Spain

Summary

Law: Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights (only available in Spanish here) (LOPDGDD) and General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)

Regulator: Spanish data protection authority (AEPD)

Summary: Spain implemented the GDPR in 2018 through the Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights (only available in Spanish here) (LOPDGDD), which came into effect on December 6, 2018. However, the LOPDGDD derogates from the GDPR in areas such as the appointment of data protection officers, digital rights in the working environment, and whistleblowing schemes. In addition, the Spanish data protection authority (AEPD) is an active regulator that regularly issues enforcement actions and responds to data subjects' complaints and requests. The AEPD has imposed several administrative penalties in cases affecting multinational organizations from different business sectors, as well as small to medium-sized enterprises and private subjects. Furthermore, the AEPD has issued substantive guidance on a range of key compliance areas, such as the use of cookies, data transfer mechanisms, and Data Protection Impact Assessment (DPIA) requirements, providing organizations with both a blacklist and a whitelist in relation to DPIAs.

Insights

Article 37 of the General Data Protection Regulation (GDPR) obliges data controllers and processors to designate a data protection officer (DPO). As part of this obligation, data controllers and processors are also required to publish the contact details of the DPO and to communicate the DPO's contact details to relevant supervisory authorities. In part one of this Insight series, OneTrust DataGuidance focuses on the requirement to communicate DPO contact details to the relevant supervisory authorities, providing an overview of the rules and guidelines for DPO contact registration across Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.

In only five years, the Spanish data protection act, the Organic Law 3/2018 of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights (only available in Spanish here) (LOPDGDD), has undergone four amendments and has been subject to two appeals of unconstitutionality.

In this Insight article, María Luisa González Tapia, from Ramón y Cajal Abogados, delves into the recent amendments introduced in the Spanish data protection regulations and explores the key modifications made to the LOPDGDD.

Artificial intelligence ('AI') has been identified by the EU as one of the most relevant technologies of the 21st century, and a key strategic component for the EU's digital transformation. On its part, machine learning ('ML'), a sub-discipline of AI, relies largely on accurate and representative data sets.

With the aim of clearing up common misconceptions surrounding ML systems (with special emphasis on the protection of personal data), the Spanish data protection agency ('AEPD') and the European Data Protection Supervisor ('EDPS') have convened again to prepare a joint paper with technology as the guiding thread, this time titled '10 misunderstandings about machine learning' ('the joint ML paper') [1]. This document follows on from the AEPD-EDPS joint paper on '10 misunderstandings related to anonymisation' [2].

Bárbara Sainz de Vicuña, Isabela Crespo Vitorique, and Mercedes Ferrer Bernal, from GÓMEZ-ACEBO & POMBO ABOGADOS, S. L. P., provide an overview of the joint ML paper and how AI and ML interplay with data protection.

The Spanish data protection authority ('AEPD') published, on 29 June 2021, its 'Guidelines on Risk Management and Impact Assessment in the Processing of Personal Data' [1] ('the Guidelines'). Isabela Crespo, Bárbara Sáinz de Vicuña, and Mercedes Ferrer, from Gómez-Acebo & Pombo, summarise the main provisions of the Guidelines.

On 10 February 2022, the Spanish data protection authority ('AEPD') approved the Code of Conduct on the Processing of Personal Data for the Purposes of Clinical Trials, other Clinical Investigations and Pharmacovigilance ('the Code'), making it the first sectoral code of conduct to be approved following the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Code was approved under Article 40 of the GDPR and Article 38 of the Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights ('LOPDGDD'). Bárbara Sainz de Vicuña, Isabela Crespo Vitorique, and Mercedes Ferrer Bernal, from GÓMEZ-ACEBO & POMBO ABOGADOS, S. L. P., discuss the Code and its requirements.

The processing of personal images of employees by companies is regulated not only by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), but also by local laws in jurisdictions such as Spain. Roger Vilanova Jou, Lawyer at PwC, discusses this topic and its nuances.

Facial recognition technology ('FRT') is an area which creates novel challenges for European data protection law and in particular how certain provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') can be interpreted. Roger Vilanova Jou, Lawyer at PwC, discusses this topic and recent developments in the Spanish context.