Spain was one of the first countries globally to take active legislative measures to protect the privacy of its citizens' personal information and data. The Spanish Constitution of 1978 states, "the law shall restrict the use of informatics in order to protect the honour and the personal and family privacy of Spanish citizens, as well as the full exercise of their rights".
Later, Royal Decree 428/1993, as amended by Organic Act 15/1999, extended the protection of Spanish residents' personal data and information collected by electronic means through the Protection of Personal Data Act. As a member of the European Union (EU), Spain also came under the General Data Protection Regulation (GDPR) when it took effect in 2018.
One aspect of the GDPR that member states may set differently is the age of consent that separates adult from child data subjects. Spain has set the age of consent for data protection purposes at 16 years old.
Both pieces of legislation require all data handlers to take proactive measures to ensure the safety of any data collected on Spanish data subjects.
The GDPR is quite transparent about who needs to comply: any entity that collects data on its users within the EU, whether a business or a non-profit, must comply with it. The Spanish data protection law takes a slightly different approach to both its material and territorial scope.
The Spanish data protection law affords blanket protection for all data that may have been collected on a data subject. There are only a handful of exceptions that include:
The Spanish data protection law applies to all data handlers that are:
The Spanish data protection law and GDPR lay out specific obligations for all data handlers. These obligations ensure maximum protection is accorded to all collected data while minimizing the chance of data breaches.
If the data handler is not based in Spain, its representative must be easily accessible for any legal cases that may be brought against the data handler for failing to comply with any of the law's requirements.
Article 6 of Spain's Data Protection Law states that no form of data collection or processing can move forward without "the unambiguous consent of the data subject". Furthermore, the data subject must be adequately educated about their rights, especially the right to rescind their consent at any time.
Article 9 of Spain's Data Protection Law is direct and explicit: the data handler is responsible for taking adequate measures to ensure the protection of any data collected. It mandates all data handlers to adopt the technical and organisational measures necessary to ensure the security of the personal data and to prevent its alteration, loss, and unauthorised processing or access.
Additionally, collection of any information that may reveal a data subject's ideology, trade union membership, religion, beliefs, racial or ethnic origin, or sex life remains prohibited.
If a data breach occurs, data handlers are required to inform the relevant authorities within 72 hours of detecting the breach.
Similarly, all affected data subjects must be informed of this breach as soon as possible. No time frame is mentioned in this case. However, if informing all affected data subjects would take a disproportionate effort, data handlers can send a press release or public announcement to communicate the breach to the data subjects and other relevant parties.
The Spanish data protection law only requires data handlers that fall under the following categories to hire a Data Protection Officer (DPO):
All data handlers in Spain must carry out regular, in-depth data protection impact assessments to ensure they are following the best practices within their organisation.
The DPO is generally the person responsible for planning, strategising, and executing these assessments. Spain's own law does not require organisations to carry out such assessments. However, data handlers would be well advised to regularly conduct these assessments to give them a real-time view of how well they're equipped to protect their data.
Under the GDPR, cross-border data transfers can occur if they fulfil the following criteria:
The Spanish law's requirements are comparatively simpler. It requires the data handler to notify the data subjects of the transfer, indicating the purpose of the file, the nature of the data transferred, and the name and address of the transferee. Additionally, the Agencia Española de Protección de Datos (AEPD) must judge whether the proposed destination of the data transfer offers adequate data protection before the transfer can go through.
Both the GDPR and Spain's Protection of Personal Data Act ensure that all data subjects within Spanish jurisdiction have a set of inalienable rights that a data handler must guarantee. These include:
The Agencia Española de Protección de Datos (AEPD, English: Spanish Data Protection Agency) is responsible for ensuring the implementation of Spain's data protection legislation and some elements of the GDPR within Spanish jurisdiction.
To help the AEPD enforce the law effectively across the country, two additional regional authorities, the Catalan Data Protection Authority and the Basque Data Protection Agency, enforce the law in the Catalan and Basque regions.
By law, it enjoys "absolute independence from the Public Administration", meaning the agency has the powers and resources to reprimand data handlers for their non-compliance without waiting for any other administrative body's permission.
The penalties for non-compliance in Spain are clear as far as the GDPR provisions are concerned. Any data handler found in breach will be fined €20 million or 4% of their annual turnover, whichever is higher.
Additionally, the criminal courts in Spain can impose further fines on data handlers in breach of Spain's data protection laws if their non-compliance is proven in court. There are three tiers of penalties that can be handed out depending on the severity of the non-compliance:
Adherence to both the GDPR and Spain's own data protection law should be high on the agenda of any company dealing with Spanish customers. However, that can be easier said than done, given the intricacies of the two different pieces of legislation involved. To make operationalising the law within an organisation more manageable, here are some basic steps any data handler can take:
Data is nothing less than a treasure trove for businesses. It can tell them everything they might need to know about their current and potential customers: what they like, what encourages buying behaviour, how different age groups behave on-site, and so on. On the flip side, the slightest mismanagement of this data can lead to catastrophe for any business.
This is precisely why data protection has become an essential part of most businesses' organisational infrastructure. Because different countries have different data protection laws, each requiring businesses, or data handlers, to comply with different conditions, data privacy compliance can be a tough nut to crack.
That's where Securiti can help. Securiti has made a name for itself as a market leader in enterprise data compliance and governance solutions. Thanks to its PrivacyOps framework, Securiti offers a plethora of different AI and Machine Learning-driven tools that can help any business deal with their specific data privacy compliance needs.