Spain’s Data Protection Authority, the Agencia Española de Proteccion de Datós (‘AEPD’), has issued a deadline of 29 January 2016, for the implementation of alternative mechanisms to Safe Harbor.

By letter dated 3 November 2015, the AEPD imposed the deadline on all companies operating in Spain that had previously notified it of personal data transfers to the United States which were based on the recipient’s Safe Harbor certification.  The letter requires companies in Spain to inform the AEPD of the mechanism(s) they have implemented to ensure the “adequate protection” of personal data which is transferred to the United States.

The AEPD’s deadline is hardly surprising. We previously reported that the Article 29 Working Party had issued a statement that EU data protection authorities would be taking “all necessary and appropriate actions, which may include coordinated enforcement actions” if no appropriate solution with the United States was found by the end of January 2016. The AEPD has been “quick off the mark” with its letter, which warns of enforcement action against any companies that fail to comply with the requirement to supply information of their adequate protection mechanisms. Such enforcement action could include monetary fines and the potential temporary suspension of transfers.

Affected companies should also note that certain mechanisms of data transfer, such as Data Transfer Agreements incorporating the Standard Contractual Clauses, must be submitted to the AEPD for authorisation.