One day after the GDPR came into force the Spanish Data Protection Agency ("AEPD") published a brief document explaining some of the changes introduced by the GDPR through a practical system of twelve questions and answers in order to help Spanish organisations to adapt to the GDPR.

After explaining that the GDPR came into force on 25 May 2016 but will not apply until 25 May 2018, and that Spanish organisations and individuals must comply with the current legislation until that moment, the AEPD explains some of the relevant changes that will be introduced in two years' time, covering the following topics:

  • Scope of application  

The GDPR will be applicable not only to data controllers and data processors established within the EU territory, but also to those companies that offer goods or services to EU residents or that monitor the behavior of EU residents, insofar as such behavior takes place in the EU.

The AEPD highlights the importance of companies not established in the EU nominating a representative to be the addressee of communications issued by the authorities, and also the importance of providing data subjects with the contact details of these representatives.

  • New tools for citizens to protect their personal data  

The AEPD explains that the GDPR introduces new mechanisms for data subjects to have control over their personal data, such as the right of portability and the right to be forgotten.

The AEPD explains that the right to be forgotten is a consequence of the cancellation right that data subjects already had, which allowed them to request that the data controller delete their personal data when, among other things, the data are no longer necessary for the purpose for which they were collected, when consent is withdrawn or when the data have been collected illegally. The AEPD adds that the right to be forgotten has been adopted following the ruling of the Court of Justice of the EU dated 13 May 2014, which recognises that search engines qualify as data controllers and that citizens have the right to request that their personal information not be shown in search engine results where the information is outdated, incomplete, false or irrelevant and is not relevant for the public interest.

The AEPD also highlights the new right of portability, which allows data subjects to request that data controllers transfer their personal data to a different data controller when it is technically possible to do so and the personal data are processed by automatic means.

  • Consent  

The new GDPR establishes that the minimum age of consent for the processing of personal data in relation to information society services will be 16 years; however, it also opens the possibility for Member States to establish a lower age for this consent, but never lower than 13 years old. The AEPD explains that in Spain the age at which children can give valid consent is 14 and that it will therefore continue to be the minimum age for consent when the GDPR comes into force.

In respect of consent more generally, the AEPD highlights that practices that fall under so-called tacit consent and are accepted under current legislation will cease to be valid when the GDPR is applicable.

  • Tips for organisations  

The AEPD explains that it may be useful for organisations that process personal data to start to consider the implementation of some of the measures required under the GDPR, provided that such measures are not inconsistent with the provisions of the current Spanish data protection legislation, which remains the governing law in Spain until the GDPR comes into force.

For example, organisations should note that from May 2018 they should perform risk analysis of their data processing, and it would be advisable for them to carry out this activity now in order to identify the kind of data processing they carry out and to establish the degree of complexity of the analysis that they should carry out, etc. It is hoped that over the next 2 years the AEPD will introduce tools to assist with this analysis of an organisation's data processing.

Similarly, nothing prevents organisations from planning the record of data processing that they will keep or implementing privacy impact assessments or any other of the measures provided in the new GDPR.

Organisations could also begin designing and implementing procedures to properly notify the data protection authorities or data subjects of security breaches that may occur.

The advantage of introducing such new measures early is that it will allow organisations to detect difficulties, inadequacies or errors at a stage when these measures are not mandatory and their correction or effectiveness would therefore not be subject to supervision. This would allow errors to be corrected by the time the GDPR applies.

Organisations should refer to the AEPD's 12 questions in their work towards compliance with the GDPR in Spain.

A link to the AEPD's 12 questions is available here (Spanish).