Spain Data Protection Law Overview

Spain was one of the first countries globally to take active legislative measures to protect the privacy of its citizens' personal information and data. The Spanish Constitution of 1978 states, "the law shall restrict the use of informatics in order to protect the honour and the personal and family privacy of Spanish citizens, as well as the full exercise of their rights".

Later, the Royal Decree 428/1993 of 1993, as amended by Organic Act 15/1999 in 1999, extended the protection of Spanish residents' personal data and information collected via electronic means with the Protection of Personal Data Act. As a member of the European Union (EU), the General Data Protection Regulation (GDPR) also came into effect within the country in 2018.

One aspect of GDPR that is open to differences is the age of consent to differentiate between adult and child data subjects. Spain has set the age of consent with regard to data protection at 16 years old.

Both these legislations require all data handlers to take proactive measures to ensure the safety of any data being collected on Spanish data subjects.

1. Who Needs to Comply with the Law

The GDPR is quite transparent about who needs to comply. Any entity that collects data on its users within the EU, whether they're a business or a non-profit, must comply with the GDPR. The Spanish data protection law has a slightly different take on both in terms of material and territorial scope.

1.1 Material Scope

The Spanish data protection law affords blanket protection for all data that may have been collected on a data subject. There are only a handful of exceptions that include:

• Information subject to a pending legal case
• Information collected concerning the investigation of terrorism or organised crime
• Information classified as "Confidential" for matters related to Spain's national security

1.2 Territorial Scope

The Spanish data protection law applies to all data handlers that are:

• Carrying out data collection activities in Spain
• Not established in Spain but carrying out data collection activities on Spanish territory
• Not established within the European Union but carrying out data collection activities on Spanish residents unless for data transit purposes only

2. Obligations for Organizations Under Spanish Data Protection Law

The Spanish data protection law and GDPR lay out specific obligations for all data handlers. These obligations ensure maximum protection is accorded to all collected data while minimizing the chance of data breaches.

2.1 Lawful Basis Requirements

Data on the data subjects can only be collected if the data handler has a lawful reason for doing so. The privacy policy and the consent agreement in that policy need to be explicit in stating how the collected data helps the data handler’s commercial interests in making the browsing experience better for a data subject.

In case the data handler is not based in Spain, their representative must be easily accessible for any legal cases that may be brought against the data handler for failing to comply with any of the law’s requirements.

2.2 Consent Requirements

Article 6 of Spain's Data Protection Law states that no form of data collection or processing can move forward without "the unambiguous consent of the data subject". Furthermore, the data subject must be adequately educated about their rights, especially the right to rescind their consent at any time.

2.3 Privacy Policy Requirements

Spain's data protection law requires all data handlers to inform the data subject of the following in their privacy policy:

• The purpose of collecting the data and the recipients of the information
• The obligatory or voluntary nature of the reply to the questions put to them
• The consequences of obtaining the data or of refusing to provide them
• The possibility of exercising rights of access, rectification, erasure, portability, and objection
• The identity and address of the controller or their local Spanish representative

2.4 Security Requirements

Article 9 of Spain's Data Protection Law is direct and explicit in stating the responsibility of the data handler is to take adequate measures to ensure the protection of any data collected. It mandates all data handlers to adopt technical and organisational measures necessary to ensure the security of the personal data and prevent their alteration, loss, and unauthorised processing or access.

Additionally, collection of any information that may reveal a data subject's ideology, trade union membership, religion, beliefs, racial or ethnic origin, or sex life remains prohibited.

2.5 Data Breach Requirements

In case a data breach occurs, data handlers are required to inform the relevant authorities within 72 hours of the detection of the breach.

Similarly, all affected data subjects must be informed of this breach as soon as possible. No time frame is mentioned in this case. However, if informing all affected data subjects would take a disproportionate effort, data handlers can send a press release or public announcement to communicate the breach to the data subjects and other relevant parties.

2.6 Data Protection Officer Requirement

The Spanish data protection law only requires data handlers that fall under the following categories to hire a Data Protection Officer (DPO):

• Educational establishments
• Credit and Financial institutions
• Insurance entities
• Investment companies regulated by the Securities Market legislation
• Distributors of electricity and natural gas
• Advertising agencies
• Research firms
• Health institutes maintaining detailed patients' information
• Sports federations
• Private security firms
• Game developers and publishers

2.7 Data Protection Impact Assessment

All data handlers in Spain must carry out regular, in-depth data protection impact assessments to ensure they are following the best practices within their organisation.

