In advance of the implementation of the EU General Data Protection Regulation (GDPR), Spain has put out for consultation revisions to the current Spanish data protection law that amongst other things includes:-

  • The requirement to obtain consent for each purpose for which personal data will be processed;
  • That the age above which children can give consent to processing of their personal data will be 13 years;
  • That whilst legitimate interest is a lawful ground for processing personal data, it will be restricted to certain instances where consent is impractical such as whistleblowing, CCTV for crime prevention and credit references;
  • That in respect of whistleblowing, for the first time anonymous reports may be permissible and;
  • Where Data Protection Officers (DPO) are appointed this will have to include Telcos, information society service providers, financial services, banking and healthcare, then the details of the DPO will have to be notified to Spanish Data Protection Agency within 10 days of the appointment and that the DPO must not be conflicted from the ability to report non-compliance of GDPR.

If the draft law is implemented in its current form it will expand upon the requirements of GDPR and implement local variations which may be anticipated in other EU Member States.