Last Friday, the Council of Ministers approved the bill for the new Personal Data Protection Act. This new act aims to adapt current Spanish legislation to the General Data Protection Regulation ("GDPR"), which will be effective May 25, 2018.
The bill introduces many new features, most of which are already listed in the GDPR. However, there are other issues, such as the regulation of data of deceased persons, or introducing the public interest exception for advertising exclusion lists, also known as Robinson Lists, which represent new issues from what is established in the GDPR.
Also, it reduces the minimum age to give consent for personal data processing from 14 to 13 years (as already established in other European countries).
However, it introduces the transparency principle in the treatment of data, establishing the right of those affected to be aware of how their data is being treated and to be able to exercise the new rights of deletion, limitation and portability of personal data already announced by the GDPR.
As a new highlight when compared to the current regulations, it introduces the position of Data Protection Officer (already stated in the GDPR), displacing the former Security Officer. The Spanish Data Protection Agency (“SDPA”) must be notified of the details of this person, who will act as a contact point between the SDPA and the company. The Data Protection Officer will not have other functions in the company; this role will be linked to analyzing and controlling the levels of security and compliance in terms of data protection in the company. That is why this position, unlike the former Security Officer, will require contrasted legal knowledge of data protection.
The parliamentary process for the bill will now begin. We will follow it closely and update you in our Blog.