The Spanish Data Protection Agency sent out letters dated October 29, 2015 to companies that are registered with the DPA and that rely on Safe Harbor for data transfers to US recipients. 

The letter states that companies need to take alternative measures since Safe Harbor has been invalidated. The DPA asks specifically whether the notified data transfers to US recipients based on Safe Harbor will continue, and if so, which alternative measures the company will now take. 

Safe Harbor Alternatives

As alternatives, the DPA suggests the EU Model Clauses or, where applicable, any of the derogations set out in Art. 34 of the Spanish Data Protection Act (typically, consent or contract performance). Consequently, the covered companies must inform the DPA about the continuity of the data transfers to the concerned US recipients and, if so, also the chosen alternative to update their existing filings as soon as possible, and no later than January 29, 2016.

Model Clauses vs Consent

When considering the alternatives, companies must keep in mind that EU Model Clauses are subject to an approval requirement by the DPA which can be very burdensome; consent on the other hand is - in our experience - a feasible alternative in Spain because it would not necessarily require a signature of the concerned individuals. The DPA also stated that they may initiate a proceeding to temporarily suspend data transfers to US recipients in the absence of a response or any alternative measures being taken.