On June 28th, the Spanish Ministry of Justice published a Preliminary draft of the Organic Law concerning the Protection of Personal Data which intends to align the Spanish Legislation on Data Protection to the GDPR. Hence, providing a new regulatory framework in line with the GDPR and adapting its requirements to the Spanish legal system. It has seventy eight articles divided in eight titles.
However, this legal text is still in an initial stage. The Spanish Ministry of Justice launched a public consultation on such Preliminary draft, which closed in July.
The main issues to highlight in relation to the Preliminary draft are:
- Data subject's consent: When the processing of personal data is to be based on the data subject's consent for several purposes, the new legal text introduces the obligation to require such consent for each of the purposes.
- Minors' consent: The new legal text states that minors aged 13 and over will be allowed to give consent to the processing of their personal data.
- Special categories of data: The new legal text establishes that obtaining the explicit consent of the data subject is not enough to process certain special categories of personal data.
- Lawfulness of the processing of personal data: It conforms a closed list of cases in which the processing of personal data can be considered to be based on legitimate interest.
- Whistleblowing: The new legal text expressly sets forth the possibility of creating whistleblowing channels in private entities allowing the submission of anonymous complaints.
- Right to data portability: The new legal text does not extend the right to data portability to the data inferred by the controller.
- Security measures: It does not specify the security measures that must be implemented in each case, and it leaves the determination of such measures to the discretion of controllers and processors.
- Representatives of controllers or processors not established in the European Union: The representative will be jointly liable with the controller or processor.
- Data processors: The new legal text clarifies that a data processing commission will still be considered as a mere access, and not as a communication.
- Designation of a Data Protection Officer (DPO): The new legal text lists certain cases in which it imposes an obligation to appoint a DPO.
- International transfers of data: The need to obtain previous authorization from the AEPD, as a general rule, has been removed.
- Sanctions system: The Preliminary draft tries to complement the sanctions system set forth by the GDPR and to adapt it to the Spanish legal system.
We will keep you updated on the outcome of the consultation.