act on 21 November 2018 (Ley Orgánica de Protección de Datos y de Garantía de Derechos Digitales).

The new law clarifies certain provision of the GDPR and lays down some extra rules. 

Key features of the new law include:

  • Consent:  when consent is obtained in order to process data for various purposes, the consent must clearly be for each and every purpose. And consent alone is not enough to process sensitive data – ie data about religious or political ideas, trade union membership, sexual orientation, ethnic origin or race.
  • Transparency: the law clarifies the GDPR’s rules on the information that must be given to data subjects; the law states that the information may be provided in ‘layers’ – eg by linking to the more detailed information.
  • Right of access:  there are new rules on data subjects’ rights to access, rectify and delete their data, including on ‘blocking rights’ (and the limited processing that may be done of blocked data).
  • New rules on the personal data of deceased people:  people may issue a ‘smart will’ and, subject to that will, relatives may access, rectify or delete any data.
  • New rules on processing data related to certain commercial transactions, including the sale of businesses:  data may be processed if it’s necessary for the transaction  - eg for due diligence - and if it guarantees the continued provision of services.  If the transaction is not completed, the transferee must immediately delete all data.
  • Extensive new rules on CCTV systems, with specific provisions relating to the workplace.
  • Whistleblowing channels:  new rules will allow anonymous reporting for the first time in Spain.
  • Codes of conduct:  the law encourages self-regulation by means of codes of conduct, including alternative means of dispute resolution.
  • Procedures for international data transfers, including those that require prior information or prior approval.
  • New procedures to impose sanctions for breach.
  • New ‘digital rights’, including internet neutrality, universal access to the internet, security of online communications, digital education, protection of minors on the internet, rectification / update of non-accurate information on the internet, and a right not to be found via search engines and social networks (similar to the ‘right to be forgotten’).
  • New digital rights for employees, including rights to:
    • privacy when using digital devices at work; 
    • be able to disconnect;
    • privacy in video and audio recording; and
    • privacy in geo-location.

There are also new digital rights for collective negotiation. 

For more information, please contact us.

Raquel FlórezMadrid