Spain has recently enacted Royal Decree 5/2018 amending its existing (pre-GDPR) data protection legislation in line with the GDPR by introducing new "urgent measures". These new urgent measures will remain in effect until Spain enacts the final version of its new GDPR-compliant national data protection laws (currently going through the legislative process).
The urgent measures in the Decree include:
- incorporation of the penalties established in the GDPR into domestic Spanish law
- the Spanish Supervisory Authority (Agencia Española de Protección de Datos) has been appointed as the Spanish representative within the European Data Protection Board
- the procedure and requirements to determine whether the Spanish Supervisory Authority has to decide on a particular matter, recognizing the possibility of initiating investigations in order to acknowledge whether the Spanish Supervisory Authority is competent or not, or the adoption of provisional measures pursuant to Art. 66(1) GDPR
- identification of competent staff for the exercise of investigations that the GDPR grants to data protection authorities
- transitional provisions to the effect that investigations/procedures brought before enactment of the Decree shall be governed by the previous law, unless the present legislation is more favorable for the data subject.