This post is also available in: esEspañol

The Spanish government has fast-tracked the approval of measures aimed at adjusting Spanish legislation to the new General Data Protection Regulation (GDPR) by passing Royal Decree-Law 5/2018. These are provisional measures that will only be valid until the anticipated new future Spanish Data Protection Act (“LOPD”) comes into force. The upcoming LOPD, which should have entered into force together with the GDPR, on May 25, is still in the process of parliamentary approval, leading to an awkward situation, as, although the GDPR is directly applicable, its multiple references to domestic law require internal adjustments that are fully in line with the European regulations.

Royal Decree-Law 5/2018, published yesterday in the Official Gazette of the Spanish State, and in force from today, July 31, seeks to partially compensate for the absence of an LOPD that is adapted to the GDPR, regulating aspects considered outside the exclusive scope of organic law. In particular, it issues rules on sanctioning proceedings for infringements, so that they can be heard in accordance with the European regulation.

Among other points, the royal decree-law (i) establishes who may be responsible for infringements, excluding the data protection officer from the application of the sanctioning regime; (ii) refers to the GDPR for the classification of infringements; and (iii) establishes a three-year statute of limitations for infringements punishable with higher amounts (those of sections 5 and 6 of article 83 GDPR) and two years for minor infringements (article 83.4 GDPR). It establishes limitation periods for sanctions already imposed, distinguishing three groups according to their amount (equal to or less than €40,000, between €40,001 and €300,000, and more than €300,000). It also regulates procedures with the participation of authorities from other EU Member States and refers to the previous legislation for processing ongoing procedures.

The decree also covers provisional measures and investigation tasks, and repeals the provisions of the LOPD on infringements and sanctions, excluding article 46 concerning public administrations.

The  royal decree-law also includes the measure already planned in the draft LOPD, providing that data processing agreements entered into under the LOPD before May 25, 2018 will remain valid until their expiry date, and if entered into for an indefinite period, until May 25, 2022.

Click this link to access the firm’s Legal Flash, which outlines some of the royal decree-law’s main aspects.

This post is also available in: esEspañol



42 artículos


Leave a Reply

Your email address will not be published. Required fields are marked *