After a very long delay and amidst rumors that the Spanish Parliament could be dissolved and early elections called, the Spanish Senate speedily dismissed all the proposals for further changes and approved the new GDPR-compliant Spanish Data Protection Act on Wednesday 21 November 2018.
The new Act (“NLOPD”), in addition to regulating many other topics:
- Contains a special regime for personal data of deceased people.
- Includes additional duties for controllers and processors regarding the accuracy and confidentiality of the data.
- Develops article 7 of GDPR regarding how the consent shall be granted. Consent alone shall not be deemed sufficient to support the processing of certain sensitive data (religious or political ideas, trade union membership, sexual orientation, ethnic origin or race).
- Makes processing of criminal records information more flexible than before, allowing lawyers and legal entities to run databases including this type of information. In the case of administrative law infringements, companies may process that information only with the consent of the data subject, with few exceptions.
- Clarifies and expands the scope of articles 13 and 14 GDPR on the information to be provided to data subjects.
- Adds further requirements in connection with the rights of access, rectification and erasure. An additional right/duty, the “blocking right”, which applies following the exercise of a rectification or erasure, is formally added to the ones already in the GDPR. This right was a Spanish peculiarity under the Directive.
- Approves new rules to determine when a data agent is a data controller and not a data processor.
- Imposes very demanding requirements in connection with bad debts and credit recovery databases, making the management of these data much more onerous than elsewhere in the European Union.
- Establishes the divide between children and standard data subjects at 14 years.
- Provides extensive additional regulation regarding CCTV systems and whistleblowing schemes (admitting anonymous reporting for the first time in Spain).
- Establishes specific criteria for applying data security measures and authorizes the Spanish Data Protection Commissioner to establish the security standards for personal data.
- Lists 16 scenarios, on top of article 37 GDPR, in which appointing a Data Protection Delegate shall be mandatory. Notification of the appointment within 10 days becomes mandatory, with the resulting list being accessible online.
- Clarifies the procedures for granting data export authorizations when no other alternative under GDPR exists.
- Recognizes new “digital rights”, including Internet neutrality, universal access to the Internet, security of online communications, digital education, protection of minors on the Internet, rectification / update of non-accurate information on the Internet, and a right-to-be-forgotten-like right not to be found by search engines on the Internet and social networks.
- Develops a new framework for handling health information and information on medical research.
- Grants employers a right to access corporate electronic devices (previously forbidden), following clear rules drafted with the participation of the workers’ representatives. It also allows employees to disconnect from the company networks outside standard working hours, in accordance with a pre-defined policy. Special rules on CCTV schemes intended for control of employees and limitations on geolocation of employees are established as well.
- Generates a new catalogue of “unfair competition practices” linked to personal data.
The new Act shall be fully applicable from the date of its publication in the Spanish Official Gazette (BOE). This was initially expected to be 22 or 23 November 2018, but it was later delayed.