The Spanish Data Protection Agency recently issued a Recommendation on Data Protection regarding e-commerce. The recommendation clarifies some aspects of the Spanish Data Protection Act and its supplementary legislation, which implemented the relevant EU directive. These provisions apply to e-commerce transactions, with some peculiarities due to the particular nature of this type of commerce.

The recommendation focuses on the following points:

  • If personal data is collected online only for the purposes of payment by financial entities, data that may link the method of payment and the identity of the data subject cannot be stored. Users must be informed of the transfer of control from one website to another (Article 5).

  • If a user voluntarily gives his or her personal data for purposes other than a commercial transaction, it will be understood that he or she consents to the data processing in the terms of which he or she was informed when the data was collected (Article 6).

  • The data subject's consent is required if personal data is used for purposes other than those for which it was collected. Users must be informed when collection takes place if any of the following are intended: (i) categorization of data for commercial purposes; (ii) invisible data collection procedures; or (iii) data used to identify a consumer and send him or her unsolicited advertising. In all three cases users have the right to refuse (Article 4.1).

  • Once data has been deleted access to it will be blocked. The data will be kept only for public administration purposes and for use in the courts in relation to liabilities arising from data processing (Article 4.5).

  • Files containing data on the purchase of certain categories of goods (eg, orthopaedic and sexual devices) will only be processed if the data subject expressly consents (Article 7.3).

  • Articles 12 (dealing with the contract between data processor and data controller) and 9 (dealing with security measures) both apply to data obtained by means of online commercial transactions.

  • Consent to the communication of personal data will be void if the data subject is not informed of the purposes for which the data is going to be used. This information can refer to a generic economic area (eg, financial services), but never to an undetermined purpose. Such an undetermined purpose would include “commercial activities”, “advertising purposes” or “to be used by the companies within the group”. If an online service is transferred to a new holder and the transfer includes a new controller, it may imply a data assignment. In such case provisions regarding the assignment of data must be observed. Users must be informed if data is communicated to controllers of linked websites (Article 11).

  • All the provisions concerning international movement of data apply to e-commerce transactions.

  • The Regulation on Security Measures must be complied with. Identification, authentication and access control procedures will be available for registered users who have online access to their personal data. Files containing data on purchase habits to evaluate the consumer's personality will be subject to medium-level security measures (Article 9).

For further information on this topic please contact Gonzalo de Ulloa or Jose Carlos Erdozain at Gómez-Acebo & Pombo by telephone (+34 91 582 9100) or by fax (+34 91 582 92 82) or by email ([email protected] or [email protected]).