On May 25, 2017, exactly one year before the new General Data Protection Regulation (“GDPR”) will come into force, the Spanish Data Protection Agency (“Spanish DPA”) held its 9th annual open meeting, focusing once again on the implications of the new European regulation. From this meeting, which covered multiple topics, the following points can be highlighted:

  • Despite the initially optimistic forecasts, the Spanish DPA has announced that the new Spanish regulation on data protection, which will adapt the GDPR and replace the current Spanish Data Protection Act, is unlikely to be in force until May 2018.
  • The Spanish DPA has presented a trial version of “NANOPYMES,” a tool for SMEs (“PYMES”) that will allow them to generate, by answering a questionnaire, the minimum documentation required under the GDPR for low-risk data processing (record of processing activities, information clauses, data processing agreement and a list of basic security measures).
  • The Spanish DPA has also launched its new data protection guide for citizens, which (i) explains the main data protection obligations, as well as data protection rights and how to exercise them; (ii) analyzes specific data processing, such as processing related to creditworthiness files, communities of neighbors and advertising; and (iii) lists the resources the Spanish DPA makes available to citizens.
  • The Spanish DPA stresses that article 2.2 of the Regulation developing the Spanish Data Protection Act (which excludes certain professional contact data from the application of the data protection rules) will no longer be valid once the GDPR is fully applicable. However, depending on the case, this data processing may be justified on other legal grounds, such as legitimate interest.
  • With regard to information to be provided to data subjects, the Spanish DPA strongly recommends that information should be provided in layers, as specified in its guide for the fulfillment of this duty, and underlines that the information the controller must provide according to the GDPR is not required for all data processing informed before May 25, 2018 if the information given complies with the Spanish Data Protection Act.
  • Furthermore, the Spanish DPA highlights that tacit consent will not be valid anymore, which makes it vital to use this transitional period to adapt any consent so obtained. However, the Spanish DPA also specifies that, if that consent is not “remedied” by obtaining new unambiguous consent according to the GDPR, it might be necessary to consider whether there are other legal grounds for further action.
  • The Spanish DPA will publish a list of high-risk data processing operations for which an impact assessment would be required. However, this list will remain unofficial until it is approved by the European Data Protection Board, which has not yet been established.
  • The Spanish DPA emphasizes that the security measures of the regulation developing the Spanish Data Protection Act are not considered sufficient to meet the GDPR's security requirements. It pointed out, however, that security audits will still be necessary because, although the GDPR does not expressly provide for this obligation, the accountability principle it imposes heightens the need to verify that the security measures implemented are working properly and are sufficient. It also indicated that it will be up to controllers and processors to determine the periodicity of such audits according to the circumstances of the data processing. The Spanish DPA has announced that it will publish recommendations on risk analysis and security measures.
  • As far as data protection officers are concerned, the Spanish DPA is working with ENAC (the national accreditation entity) and a group of experts on a certification scheme (although, under the GDPR, no certification is required to be a data protection officer).
  • The Spanish DPA has noted that the GDPR leaves no room for Member States to define infringements in detail, in the way the Spanish Data Protection Act does, except as regards the limitation period and whether financial penalties may be imposed on public authorities.
  • The European authorities will spend the next year working on the publication of guidelines to assist compliance with the GDPR in relation to consent, transparency, profiling, international transfers and notification of data breaches.