The DPO is generally the person responsible for planning, strategising, and executing these assessments. Spain's own law does not require organisations to carry out such assessments. However, data handlers would be well advised to regularly conduct these assessments to give them a real-time view of how well they're equipped to protect their data.

2.8 Cross border data transfer Requirements

As per the GDPR, cross border data transfers can occur if they fulfill the following criteria:

• Data is being transferred to a safe/whitelisted jurisdiction
• Data is being transferred to a third party with the appropriate data privacy and protection certifications
• Binding contractual rules in place
• Ad-hoc contracts in place, approved by the AEPD

The Spanish law's requirements are comparatively easier. It requires the data handler to relay the news of the data transfer to the data subjects, also indicating the purpose of the file, the nature of the data transferred, and the name and address of the transferee. Additionally, the AEPD is to judge whether the proposed location of the data transfer offers adequate data protection before the transfer can go through.

3. Data Subject Rights

Both the GDPR and Spain's Protection of Personal Data ensure that all data subjects within Spanish jurisdiction have a set of unalienable rights that a data handler must guarantee. These include:

• Right to access the data subject's own personal data: As per Spain's data protection law, all data subjects have the right to access their own personal data collected on them by the data handlers. In case the identity of the data handler is unknown, the data subject can request General Data Protection Register to know everything they can to know about their personal data, the purpose of its collection, and the identity of the data handler.
• Right to rectify/correct the data subject's own personal data: All data subjects have the right to request rectification or correction of any data collected on them due to incomplete, incorrect, or outdated information.
• Right to erasure of personal data: All the data subjects have the right to request erasure and permanent deletion of any data collected on them by the data handler. The collected data can only be maintained solely at the disposal of the public administrations, judges, and courts to determine any liability arising from the processing. The data is to be deleted after the expiration of such liability.
• Right to damages: All the data subjects have the right to claim compensation in lieu of damages incurred due to processing activities carried out by the data handler. The claim will be heard in civil court.

4. Regulatory Authority

The Agencia Española de Protección de Datos (AEPD, English: Spanish Data Protection Agency) is responsible for ensuring the implementation of Spain's data protection legislation and some elements of the GDPR within Spanish jurisdiction.

To ensure its effectiveness in enforcing the law across the country, two additional regional offices, the Catalan Data Protection Authority and the Basque Data Protection Agency, help enforce the law in the Catalan and Basque regions.

By law, it enjoys "absolute independence from the Public Administration", meaning the agency has the powers and resources to reprimand data handlers for their non-compliance without waiting for any other administrative body's permission.

5. Penalties for Non-compliance

The penalties for non-compliance in Spain are clear as far as the GDPR provisions are concerned. Any data handler found in breach will be fined €20 million or 4% of their annual turnover, whichever is higher.

Additionally, the criminal courts in Spain can hand data handlers in breach of Spain's data protection laws with additional fines if their non-compliance is proven in the courts. There are three tiers of penalties that can be handed out depending on the severity of the non-compliance:

• €600 to €60,000 for minor violations
• €60,000 to €300,000 for serious violations
• €300,000 to €600,000 for severe violations

6. How an Organization Can Operationalize the Law

Adherence to both the GDPR and Spain's own data protection law should be high on any company's agenda dealing with Spain's customers. However, sometimes that can be easier said than done considering the intricacies of the two different legislations involved. To make operationalizing the law within an organisation more manageable, here are some basic steps any data handler can take:

• Conduct a thorough data mapping exercise across your organisation to figure out how compliant your current practices are.
• Have an easily understandable privacy policy that properly educates the data subjects about their rights without any room for ambiguity.
• Hire a competent DPO or local representative that understands the GDPR and Spain's data protection law inside and out to ensure competent individuals are running your data protection department.
• Ensure all the company's employees and staff are acutely aware of their responsibilities under the law.

7. How can Securiti Help

Data is nothing less than a treasure trove for businesses. It can tell businesses everything they might need to know about their current and potential customers. What they like, what encourages buying behavior, how different age groups behave on-site, etc. However, on the flip side, the slightest mismanagement of this data can lead to catastrophe for any business.

This is precisely why data protection has become an essential part of most businesses' organisational infrastructure. Considering how different countries have different data protection laws requiring businesses, or data handlers, to comply with different conditions, data privacy compliance can be a tough nut to crack.

That's where Securiti can help. Securiti has made a name for itself as a market leader in enterprise data compliance and governance solutions. Thanks to its PrivacyOps framework, Securiti offers a plethora of different AI and Machine Learning-driven tools that can help any business deal with their specific data privacy compliance needs.

Request a demo today to see how these tools can help your organisation.