More than six months after the General Data Protection Regulation (“GDPR”) became applicable, the Spanish Parliament has finally approved the Data Protection and Digital Rights Guarantee Act (Ley Orgánica 3/2018, de Protección de Datos y de Garantía de los Derechos Digitales). This new law, published in the Official State Gazette (Boletín Oficial del Estado) on December 6, enters into force on December 7, 2018.
Some of the more noteworthy aspects regulated by this act are the following:
- It regulates the processing of deceased persons’ data in a specific and separate way.
- It makes use of the leeway granted under the GDPR, establishing the minimum age of consent for minors at 14.
- It limits the consent granted regarding special categories of personal data, in such a way that it will be insufficient to process certain types of personal data (ideology, union membership, religion, sexual orientation, race, creed, or ethnicity).
- It specifies those cases wherein the processing of data of a criminal nature is permitted.
- It recognizes the double layer mechanism and the minimum content of basic information to comply with the duty of information for data subjects regarding the processing of their personal data.
- It develops the regulation applicable to the exercise of data subjects’ rights, adding the concept of “data blocking” for cases where data subjects request the amendment or deletion of their personal data.
- It specifically regulates certain personal data processing, which it considers lawful based on legitimate interest or public interest (processing of contact data; credit information systems; commercial transactions; video surveillance; advertising exclusion systems; internal whistleblower information systems).
- It includes a catalogue of situations that must be taken into account when determining the application of technical and organizational measures.
- It clarifies the distinction between the data controller and the data processor, as well as their duties.
- It includes a full catalogue of entities that must appoint a data protection officer, including new categories in addition to those initially envisioned, and it imposes the obligation to report the appointment to the Spanish Data Protection Agency within a maximum period of 10 days.
- It details the cases where an international data transfer is permitted.
- It specifies how to initiate the sanctioning process and its duration, differentiating between cases that concern the (i) failure to address a request for the exercise of rights; (ii) determination of the existence of a possible infringement; and (iii) processing of the procedure as a result of notification of a claim filed with another national control authority. Likewise, it includes an open catalogue of infringements, divided into three categories (minor, severe, and very severe).
- It recognizes and guarantees a new catalogue of digital rights, which includes net neutrality, universal internet access, digital security, digital literacy, the online protection of minors, the amendment or updating of information online, the right to be forgotten on search engines and social networks, and the regulation of the right to a digital last will and testament.
- It strengthens the privacy of employees and their right to digital disconnection and privacy vis-à-vis the use of digital devices, video surveillance, and geolocation in the workplace, and it permits collective agreements that ensure greater protection.
- It extends the validity of data processing agreements signed prior to the application of the GDPR until their expiration date or, for indefinite contracts, until May 25, 2022.
Over the coming weeks, we will extract the most relevant points and analyze them in different posts, so we encourage you to follow the blog to learn about the changes to the new law in detail.