This post is also available in: Español

Six months after the General Data Protection Regulation (GDPR) came into force, the Spanish senate passed the new Act on Data Protection and Guarantee of Digital Rights on Wednesday November 21, with 220 votes in favor and 21 against, and with no amendments to the version sent by the Congress of the Deputies, meaning that now all that remains is for the act to be published in the Official Gazette of the Spanish State.

The most relevant aspects regulated by the act are as follows:

  • Specific and separate regulation on how to process the personal data of the deceased.
  • Making use of the margin allowed by the GDPR, the act makes 14 the minimum age for minor consent, as opposed to the original draft that set the minimum age at 13, keeping in place the age defined in Spanish Royal Decree 1720/2007, of 21 December, which implemented the previous Spanish Data Protection Act.
  • The act limits consent for processing certain categories of data, making it insufficient for processing certain categories of personal data (ideology, union membership, religion, sexual orientation, beliefs or racial or ethnic origin).
  • The act specifies the cases where processing of criminal records will be allowed.
  • It recognizes the double-layer mechanism and the minimum content of the basic information required for informing interested parties about the processing of their personal data.
  • The act implements the regulations that will apply to how interested parties can exercise their rights, with article 32 adding what is known as “data blocking” for when personal data should be rectified or erased.
  • It specifically regulates certain personal data processes that, unless proven otherwise, should be considered to be lawful based on a legitimate interest or public interest (processing of contact information, electronic credit rating systems, commercial transactions, video surveillance, do-not-call systems, internal complaint information systems).
  • The act adds a catalog of situations that should be considered when determining whether technical and organizational measures should be applied.
  • It clarifies the distinction between the positions of data controllers and data processors, and their obligations.
  • The act includes a complete category of entities that must appoint a data protection officer, including new categories in addition to those originally planned, and it makes it mandatory to notify the Spanish Data Protection Agency of the appointment within a maximum of 10 days.
  • It expands on the cases where international data transfers will be permitted.
  • The act indicates how to start sanctions proceedings, and their duration, differentiating between cases where (i) a request to exercise rights is not answered; (ii) a possible breach has been determined; and (iii) proceedings have been started due to a claim filed with another national oversight authority. It also includes an open catalog of breaches, divided into three categories (minor, serious and very serious).
  • It recognizes and guarantees a new digital bill of rights that includes net neutrality, universal internet access, digital security, digital education, protection of minors on the internet, rectification or updating of information on the internet, the right to be forgotten on search engines and social networks, and regulation of the right to a digital will.
  • The act reinforces employees’ privacy rights and their right to digital disconnection and privacy from the use of digital devices, video surveillance and GPS tracking, allowing collective bargaining agreements to guarantee stronger protections.
  • It extends the terms of data processor contracts signed before the GDPR’s introduction until their expiry dates, and in the case of indefinite contracts, until May 25, 2022.Over the coming weeks, we will look at the act’s most relevant points and analyze them in various posts; we encourage you to follow the blog so you can become more familiar with all the changes to come from the new Spanish Act on Data Protection and Guarantee of Digital Rights.
  • Although the new Spanish Act on Data Protection and Guarantee of Digital Rights will not come into force until it is published in the Official Gazette of the Spanish State (expected any day now), as the act has already been passed, it will not be subject to additional changes.

This post is also available in: Español



43 artículos

Alejandro Negro


49 artículos