This post is also available in: Español

New technologies have fostered the growth of digital advertising, which in turn raises several challenges in terms of data protection. To guide advertisers and data subjects to solve these challenges, and to contribute to applying the General Data Protection Regulation (“GDPR”) in Spain, the Spanish Data Protection Agency (“AEPD”) has approved the Data Processing Code of Conduct for Advertising presented by the Association for Self-regulation of Commercial Communication (“AUTOCONTROL”).

This Code regulates measures for showing proactive responsibility in data processing in advertising and an out-of-court procedure to resolve disputes between the entities party to the Code and data subjects. However, it will only apply to processing by party entities based in Spain or that affects data subjects resident in Spain, if the processing relates to offering goods and services in Spain or checking their conduct abroad.

With regard to who can join, the Code includes: (i) the advertisers, agencies and media that are members of AUTOCONTROL; (ii) the associations or entities representing a sector that are members of AUTOCONTROL, on their behalf or that of their principals; and (iii) any other entities in the advertising industry.

The first part of the Code regulates the data processing principles that advertisers must comply with, referring to the data protection obligations by design and by default (which we addressed in another blog post) and the principle of minimization.

The Code also reminds that data processing in advertising can be based on the data subjects’ consent, which must be categorical and separate, or on the legitimate interest of the party to the Code. This requires weighing the prevalence of that interest against the data subjects’ rights and fundamental freedoms in accordance with the specific case. Unless data subjects expressly accept to receive commercial communications, the advertising exclusion systems must be consulted first.

It also states that the data subjects must be informed that their personal data are being processed for marketing purposes “in a concise, transparent, intelligible and easily accessible manner with clear and simple language” and that they are entitled to oppose that processing when the data are collected and in each commercial communication sent by electronic means.

The most relevant aspect of the Code is that it regulates a system for out-of-court resolution of disputes between party entities and data subjects resulting from processing their data in the advertising field. From January 1, 2021, individuals who believe the data protection regulations have been infringed in an advertising activity will have an online form available to make a claim to companies that are party to the Code. The AEPD thus offers a mediation system (mandatory only for the companies party to the Code) allowing the parties to reach an agreement in 30 days. If they cannot, the data subjects can request a ruling from the Advertising Board.

It is the first code of conduct approved by the AEPD under Articles 40 and 41 of the GDPR and section 38 of the Spanish Personal Data Protection and Guarantee of Digital Rights Act, which has implemented the Codes of Conduct Register, which we will keep an eye on to keep you informed.

Authors: Alejandro Negro and Paula Conde

This post is also available in: Español



61 artículos

Alejandro Negro


36 artículos